July 22, 2005

Data-Theft Case Proves Need For New Disclosure Law

By Evan Schuman, Ziff Davis Internet

Opinion: Top payment-system executives are trying to convince members of Congress that no new laws are needed for credit card payment security. But Retail Tech Editor Evan Schuman says the facts tell a very different story.

Top payment-system executives traveled to Washington on Thursday to try to convince members of Congress that no new laws are needed for credit card payment security, that the industry can police itself just fine. But the facts delivered during the testimony told a very different story.

What forced the hearing was a well-publicized security breach in May, when CardSystems Solutions reported that someone had broken into its systems and stolen the details of as many as 40 million payment cards, including names, account numbers and expiration dates.

CardSystems' CEO, John Perry, told the investigating panel that his people immediately called the FBI and reported the problem, and that the company told its sponsoring bank (Merrick Bank) and Visa a few days later.

Of its delay in briefing Visa, CardSystems said it wanted to know exactly what had happened and the FBI was investigating. When Visa learned of the news, it quickly told the world.

Proponents of the "everything's just fine as it is" school pointed to the situation as proof that the current rules are sufficient, that the industry can adequately police itself. Visa was repeatedly praised as having announced the break-in even though it was not legally required to do so.

But it was CardSystems' Perry who made the most convincing point of the day in favor of needing new laws when he testified that his company is facing a likely bankruptcy. He blamed it on having disclosed the incident to Visa.

"As a result of coming forward, CardSystems is being driven out of business," he said, adding that other companies are likely to have a strong disincentive to come forward if CardSystems is left to die.

The immediate cause of those financial problems is that Visa and American Express have already said they are going to stop using CardSystems.

Wait a second. CardSystems is not facing severe economic distress because it disclosed this incident. That's like a murderer complaining about living in prison and blaming it on police on the rationale that had the police not arrested him, he wouldn't be in prison.

Visa and American Express did not fire CardSystems because they disclosed. For that matter, Visa and Amex didn't even fire CardSystems because they were the victim of a criminal attack.

Visa and Amex fired CardSystems because CardSystems had blatantly violated two critical conditions of their contracts. Those violations were discovered because of the investigation of the break-ins, but that's beside the point.

CardSystems' two crimes were allowing the credit card data files to be readable (not encrypted) and keeping on file some consumer-identifying data from the cards' magnetic stripes. That's why CardSystems is in trouble, and no clever PR spin should allow us to forget that.

But CardSystems certainly had no monopoly on PR spin at Thursday's hearing. Isn't it remarkable that both American Express and Visa decided on Tuesday to terminate CardSystems for this months-old incident?

It's more remarkable yet when you remember that they were both testifying before the committee on Thursday morning, so Tuesday announcements would be in the papers the day before the hearing, which is when committee aides are preparing the House representatives.

There's no doubt that the contract violations were the underlying reason for the terminations, but the timing of the hearing was certainly a factor. Gotta look like you're trying your best when facing members of Congress looking for a scapegoat.

Speaking of scapegoats, a new player was introduced into this mess Thursday, and it was Cable & Wireless Security, now owned by Savvis Communications. Cable & Wireless had performed an audit on CardSystems long before the incident, and that glowing audit report is what Visa pointed to as the reason it welcomed CardSystems into its group.

Quickly sensing a better scapegoat (political note: the best scapegoat is always the one not in the room), CardSystems seized on Cable & Wireless' audit as the problem here. Gosh, implied CardSystems' CEO, had only Cable & Wireless been doing its job, it would have discovered how lousy a job I was doing, and none of this would have happened. Shame on them!

In fairness, Cable & Wireless Security may indeed have missed some things in its audit, but when we spoke with the executive in charge of that auditing team (who apparently hadn't known of the congressional testimony until we called and brightened his day), he was quite convincing that the problems didn't exist on the machines they examined when they examined them.

This gets us into the age-old—and difficult to fix—problem with any kind of auditing. The auditor works for the company being audited. The auditor is allowed to examine only what the audited company provides. If Cable & Wireless was told that these machines over here were the only ones used for handling Visa transactions, they were limited to exploring those machines.

Even if those were the correct machines, an audit is only a snapshot of the days on which it happened. If the company starts getting sloppy (or worse) the day after the audit is completed, the auditor can't be blamed.

Visa also cited a lack of cooperation from CardSystems as one of its reasons for severing its relationship. (As a reporter who has never received a call back from CardSystems, I'll try not to comment that those charges certainly seem easy to believe.)

CardSystems defended its shortfall of answers to Visa by saying that some unidentified former employees of Cable & Wireless couldn't be found to answer those questions.

Cable & Wireless said no such people exist. The audit team consisted of four people, three of whom are still with the company, while the fourth left recently and is very easy to find.

Perry's point about the disincentives to disclose, however, is quite valid. Without a new law, these kinds of incidents won't happen less frequently. They'll merely be disclosed less frequently.

It's like the sleight of hand of the FBI's crime statistics. Television anchors typically say those numbers mean that the number of murders or burglaries or whatnot has gone up or down, but that's not at all what the reports say.

They merely say that the number of crimes reported and classified as murders or burglaries has gone up or down. There are lots of reasons why reports go up or down that have little to do with the actual crime going up or down.

There's no question that lots of finger-pointing surrounds this problem, along with seemingly contradictory information. And there's also no question that it wouldn't be any better if it had all happened in secret.