The barrage of troubling enterprise security breaches continued last month when MasterCard International announced that a lapse on the part of its partner, CardSystems Solutions, had exposed 68,000 customers to a high risk of theft.
As a third-party payment processor for MasterCard, Visa and American Express, CardSystems had access to vast amounts of customer data—most of which it was not supposed to keep on its servers but, rather, discard after transaction processing. In addition, much of the data was stored unencrypted, despite the credit card companies requirements to the contrary.
CardSystems has even acknowledged that it kept the three-digit security codes—the codes that are supposed to make a credit card number alone insufficient—in the same unencrypted store with those account numbers.
This incident also brings to light more serious issues regarding inappropriate data usage. CardSystems has claimed that it retained data for the purpose of investigating spurious reports of failure to complete transactions. We dont think that reason is good enough—especially when CardSystems was under a contractual obligation to encrypt the data on hand and discard it as soon as possible.
Whatever CardSystems claims it was using the data for, its excuses do nothing to cushion the blow to the thousands of credit card holders who faced elevated risks of fraud. Credit card issuers such as Citigroup, JPMorgan Chase and MBNA America Bank should reverse their current policy of not notifying cardholders unless their accounts are defrauded.
Such disclosures are mandated by the California Security Breach Information Act, in effect since July 1, 2003, which requires companies based in California or with customers in California to notify the customers whenever their unencrypted personal information may have been compromised.
The incident should serve as a wake-up call for every company to take a fresh look at what kind of data it keeps, for how long and in what form—and to discard data, or replace it with statistics for future research or reporting, at the earliest opportunity. Data that is no longer stored cant be snooped.
Until a better alternative comes along, credit cards will play a crucial role in the economy. But with the sheer number of mergers and acquisitions—not to mention bankruptcies—occurring today, a large amount of data is floating around in a vulnerable state.
Whether that data is stored internally or by a third-party partner, a failure on the part of any organization to set and follow strict guidelines on whether the data should be stored at all and when it should be discarded makes storage vendors rich today—and could make plaintiffs attorneys richer tomorrow.
Corporate executives and IT managers must work together to define how their companies store and use sensitive data. Then they must consistently implement the practices they define.
Tell us what you think at [email protected].