Fixed Isnt Good Enough for Payment Protection

News Analysis: CardSystems violated contracts by not encrypting data and retaining data it wasn't supposed to-and then became the nation's largest data-theft victim. Now it wants bygones to be bygones.

When credit card processing firm CardSystems announced Thursday that an independent auditor had declared its systems sound, one CardSystems executive said he now wants Visa and American Express to take it back.

CardSystems Inc. was at the center of the nations largest known data security breach back in May, when it reported that someone had broken into its systems and stolen the details of as many as 40 million payment cards, including names, account numbers and expiration dates.

CardSystems might have been seen as the victim had it not admitted that it violated its contracts with Visa International Service Organization, American Express Co. and others, by failing to encrypt credit card transaction data and by keeping on file card verification numbers that are never supposed to be stored.

Those transgressions made the data theft much more dangerous, company officials conceded.

When CardSystems CEO John Perry testified to an investigating congressional committee in July, he said that an earlier audit, done by the Cable & Wireless Security unit now owned by Savvis Communications Corp., had failed to identify the encryption and data-retention problems.

Saavis officials said the systems they were told to look at were fine at that time and that either the problems were on other machines or the sloppy procedures began after their audit had wrapped up.

The challenge of using security audits properly, and understanding what their results do and do not reveal, is becoming a major issue in retail payment systems.

On Thursday, CardSystems announced that a new audit, from AmbironTrustWave, had been completed.

/zimages/5/28571.gifRead the full story on Fixed Isnt Good Enough for Payment Protection

/zimages/5/28571.gifCheck out eWEEK.coms for the latest news, views and analysis on technologys impact on retail.