Contradictory Charges Rattle Data-Loss Case - 'Pointing Fingers' (Page 2 of 2)
A Visa executive, Steve Ruwe, Visa USA's executive vice president for operations and risk management, testified that Visa has asked Savvis to explain the discrepancy, has temporarily suspended using Savvis and is asking Savvis to revalidate earlier audits.
"Card Services is fighting for its life," said Richard Stiennon, vice president of threat research at Webroot, a Boulder, Colo.-based anti-spyware vendor.
Finger-pointing is useless, he said. "If you are installing unencrypted data on your machine, you are responsible," Stiennon said.
CardSystems' Perry even pointed to Cable & Wireless as a reason why his company couldn't answer all of Visa's questions. Perry testified that he "tried to contact former employees of Cable & Wireless" who had been involved in the audit, and "it was very difficult to track a lot of these people down."
But Bill Hancock, chief security officer at Savvis, who was chief security officer for Cable & Wireless at the time of the audits, directly contradicted Perry's testimony and defended his company's audit in an interview with Ziff Davis Internet News.
Hancock said the audit team for CardSystems consisted of four people. Three of those people still work at Savvis and the fourth recently left, and Hancock said he knows exactly where he is. Calls placed to CardSystems to address the discrepancy went unreturned.
As for Perry's congressional testimony about the missing former employees, Hancock said, "That is total, total disinformation."
"It's typical stuff," Hancock said. "Whoever's not in the room, let's blame them."
Asked if he thought Perry was lying, Hancock said that was a distinct possibility. He later said some of Perry's CardSystems employees who had been involved in the audit process had left the company, and maybe Perry had gotten confused and was referring to his difficulties in trying to reach his own former employees.
As to the core issue of the quality of the audit, Hancock said the improperly retained magstripe data was absolutely not on any of the machines that his team inspected; the team's mission was to inspect all of the machines that were involved with Visa transactions.
"The truth is that the people who did the audit are card-carrying certified information systems professionals," Hancock said. "We examined the systems and there was nothing there. The systems were directly examined. We were very meticulous about that."
During this kind of security audit, the audited company (CardSystems in this case) tells the auditors the relevant computers to examine.
If CardSystems was improperly retaining data at the time of the audit, Hancock said, the data must have been on a machine that was not among those that CardSystems identified as being relevant to the audit.
The audit "was done correctly. We don't examine every stinking computer," Hancock said, adding that auditors are limited to machines that are identified as relevant.
"In the boxes that we were told did the Visa processing, there was no evidence of mag [stripe] data being kept. But was it being kept 15 feet away?" Hancock asked. "If they had this stuff on a completely separate system, there is no way that any auditor would ever find this kind of information."
Magstripe data could have been added to the certified machines after the audit as well, Hancock said. "What happened post to [the audit], I don't know," he said.
Evan Schuman can be reached at Evan_Schuman@ziffdavis.com.