CardSystems Inc. was at the center of the nation's largest known data security breach back in May, when it reported that someone had broken into its systems and stolen the details of as many as 40 million payment cards, including names, account numbers and expiration dates.
CardSystems might have been seen as the victim had it not admitted that it violated its contracts with Visa International Service Organization, American Express Co. and others, by failing to encrypt credit card transaction data and by keeping on file card verification numbers that are never supposed to be stored.
Those transgressions made the data theft much more dangerous, company officials conceded.
When CardSystems CEO John Perry testified to an investigating congressional committee in July, he said that an earlier audit, done by the Cable & Wireless Security unit now owned by Savvis Communications Corp., had failed to identify the encryption and data-retention problems.
Savvis officials said the systems they were told to look at were fine at that time and that either the problems were on other machines or the sloppy procedures began after their audit had wrapped up.
The challenge of using security audits properly, and understanding what their results do and do not reveal, is becoming a major issue in retail payment systems.
On Thursday, CardSystems announced that a new audit, from AmbironTrustWave, had been completed.