CardSystems Solutions Redux: The Settlement
John Stith Staff Writer
2006-02-23
The company CardSystems Solutions has reached a settlement with the Federal Trade Commission (FTC). It was at the center of the ninth and largest financial data breach in history, one that compromised tens of millions of people's financial information.
Earlier this year, a storm surrounded third-party credit card processing firm CardSystems Solutions and its successor, Solidus Networks Inc. The breach received a lot of attention because the company processed a large volume of credit purchases: 210 million credit card purchases totaling over $15 billion for more than 119,000 merchants.
The problem arose because CardSystems retained the data stored on the card's magnetic stripe, which includes card numbers, PIN numbers, expiration dates and other personal data. This was a serious problem on several levels: storing that information not only violated the contracts the company had with companies like Visa, it also drew a federal investigation. The FTC announced the resulting settlement today.
"CardSystems kept information it had no reason to keep and then stored it in a way that put consumers' financial information at risk," said Deborah Platt Majoras, Chairman of the FTC. "Any company that keeps sensitive consumer information must take steps to ensure that the data is held in a secure manner."
The FTC's complaint charges that CardSystems:
· created unnecessary risks to the information by storing it;
· did not adequately assess the vulnerability of its computer network to commonly known or reasonably foreseeable attacks, including "Structured Query Language" injection attacks;
· did not implement simple, low-cost, and readily available defenses to such attacks;
· did not use strong passwords to prevent a hacker from gaining control over computers on its computer network and access to personal information stored on the network;
· did not use readily available security measures to limit access between computers on its network and between its computers and the Internet; and
· failed to employ sufficient measures to detect unauthorized access to personal information or to conduct security investigations.
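Two of the practices the complaint faults, keeping magnetic-stripe data at rest and building SQL from untrusted text, are shown below next to the minimised, parameterised alternative a processor could use instead. This is an added example, not code from the article, CardSystems or the FTC; every value in it is constructed.

```python
import sqlite3

# Constructed authorisation record; every value is made up for this example.
SAMPLE_AUTH = {
    "pan": "4111111111111111",                        # constructed test PAN
    "expiry": "2712",                                 # YYMM
    "track2": ";4111111111111111=2712101123456789?",  # constructed Track 2 data
    "pin_block": "0A1B2C3D4E5F6071",                  # constructed, never to be stored
    "merchant": "Bob's Diner",                        # legitimate name with an apostrophe
    "amount_cents": 1999,
}
FORBIDDEN_AT_REST = {"track2", "pin_block"}  # no reason to keep these after authorisation

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE txns (pan_ref TEXT, expiry TEXT, merchant TEXT, amount INTEGER)")
    return conn

def concatenated_insert(conn, auth):
    """The practice the complaint faults: full PAN kept and SQL assembled from untrusted
    text. Returns False when the database rejects the statement; an apostrophe in the
    merchant name is enough, and that parsing behaviour is what injection attacks abuse."""
    sql = "INSERT INTO txns VALUES ('%s', '%s', '%s', %d)" % (
        auth["pan"], auth["expiry"], auth["merchant"], auth["amount_cents"])
    try:
        conn.execute(sql)
        return True
    except sqlite3.OperationalError:
        return False

def mask_pan(pan):
    """Keep only the last four digits; the full number is not needed after authorisation."""
    return "*" * (len(pan) - 4) + pan[-4:]

def minimise(auth):
    """Derive the only fields worth retaining; stripe data and the PIN block never appear."""
    row = {"pan_ref": mask_pan(auth["pan"]), "expiry": auth["expiry"],
           "merchant": auth["merchant"], "amount": auth["amount_cents"]}
    assert FORBIDDEN_AT_REST.isdisjoint(row), "sensitive field leaked into stored record"
    return row

def store_minimised(conn, auth):
    """Data minimisation plus a parameterised statement: the driver quotes the values."""
    row = minimise(auth)
    conn.execute("INSERT INTO txns VALUES (?, ?, ?, ?)",
                 (row["pan_ref"], row["expiry"], row["merchant"], row["amount"]))
    return row

def stored_rows(conn):
    return conn.execute("SELECT * FROM txns").fetchall()
```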
The proposed settlement requires CardSystems and Pay By Touch to establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. The settlement also requires them to obtain - every two years for the next 20 years - an audit from a qualified, independent, third-party professional that confirms that its security program meets the standards of the order, and to comply with standard bookkeeping and record-keeping provisions.
The FTC assessed no financial penalties. As the agency points out, however, CardSystems could still face punitive actions from financial institutions and from individuals who have experienced a loss.
This decision comes as Congress begins to consider a bill regarding the storage of consumer information. It stems from cases just like this one.
About the Author:
John is a staff writer for SecurityProNews covering cyber security.