Visa and American Express punished credit card payment processor CardSystems Solutions Inc. for a breach of its computer security that left 40 million account holders' records vulnerable to hackers: both require the banks that issue their cards to replace the servicer by October 31, 2005. The breach of security was not the only motivating factor. According to the Associated Press, both entities were troubled by the fact that the break-in apparently occurred much earlier than CardSystems Solutions Inc. at first admitted, and, more importantly, by the fact that the processor retained personal information on cardholders in violation of Visa and Amex rules and (we assume) in violation of its agreements with the banks for whom the processor processed card payments.
MasterCard has given the company until the end of August to correct deficiencies in its systems and procedures. Visa concluded that the processor could not correct those deficiencies.
A couple of obvious points: (1) make certain that the bank's contracts with payment processors contain provisions that meet not only the privacy and security requirements of the law (for example, those imposed by Gramm-Leach-Bliley and its implementing regulations), but also the privacy and security requirements of other interested parties that might be imposed upon the bank and its contractors, such as Visa and Amex, and that permit the bank to terminate the processing agreement in a timely manner for a breach of those obligations; and (2) even though a bank builds these obligations into the contract, ongoing monitoring by the bank and/or a third party (such as an annual SAS 70 audit) is an essential part of a vendor management program.
This incident also demonstrates that "reputational risk" is real. The processor retained and used "for research purposes" personal data that it had agreed not to retain and use. Existing and future customers will have to consider carefully whether such an organization is to be trusted not to renege on its obligations in the future. That's an ugly fact of life.
---Kevin Funnell