During congressional testimony Thursday, executives from bank and credit card companies involved in the largest credit card data loss ever pointed fingers at a new culprit for gaps in security: the auditors who had certified the credit card processing systems as being up to snuff.
But in an interview with Ziff Davis Internet News, those auditors—who did not testify at the hearings—vehemently disagreed with the testimony and said one of the CEO witnesses was either lying or very mistaken.
The role played by the Cable & Wireless Security unit, now owned by Savvis Communications Corp., was made public during the testimony of David Watson, the chairman of Merrick Bank, which is one of seven banks that made payments to merchants who used CardSystems Solutions.
In May, CardSystems reported that someone had broken into its systems and stolen the details of as many as 40 million payments cards, including names, account numbers and expiration dates. The hearing was being held to see if new laws are needed to prevent such a situation from recurring.
CardSystems officials have admitted that they violated their contracts with major credit card companies by storing customer-identifiable data from card magnetic stripes.
Watson testified that CardSystems used Cable & Wireless Security for a security audit in 2003, choosing from a Visa-approved list of auditors who could certify companies as complying with Visas CISP (Cardholder Information Security Program).
Cable & Wireless did indeed certify CardSystems, according to CardSystems CEO John Perry, who testified that he relied on that certification to be sure that the systems were compliant with CISP rules and that they werent retaining data they shouldnt.
Merricks Watson testified that after the May break-in, his company brought in its own auditing team, Ubizen, to perform a forensic security audit. Ubizen discovered two problems.