MasterCard International Identifies Security Breach at CardSystems Solutions, A Third Party Processor of Payment Card Data
Purchase, NY, June 17, 2005 -
MasterCard International reported today that it is notifying
its member financial institutions of a breach of payment card
data, which potentially exposed more than 40 million cards of
all brands to fraud, of which approximately 13.9 million are
MasterCard International's team of security experts identified that the breach occurred at Tuscon-based CardSystems Solutions, Inc., a third-party processor of payment card data. Third party processors process transactions on behalf of financial institutions and merchants.
Through the use of MasterCard fraud-fighting tools that proactively monitor for fraud, MasterCard was able to identify the processor that was breached. Working with all parties, including issuing banks, acquiring banks, the processor and law enforcement, MasterCard immediately launched an investigation into the breach, and worked with CardSystems to remediate the security vulnerabilities in the processor's systems. These vulnerabilities allowed an unauthorized individual to infiltrate their network and access the cardholder data.
CardSystems has already taken steps to improve the security of its system. However, MasterCard is giving it a limited amount of time to demonstrate compliance with MasterCard security requirements.
Importantly, in keeping with its standards that focus on consumer protection and the safeguarding of sensitive information, MasterCard immediately notified its customer banks of specific card accounts that may have been subject to compromise so they can take the appropriate measures to protect their cardholders.
In the event of a cardholder data breach, MasterCard always takes this precaution regardless of whether there is any indication that fraud has resulted and whether or not there has been a final determination that a security breach has or has not occurred. Upon receiving notice from MasterCard, banks are able to take the appropriate steps to protect their cardholders from potential fraud. No highly sensitive information, such as social security numbers or dates of birth or the like, are stored on MasterCard cards.
Consumers have strong protection if unauthorized charges are made on their MasterCard cards. In the U.S., MasterCard cardholders are protected by MasterCard's Zero Liability policy for unauthorized transactions on their accounts. If MasterCard cardholders have any reason to believe that their cards were used fraudulently, they should contact their issuing bank.
Protecting cardholders, preventing fraud, and safeguarding financial information are top priorities at MasterCard. The company maintains a global team of experts devoted to maintaining the integrity and security of its payment systems and who work closely with federal, state, and local law enforcement agencies to help in the apprehension of fraudsters and other criminals.
Federal Regulation of Data
While Congress continues to consider data breach notification standards, MasterCard urges them to enact wider application of Gramm-Leach-Bliley, the act that includes provisions to protect consumers' personal financial information held by financial institutions. Currently, GLBA only applies to financial institutions providing services to consumers, including MasterCard. MasterCard urges Congress to extend that application to also include any entity, such as third party processors, that stores consumer financial information, regardless of whether or not they interact directly with consumers.