Monday, June 20, 2005

Lost Credit Data Improperly Kept, Company Admits

Eric Dash writes in the NY Times:

The chief of the credit card processing company whose computer system was penetrated by data thieves, exposing 40 million cardholders to a risk of fraud, acknowledged yesterday that the company should not have been retaining those records.

The official, John M. Perry, chief executive of CardSystems Solutions, indicated that the records known to have been stolen covered roughly 200,000 of the 40 million compromised credit card accounts, from Visa, MasterCard and other card issuers. He said the data was in a file being stored for "research purposes" to determine why certain transactions had registered as unauthorized or uncompleted.

"We should not have been doing that," Mr. Perry said. "That, however, has been remediated." As for the sensitive data, he added, "We no longer store it on files."

Under rules established by Visa and MasterCard, processors are not allowed to retain cardholder information including names, account numbers, expiration dates and security codes after a transaction is handled.

"CardSystems provides services and is supposed to pass that information on to the banks and not keep it," said Joshua Peirez, a MasterCard senior vice president who has been involved with the investigation. "They were keeping it."


0 Comments:

Post a Comment

<< Home