For Release: February 23, 2006%%N%%NIn the largest known compromise of financial data to date, CardSystems Solutions, Inc. and its successor, Solidus Networks, Inc., doing business as Pay By Touch Solutions, have agreed to settle Federal Trade Commission charges that CardSystems' failure to take appropriate security measures to protect the sensitive information of tens of millions of consumers was an unfair practice that violated federal law. According to the FTC, the security breach resulted in millions of dollars in fraudulent purchases. The settlement will require CardSystems and Pay By Touch to implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years.%%N%%NThis is the ninth FTC case targeting companies whose security practices compromised consumers' confidential financial information, and the first the Commission has brought against a credit card processor.%%N%%N“CardSystems kept information it had no reason to keep and then stored it in a way that put consumers' financial information at risk,” said Deborah Platt Majoras, Chairman of the FTC. “Any company that keeps sensitive consumer information must take steps to ensure that the data is held in a secure manner.”%%N%%NAccording to the FTC, CardSystems provided merchants with products and services used in “authorization processing” – obtaining approval for credit and debit card purchases from the banks that issued the cards. Last year, it processed about 210 million card purchases, totaling more than $15 billion, for more than 119,000 small and mid-size merchants. In processing these transactions, CardSystems collected personal information from the magnetic strip of the card, including the card number, expiration date, and other data. CardSystems then stored this information on its computer network. Pay By Touch acquired CardSystems' assets in December 2005, and now processes transactions for the same merchants CardSystems served.%%N%%NThe FTC charged that CardSystems engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for sensitive consumer information. Specifically, the agency alleges that CardSystems:%%N%%N* created unnecessary risks to the information by storing it;%%N* did not adequately assess the vulnerability of its computer network to commonly known or reasonably foreseeable attacks, including “Structured Query Language” injection attacks;%%N* did not implement simple, low-cost, and readily available defenses to such attacks;%%N* did not use strong passwords to prevent a hacker from gaining control over computers on its computer network and access to personal information stored on the network;%%N* did not use readily available security measures to limit access between computers on its network and between its computers and the Internet; and%%N* failed to employ sufficient measures to detect unauthorized access to personal information or to conduct security investigations.%%N%%NAccording to the FTC's complaint, these practices compromised millions of credit and debit cards, and led to millions of dollars in fraudulent purchases. In addition, after the fraud was discovered, banks cancelled and re-issued thousands of credit cards, and consumers experienced inconvenience, worry, and time loss dealing with the affected cards.%%N%%NThe proposed settlement requires CardSystems and Pay By Touch to establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. The settlement also requires them to obtain – every two years for the next 20 years – an audit from a qualified, independent, third-party professional that confirms that its security program meets the standards of the order, and to comply with standard bookkeeping and record-keeping provisions.%%N%%NThis case is similar to prior FTC actions involving alleged failures to secure credit and debit card information. As in the prior cases, CardSystems faces potential liability in the millions of dollars under bank procedures and in private litigation for losses related to the breach.%%N%%NThe Commission vote to accept the proposed consent agreement was 4-0, with Commissioner Pamela Jones Harbour recused. The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through March 27, 2006, after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, Room H-159, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC requests that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.%%N%%NCopies of the complaint and consent agreement are available from the FTC's Web site at www.ftc.gov and also from the FTC's Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint in English or Spanish (bilingual counselors are available to take complaints), or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at www.ftc.gov/ftc/complaint.htm. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad. %%N%%NSource: FTC press release
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information: bankcardlife.com?orid=33533&opid=1 .
Source: Company press release.
FIBT transitions to 4th generation of family leadership
AtoB, Maverik to offer discounts to fuel card customers
Trulioo transactions surge 34% for global marketplaces
UnionPay aims to make payments easier for global visitors to China
Installment payments boost global companies' revenue in Brazil
Aghanim offers instant payouts for mobile game developers
Alchemy Pay registered under Visa's Ramp Provider Program