ARLINGTON, Va. – It may take another week for credit unions around the country to gauge how much damage has been done to themselves and their members who might have been caught up in the most recent major card security breach. CardSystems Solutions, a card processing firm headquartered in Atlanta, confirmed MasterCard's June 17 statement that data from some 40 million cards, 13.9 million MasterCard's and the balance spread over other brands, had been compromised. Company CEO John Perry has stated in media reports about the breach that the company was keeping the data for "research" and acknowledged that it should not have been keeping it. But Sharon Gamsin, a spokesman for MasterCard, said that the number two card brand was not prepared to discuss any fines, sanctions or penalties for the firm even though it had violated the card brand's regulations for data security, and she seemed to signal that no penalties would be forthcoming. "You know, they have been very cooperative and pro-active about letting us know what happened and what has been going on," Gamsin said. "And they have put procedures in place to keep a similar breach from happening again and that is the important thing." But the timeline of this breach called into question how quickly CardSystems acted to inform everyone. According to Gamsin, MasterCard had received notices from some of its issuers indicating "small pockets" of fraud as early as the end of March and asked CardSystems to investigate. As of press time, both MasterCard and Visa have begun to report the card account numbers which belong to credit unions and which have been identified as compromised in the breach to credit union card processors such as PSCU Financial Services, Certegy and TNB Card Services. As these firms have identified the credit unions which own those accounts, they have sent the information on to them so they can notify members. Both Gamsin and Merry Pateuk, spokesman for PSCU Financial Services, were at pains to point out that while 40 million card accounts were compromised in the breach, a relatively low number – media reports said 200,000 – were actually stolen. As far as MasterCard knew, Gamsin said, only 68,000 accounts were actually moved off the CardSystems computers and are thus at the highest risk for fraud. She also echoed Pateuk's point that the data lost in the breach was merely the card numbers, expiration dates and security codes for the transactions, not other data such as social security numbers or addresses, data which could be used to mount identity theft. "The bottom line is that financial losses are at risk here," Gamsin said, "and not identity theft." Visa has not been available for comment on the breach. Meanwhile the steady flow of card data from hacked companies, processors and retailers continues to feed an apparently growing online black market for the stolen data. A June 21 article in the New York Times reported that Gold Visa and MasterCard numbers and data go for $100 in online chatrooms on Web sites created for the purpose of trading the data. The existence of these Web sites facilitates the movement of stolen data away from the U.S. or Europe and into the former Soviet Union or Asia where it can be used and sold multiple times until the fraud is finally detected. But Stan Paur, CEO of Pulse, the EFT branch of Discover and former ATM and EFT association said he doubted there would be too much consumer impact from the card security breaches – as long as the payments industry took care to attack the fraud and security breach problem head on. "Everyone in the payments industry has a responsibility to address consumers' concerns about fraud and card data safety as quickly and as thoroughly as the can," Paur said, "and to put into place protections such as neural networks which will help prevent fraud from happening even if card numbers are compromised." Paur related the story of a former executive with MasterCard who decided on a trip to London to purchase a dress for his wife. Even though he was an executive with the card brand, his first attempt to make the purchase with a MasterCard was turned down because the network thought the purchase was out of pattern for that card. "Consumers have to be able to be confident that any payment system has the smallest risk of fraud possible," Paur said. But he also added that every payment system across history has been attacked by fraudsters and that he expected fraud attacks on cards would grow as they took a steadily larger share of the payments market. -


[email protected]

Complete your profile to continue reading and get FREE access to, part of your ALM digital membership.

  • Critical information including comprehensive product and service provider listings via the Marketplace Directory, CU Careers, resources from industry leaders, webcasts, and breaking news, analysis and more with our informative Newsletters.
  • Exclusive discounts on ALM and CU Times events.
  • Access to other award-winning ALM websites including and

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.