Sunday, June 19, 2005

Mastercard Debacle

Just this week it was revealed that almost 40 million credit cardholders' information may have been compromised through a breach at CardSystems. Of the companies affected by the breach, Mastercard appears to be the most vocal. In my opinion, they appear to be hiding behind CardSystems' noncompliance with Mastercard security practices as a way to salvage their public image.

CardSystems processes about $15 billion worth of transactions a year for Visa, Mastercard and a variety of smaller credit card providers.

Given the amount of data passing through the company, the casual observer might assume that Mastercard would care about CardSystems' security practices. According to a NY Times article, apparently not:

Jessica Antle, a MasterCard spokeswoman, said that CardSystems had never demonstrated compliance with the payment association's standards. "They were in violation of our rules," she said. ref.


So, CardSystems never demonstrated compliance with Mastercard security standards? Mastercard has been a customer of CardSystems for at least 5 years. Given more than five years, how could a company like Mastercard, which is ostensibly concerned about customer security and confidentiality, not conduct a security audit of CardSystems?

Note: This timeframe is based on a quote from a former employee of the CardSystems corporation. The employee, Gary Knotts, claimed that CardSystems worked with "... Mastercard on compliance issues" while he was employed by CardSystems in the late 1990s. (The original quote can be found here: link).

To answer this, let's take a look at the Mastercard security practices. These guidelines appear to have been recently updated. The entire set of compliance practices enforced by Mastercard can be found here.

As far as I can tell, their security documentation is quite exhaustive. Per that site, Mastercard is supposed to ensure compliance of TPPs (Third Party Processors) through annual onsite audits. Additionally, TPPs are responsible for quarterly network evaluations. According to my reading of the documents, these results must be submitted to Mastercard to ensure compliance.

On the other hand, if Mastercard classifies CardSystems simply as a merchant, then its security requirements are a bit different. However, Mastercard still requires certain audits. Depending on the number of Mastercard transactions processed yearly, an annual onsite review may be required. For merchants processing more than 20,000 transactions a year, a quarterly network security scan is required. Again, one would "assume" that these results must be sent to Mastercard. Given Mastercard's claim that 16,800 accounts are at high risk of compromise after the breach, it is not unreasonable to assume that CardSystems processed more than 20,000 Mastercard transactions a year.

In either case, Mastercard customers could reasonably expect that CardSystems would have been audited at least once in that five-year period to ensure compliance. Why weren't they?

I understand that CardSystems has openly admitted to having lax security procedures and to inappropriately storing customer data, but it would also be nice to find out where Mastercard was in this whole mess!

In their defense, Mastercard does offer zero-liability protection, so any charges made by thieves using the stolen credit cards will not be borne by customers.

Hopefully lawmakers will join the fight to protect our identities. California lawmakers recently passed legislation that forces companies to report all security breaches. Hopefully other states will follow. This legislation does nothing to create a new data security standard, but it does ensure that any company that allows such a breach to occur will face intense public scrutiny. No company wants bad press, and hopefully that will drive them to raise their security standards.

However, legislation can only go so far. Each company must use common sense and hold itself to a higher standard of security than its partners mandate. By challenging themselves to provide more than the minimum amount of data security, let's hope that these companies keep our data safe and that situations like this never happen again.