Contradictory Charges Rattle Data-Loss Case

During congressional testimony Thursday, executives from bank and credit card companies involved in the largest credit card data loss ever pointed fingers at a new culprit for gaps in security: the auditors who had certified the credit card processing systems as being up to snuff.

But in an interview with Ziff Davis Internet News, those auditors—who did not testify at the hearings—vehemently disagreed with the testimony and said one of the CEO witnesses was either lying or very mistaken.

The role played by the Cable & Wireless Security unit, now owned by Savvis Communications Corp., was made public during the testimony of David Watson, the chairman of Merrick Bank, which is one of seven banks that made payments to merchants who used CardSystems Solutions.

In May, CardSystems reported that someone had broken into its systems and stolen the details of as many as 40 million payments cards, including names, account numbers and expiration dates. The hearing was being held to see if new laws are needed to prevent such a situation from recurring.

Read more here about the security breach.

CardSystems officials have admitted that they violated their contracts with major credit card companies by storing customer-identifiable data from card magnetic stripes.

Watson testified that CardSystems used Cable & Wireless Security for a security audit in 2003, choosing from a Visa-approved list of auditors who could certify companies as complying with Visa’s CISP (Cardholder Information Security Program).

Cable & Wireless did indeed certify CardSystems, according to CardSystems CEO John Perry, who testified that he relied on that certification to be sure that the systems were compliant with CISP rules and that they weren’t retaining data they shouldn’t.

Merrick’s Watson testified that after the May break-in, his company brought in its own auditing team, Ubizen, to perform a forensic security audit. Ubizen discovered two problems.

“First, CardSystems retained certain transaction data on its system in clear violation of association rules. These data-retention practices were inconsistent with CISP standards, and it is unclear to us why the Cable & Wireless report did not note any objection to the practice, which was ongoing when the CISP certification was approved by Visa in 2004,” Watson testified. “Ubizen reports this data-retention practice had been followed by CardSystems since 1998.”

Ubizen also “identified certain issues with CardSystems servers and software, which were compromised by the intruder. The Cable & Wireless report did not make any mention of these system vulnerabilities,” Watson told the panel.

“Ubizen reports that CardSystems servers showed evidence of unauthorized activity as early as April 2004. The Ubizen report does not confirm, however, any actual data loss until May 2005.”

Next Page: Pointing fingers.