CardSystems Solutions and its successor Solidus Networks (which does business as Pay By Touch) are also obliged to implement a comprehensive information security programme.

The case hit the headlines in June last year after it was revealed that security vulnerabilities in the systems of Tucson-based CardSystems had allowed a hacker to infiltrate its network and access cardholder data, putting cards of all brands at risk of fraud.

According to the FTC, CardSystems provided merchants with products and services used in “authorisation processing” – obtaining approval for credit and debit card purchases from the banks that issued the cards. In processing these transactions, CardSystems collected personal information from the magnetic stripe of the card, including the card number, expiration date, and other data. CardSystems then stored this information on its computer network.

The watchdog charges that CardSystems failed to provide reasonable and appropriate security for this sensitive consumer information.

According to the complaint, CardSystems not only created unnecessary risks to the information by storing it, but it did not then adequately assess the vulnerability of its computer network to commonly known or reasonably foreseeable attacks.

The company did not implement simple, low-cost, and readily available defences to such attacks, nor did it use strong passwords to prevent a hacker from gaining control over computers on its computer network and access to personal information stored on the network.

In addition, says the FTC, CardSystems did not use readily available security measures to limit access between computers on its network and between its computers and the internet, nor did it employ sufficient measures to detect unauthorised access to personal information or to conduct security investigations.

“CardSystems kept information it had no reason to keep and then stored it in a way that put consumers' financial information at risk,” said Deborah Platt Majoras, Chairman of the FTC. “Any company that keeps sensitive consumer information must take steps to ensure that the data is held in a secure manner.”

The security breach resulted in millions of dollars in fraudulent purchases and caused banks to cancel and re-issue thousands of credit cards. On top of this, consumers experienced inconvenience, worry, and lost time dealing with the affected cards, according to the FTC.