Credit card companies may be able to limit the impact of hacker attacks on third-party partners, like the one reported last week, but analysts claim that there are no assurances it won’t happen again.
MasterCard said on Friday that
as many as 40 million credit card numbers may have been stolen due to an attack on CardSystems Solutions, a third-party processor of payment data in Tuscon, Ariz. The company claimed it was keeping customer card data, contrary to its agreement with MasterCard, for “research purposes.”
Of the compromised accounts, about 20 million are Visa, 14 million are MasterCard and the remainder are American Express, Discover and other brands.
Carmi Levy, an analyst with Info-Tech Research Group Inc., based in London, Ont., said credit card companies have relationships with hundreds of these third-party processors. Contractual obligations are designed to prevent the CardSystems incident from ever happening, but “it’s impossible for the credit card companies — with whom consumers and businesses have this relationship — to validate and verify that their third-party organizations are living up to their end of the bargain,” he said.
According to MasterCard Canada, 97 card holders may be at risk and those people have all been contacted. They would only be at risk if they had recently used their cards to make purchases in the U.S.
Both MasterCard and Visa offer their customers a “zero liability” policy, making them immune from purchases that were made without their consent. No confidential data, such as social insurance numbers or dates of birth, was put at risk as a result of the leak, according to the company.
The card holders may be protected, but when credit card numbers are used illegally, it’s the retailers that end up swallowing the cost of the purchase, said Richard Purcell, CEO of the Corporate Privacy Group, a consulting practice in Nordland, Wash.
“For Amazon, maybe that’s something they can tolerate, but for a smaller (retailer), that’s something that could be really harmful to them,” he said.
“Really, I think the harm is in the system itself in an overall way. Merchants suffer harm, consumers lose confidence; the whole idea of using technology gets lowered. These (credit card companies) don’t appreciate the value of what it is they’re protecting and transacting. Information is far more valuable than they realize. And I think the reason that there was a breach is that they’ve failed to realize that it’s that valuable.”
Louise Wardrop, head of operations for MasterCard Canada, said that third-party providers are continually monitored for signs of activities that could lead to a breach.
“Luckily this does not happen often,” she said. “Any time that it does, our processors, our banks are on heightened awareness.”
Third-party transaction processors are subject to reviews, she said, and are required to fill out performance questionnaires. “When we get those questionnaires in we assess the risks and make sure that if there is a risk, we’re on site to evaluate their security procedures.”
MasterCard isn’t planning to substantially change its policies and procedures with third-party providers, she said, “but we will continue to review them and monitor then and make sure that what we do have in place is working and make any adjustments to make sure that it doesn’t happen again.”
The Bank of Montreal, the largest MasterCard issuer in Canada, has been in touch with all of its card holders that may have been affected by the breach, according to spokesperson Ralph Marranca. The bank will issue any person deemed at risk with a new card next week.
“The good news is that we’ve got some pretty sophisticated systems in place. Criminals . . . understand that we have some pretty sophisticated equipment. We can move pretty quickly to mitigate or limit the amount of incidents that occur,” said Marranca.
“Any time something like this happens, you sit down with MasterCard and look at your processes and make sure your processes are working as they should. And look at if there’s anything more we can do or need to do.”
Credit card companies and their issuing institutions may be doing their best to limit the effects of a breach, said Levy, but as long as there are holes to be exploited, hackers will find them.
“The weakest link is where the hacker is going to focus his or her effort, the weakest link is where the breach is going to occur,” he said. “Do I think this is going to improve? No. There’s no way to control every single level of customer data along the chain, especially if you are outsourcing to such a great degree.”
“I guess you could say, ‘Never say never,’ unless you have a crystal ball,” said Wardrop. “But the point to reinforce is that we’re out all the time monitoring.”
Last year, MasterCard and Visa created the Payment Security Industry (PCI) Data Security Standard by aligning their data security programs. PCI, also supported by Amex, Diner’s Club, Morgan Stanley’s Discover Financial Services and JCB Co. Ltd., went into effect in January 2005. PCI is designed to allow merchants and third party providers to measure the effectiveness of their security measures. CardSystems Solutions did not comply with these measures, according to MasterCard.
The rules and policies that credit card companies have in place for dealing with issuers and third-party processors are generally sufficient, said Purcell, but they may have to become more vigilant about enforcing them.