Wednesday, March 28, 2007

Differences in approach to this problem taken by MasterCard, CardSystems, security experts, and the government

MasterCard put CardSystems on notice after the breach, and its fellow credit card companies, Visa and American Express, both terminated their relationships with CardSystems. Both MasterCard and Visa also have the ability to impose six-figure fines on processors that do not follow their rules, which include a prohibition on retaining customer data that processors are not supposed to store. Besides no longer working with CardSystems, MasterCard has not done much. The high cost of new security measures is a major hurdle that most credit card companies do not want to deal with, and MasterCard is one of those companies.

CardSystems lost its major customers and had to stop its business operations; all of its assets were then acquired by CyberSource Corporation.

Security experts offered many ideas for improving security, but the credit card companies are not warming to these solutions because it costs a lot of money to protect customer data. If the only purpose of an expensive security measure is to better protect customer data, companies will not want to make changes unless there is some other motivation for them to do so, such as a financial reward.

In terms of the government, lawmakers from states like New York and Florida are proposing bills to address the problem of stolen customer data. They want bills that fine companies that do not comply with security standards and require companies to create written security policies if they do not have one. These fines would be imposed by people outside the credit card companies, working with the government.

What is the best solution to this problem for the parties involved? Why? Do you think that MasterCard will be successful in solving this problem?

The best solutions are the bills proposed in New York and Florida. Companies must be watched over by people outside the company so that there is no conflict of interest. These bills also propose fines on companies that do not follow the rules. Fines let companies know that they cannot get away with doing whatever they want and that when they do something wrong, they will be punished for it. Companies left alone to take care of their own security will keep doing what they want and wait until something goes wrong before taking action. It should not happen this way. Incidents like the one at CardSystems need to be prevented before anything actually happens.

MasterCard can solve this problem, but it will take a long time. Criminals are constantly coming up with new ways to break into company networks and steal information, and they are able to do so because their tools keep improving and bypassing the security put in place by companies. MasterCard will be slow to implement the best security solutions that exist because doing so costs money it does not want to spend and takes time away from its business.

Are there other solutions that should have been considered?

These solutions are a great idea for better protecting personal data and could help reduce the number of accounts lost and prevent hackers from being able to access sensitive data. Hackers who are stopped may deter others from trying the same thing. The legislative solutions are a particularly good idea because they hold companies responsible under the law. If companies are left alone to improve the security of their data, nothing will change until another breach occurs. Many companies wait until an incident occurs before they make any changes, because improving security is costly and they believe their security does not have a problem.

What solutions were considered by MasterCard and the other companies that are dealing with this problem? Were the solutions appropriate?

Some solutions that were presented include stronger methods of customer identification, dedicated security staff, and improved internal controls so that employees cannot access any files not relevant to their jobs. Using complex passwords, smart cards, tokens, and biometric devices would strengthen authentication and give companies tighter control over the data. The problem, though, is that these solutions cost money, and many companies are not willing to spend the money to better protect their data unless there is some financial return.

Legislation is another way to help protect consumer data nationwide and not just within certain companies. One data security expert believes that applying the Sarbanes-Oxley Act to personal data security would be a good solution and would force companies to pay fines each time an account is lost. In New York, Democratic Senator Charles Schumer proposed an Office of Identity Theft operating under the Federal Trade Commission. The office would set minimum security standards for any company handling sensitive personal data and fine companies that fail to uphold the standards. Representative Cliff Stearns of Florida proposed a similar bill that would require companies to create written data security policies.

Has MasterCard correctly identified the problem? What are the people, organization, and the technology issues associated with the problem?

MasterCard has been able to correctly identify who the culprit was, what problem occurred, and where it happened, and it believes that CardSystems' lack of security allowed it to happen.

MasterCard, Visa, and American Express were the credit card companies whose customer card data was stolen and exposed to the hacker. CardSystems was the third-party payment processor that handled customer payments for all three companies. The technology issue that plagued these companies and led to the hacking incident was that the data was not encrypted, allowing the hacker to read the data and make use of it. Encryption might have made the stolen data useless or less valuable to the hacker, but would not necessarily have prevented the intrusion itself, and it only helps if the decryption key is kept somewhere the attacker cannot reach. Another issue is that customer data is supposed to be passed on to the banks, but CardSystems held on to customer data and stored it in its systems, something it was not allowed to do. MasterCard has also said that CardSystems never demonstrated compliance with its security guidelines. MasterCard seemed to fully recognize that there was a problem, but maintained that it was not the one to blame for it. It blamed CardSystems for the loss of customer data and the security breach. CardSystems, though, says it was audited by an independent auditor and approved by the Visa payment association.

What is the problem faced by MasterCard and the other credit card companies and banks in this case? What caused the problem? What is its impact?

What MasterCard and the companies involved had to deal with was one of the worst cases of data theft ever. As many as 40 million credit card accounts were exposed, and 200,000 were actually stolen in a hacking incident. The hacking incident took place at a payment processing company called CardSystems Solutions, used by various credit card companies including MasterCard and American Express. 22 million Visa accounts, 13.9 million MasterCard accounts, and a number of American Express and Discover card accounts were breached.

The incident occurred when a hacker was able to take advantage of security vulnerabilities in the CardSystems network by placing a script, a small computer program, on the network, thereby gaining access to cardholder data. The data was not encrypted; encryption could have lowered the value of the data or even made it useless to the thief.
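The two points above about the stored data (it was kept when it should not have been, and it was kept in the clear) are the ones a practitioner can actually act on. The following Go program is an added illustration, not code from the original post and not anything CardSystems or MasterCard ran: it shows what a processor's at-rest record for a card could look like if the account number is encrypted with AES-GCM under a key held outside the database, with only the last four digits kept in the clear and no security code or track data stored at all. The record layout, the merchant-binding idea, and the sample card number are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredCard is the assumed at-rest record. Note what is NOT here: no
// cleartext account number, no CVV/security code, no magnetic-stripe track
// data. Those are the fields a processor has no business retaining.
type StoredCard struct {
	Last4      string // safe to keep in the clear for receipts and lookups
	Nonce      []byte // per-record GCM nonce
	Ciphertext []byte // AES-GCM output: encrypted PAN plus authentication tag
}

// Vault wraps the data-encrypting key. The key is deliberately not a field of
// StoredCard: in a real deployment it lives in an HSM or key-management
// service, so a copy of the database table alone yields nothing readable.
type Vault struct {
	aead cipher.AEAD
}

// NewVault builds an AES-GCM vault from a 16-, 24-, or 32-byte key.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Store encrypts the primary account number and keeps only the truncated
// digits in the clear. merchantID is bound as associated data so a
// ciphertext moved to another merchant's row fails authentication.
func (v *Vault) Store(pan, merchantID string) (StoredCard, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return StoredCard{}, errors.New("invalid PAN length")
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredCard{}, err
	}
	ct := v.aead.Seal(nil, nonce, []byte(pan), []byte(merchantID))
	return StoredCard{Last4: pan[len(pan)-4:], Nonce: nonce, Ciphertext: ct}, nil
}

// Reveal recovers the PAN. It fails if the key, the nonce, the ciphertext
// or the merchant binding differ from what Store used.
func (v *Vault) Reveal(rec StoredCard, merchantID string) (string, error) {
	pt, err := v.aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(merchantID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed demo key and test card number (a well-known test PAN).
	key := make([]byte, 32)
	v, err := NewVault(key)
	if err != nil {
		panic(err)
	}
	rec, err := v.Store("4111111111111111", "merchant-42")
	if err != nil {
		panic(err)
	}
	// This is all an attacker who dumps the table would see.
	fmt.Printf("stored: last4=%s ciphertext=%x\n", rec.Last4, rec.Ciphertext)

	// The legitimate path, with the key, still works.
	pan, _ := v.Reveal(rec, "merchant-42")
	fmt.Println("revealed with key:", pan)

	// A different key, or the wrong merchant, gets an authentication error.
	other, _ := NewVault(append([]byte{1}, key[1:]...))
	_, err = other.Reveal(rec, "merchant-42")
	fmt.Println("wrong key:", err)
}
```

The design point is separation: the table holds ciphertext, the key holds the value. An intruder who can read the database but not the key store is left with truncated digits, which is the outcome the post describes as making stolen data "useless or less valuable". It does not stop the intrusion, and it does not help if the attacker's script runs inside the application that already holds the key.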

This incident led Visa and American Express to terminate their relationships with CardSystems, and because the company no longer had these large clients, it was no longer able to function as a business; plans were later made by CyberSource Corporation to buy all of the company's assets. California consumers and retailers also filed a class action lawsuit against CardSystems, Visa, and MasterCard for violating state law by failing to secure their networks properly and failing to notify consumers quickly after the incident occurred.