CardSystems Solutions Settles FTC Charges

CardSystems Solutions Inc. and its successor, Solidus Networks Inc. (doing business as Pay By Touch Solutions), have agreed to settle Federal Trade Commission charges that CardSystems’ failure to take appropriate security measures to protect the sensitive information of tens of millions of consumers was an unfair practice that violated federal law.

The proposed settlement requires CardSystems and Pay By Touch to establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. The settlement also requires them to obtain – every two years for the next 20 years – an audit from a qualified, independent, third-party professional that confirms the security program meets the standards of the order, and to comply with standard bookkeeping and recordkeeping provisions. CardSystems also faces potential liability in the millions of dollars under bank procedures and in private litigation for losses related to the breach.

In September 2004, a hacker broke into CardSystems’ Web-based database of customer information. The hacker obtained unauthorized access to magnetic stripe data for tens of millions of credit and debit cards. In early 2005, issuing banks began discovering several million dollars in fraudulent credit and debit card purchases that had been made with counterfeit cards. The counterfeit cards contained complete and accurate magnetic stripe data, including the security code used to verify that a card is genuine, and thus appeared genuine in the authorization process.

According to the FTC, the security breach resulted in millions of dollars in fraudulent purchases. In addition, after the fraud was discovered, banks canceled and reissued thousands of credit cards, and consumers experienced inconvenience, worry, and lost time in dealing with the affected cards. The case was the largest known compromise of financial data to date.

The CardSystems case represents the ninth in which the FTC has targeted companies whose security practices compromised consumers’ confidential financial information. It was the first the commission brought against a credit card processor.

“CardSystems kept information it had no reason to keep and then stored it in a way that put consumers’ financial information at risk,” said Deborah Platt Majoras, chairman of the FTC. “Any company that keeps sensitive consumer information must take steps to ensure that the data is held in a secure manner.”

CardSystems provided merchants with products and services used in “authorization processing”—obtaining approval for credit and debit card purchases from the banks that issued the cards. According to the FTC, in 2005 the company processed about 210 million card purchases, totaling more than $15 billion, for more than 119,000 small and medium-size merchants.

The FTC charged that CardSystems engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for sensitive consumer information. Specifically, the agency alleged that CardSystems:

- created unnecessary risks to the information by storing it;
- did not adequately assess the vulnerability of its computer network to commonly known or reasonably foreseeable attacks, including “Structured Query Language” (SQL) injection attacks;
- did not implement simple, low-cost, and readily available defenses to such attacks;
- did not use strong passwords to prevent a hacker from gaining control over computers on its computer network and access to personal information stored on the network;
- did not use readily available security measures to limit access between computers on its network and between its computers and the Internet; and
- failed to employ sufficient measures to detect unauthorized access to personal information or to conduct security investigations.
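The two failures at the centre of the complaint, an injectable query against a database that should not have held full magnetic stripe data in the first place, are easiest to see side by side. The following is an added example written for this page, not CardSystems’ code and not anything the FTC published: the table layout, merchant IDs and Track 2 strings are constructed (the card numbers are standard test numbers), and the query shape is assumed. It shows a concatenated query that an attacker-controlled merchant ID turns into a dump of every stored track, the same lookup with a bound parameter, and what an authorization log needs to retain instead of the full stripe.

```python
import sqlite3

# Constructed sample records. Track 2 data is PAN=YYMM followed by the service code
# and discretionary data, which is where the stripe verification code lives. These
# PANs are published test numbers, not real cards.
SAMPLE_TRACKS = [
    ("merchant-001", "4111111111111111=26071011234567890"),
    ("merchant-002", "5500000000000004=27031011987654321"),
    ("merchant-003", "340000000000009=25121011112223334"),
]

# Input an attacker might submit where the application expects a merchant ID.
INJECTION = "x' OR '1'='1"


def make_db():
    """Build an in-memory table that, like the one described above, retains full Track 2 data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_log (merchant_id TEXT NOT NULL, track2 TEXT NOT NULL)")
    conn.executemany("INSERT INTO auth_log VALUES (?, ?)", SAMPLE_TRACKS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, merchant_id):
    """Vulnerable form (assumed, for illustration): the caller's value is pasted into the SQL text.

    With merchant_id = "x' OR '1'='1" the WHERE clause becomes always-true and every
    stored track is returned.
    """
    query = "SELECT track2 FROM auth_log WHERE merchant_id = '" + merchant_id + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, merchant_id):
    """Hardened form: the value is bound as a parameter and never interpreted as SQL.

    The same injection string is now just a merchant ID that matches nothing.
    """
    rows = conn.execute("SELECT track2 FROM auth_log WHERE merchant_id = ?", (merchant_id,))
    return [row[0] for row in rows]


def retained_record(track2, auth_code):
    """What an authorization log needs to keep once the issuer has answered.

    Only a truncated PAN and the issuer's response are retained; the full track,
    including the verification code, is discarded so a later breach cannot yield
    counterfeitable stripe data. Returns (masked_pan, auth_code).
    """
    pan = track2.split("=", 1)[0]
    masked = "*" * (len(pan) - 4) + pan[-4:]
    return masked, auth_code


def demo():
    conn = make_db()
    print("vulnerable, legitimate id:", lookup_vulnerable(conn, "merchant-001"))
    print("vulnerable, injected id:  ", lookup_vulnerable(conn, INJECTION))
    print("parameterized, injected:  ", lookup_parameterized(conn, INJECTION))
    print("retained instead of track:", retained_record(SAMPLE_TRACKS[0][1], "A1B2C3"))


if __name__ == "__main__":
    demo()
```

The parameterized query is the “simple, low-cost, and readily available” defense the complaint refers to; the retention function addresses the separate allegation that the data should never have been stored. Neither replaces the other: a processor that keeps no full tracks has nothing for an injection to exfiltrate, and one that binds its parameters still has no business holding that data.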

Pay By Touch acquired CardSystems’ assets in December 2005 and now processes transactions for the same merchants CardSystems served.