Top payment-system executives traveled to Washington on Thursday to try to convince members of Congress that no new laws are needed for credit card payment security, that the industry can police itself just fine. But the facts delivered during the testimony told a very different story.
What forced the hearing was a well-publicized security breach in May, when CardSystems Solutions reported that someone had broken into its systems and stolen the details of as many as 40 million payment cards, including names, account numbers and expiration dates.
CardSystems CEO, John Perry, told the investigating panel that his people immediately called the FBI and reported the problem, and that the company told its sponsoring bank (Merrick Bank) and Visa a few days later.
Of its delay in briefing Visa, CardSystems said it wanted to know exactly what had happened and the FBI was investigating. When Visa learned of the news, it quickly told the world.
Proponents of the “everythings just fine as it is” school pointed to the situation as proof that the current rules are sufficient, that the industry can adequately police itself. Visa was repeatedly praised as having announced the break-in even though it was not legally required to do so.
But it was CardSystems Perry who made the most convincing point of the day in favor of needing new laws when he testified that his company is facing a likely bankruptcy. He blamed it on having disclosed the incident to Visa.
“As a result of coming forward, CardSystems is being driven out of business,” he said, adding that other companies are likely to have a strong disincentive to come forward if CardSystems is left to die.
The immediate cause of those financial problems are because Visa and American Express have already said they are going to stop using CardSystems.
Wait a second. CardSystems is not facing severe economic distress because it disclosed this incident. Thats like a murderer complaining about living in prison and blaming it on police on the rationale that had the police not arrested him, he wouldnt be in prison.
Visa and American Express did not fire CardSystems because they disclosed. For that matter, Visa and Amex didnt even fire CardSystems because they were the victim of a criminal attack.
Visa and Amex fired CardSystems because CardSystems had blatantly violated two critical conditions of their contracts. Those violations were discovered because of the investigation of the break-ins, but thats beside the point.