Contradictory Charges Rattle Data-Loss Case

By Evan Schuman  |  Posted 2005-07-21 Print this article Print

CardSystems, a credit card processing company accused of improperly storing private data fingers the auditor in congressional testimony, and the executive points a finger right back, calling charges "total, total disinformation."

During congressional testimony Thursday, executives from bank and credit card companies involved in the largest credit card data loss ever pointed fingers at a new culprit for gaps in security: the auditors who had certified the credit card processing systems as being up to snuff. But in an interview with Ziff Davis Internet News, those auditors—who did not testify at the hearings—vehemently disagreed with the testimony and said one of the CEO witnesses was either lying or very mistaken. The role played by the Cable & Wireless Security unit, now owned by Savvis Communications Corp., was made public during the testimony of David Watson, the chairman of Merrick Bank, which is one of seven banks that made payments to merchants who used CardSystems Solutions.
In May, CardSystems reported that someone had broken into its systems and stolen the details of as many as 40 million payments cards, including names, account numbers and expiration dates. The hearing was being held to see if new laws are needed to prevent such a situation from recurring.
Read more here about the security breach. CardSystems officials have admitted that they violated their contracts with major credit card companies by storing customer-identifiable data from card magnetic stripes. Watson testified that CardSystems used Cable & Wireless Security for a security audit in 2003, choosing from a Visa-approved list of auditors who could certify companies as complying with Visas CISP (Cardholder Information Security Program). Cable & Wireless did indeed certify CardSystems, according to CardSystems CEO John Perry, who testified that he relied on that certification to be sure that the systems were compliant with CISP rules and that they werent retaining data they shouldnt. Merricks Watson testified that after the May break-in, his company brought in its own auditing team, Ubizen, to perform a forensic security audit. Ubizen discovered two problems. Read the full story on Contradictory Charges Rattle Data-Loss Case
Evan Schuman is the editor of's Retail industry center. He has covered retail technology issues since 1988 for Ziff-Davis, CMP Media, IDG, Penton, Lebhar-Friedman, VNU, BusinessWeek, Business 2.0 and United Press International, among others. He can be reached by e-mail at

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel