
Utah bank says big breach put its data at risk

New reports in CardSystems scandal suggest that the scope of the data theft is even more serious than previously thought.

A small bank in Utah is the latest company to become entangled in the controversy over a security breach that has put personal data on 40 million cardholders at risk for fraud.

The Utah institution, Merrick Bank, began using CardSystems Solutions--the processor from which the information was stolen--when it bought a portion of Provident Bank's merchant business in November 2004. Merrick acknowledged Wednesday that CardSystems had not complied with Visa and MasterCard's security standards, but would not say when it became aware that the company was not following the rules, or whether the violations occurred under its watch.

The timing is important because those violations have placed Visa, MasterCard and American Express cardholders at risk for fraud. It is also critical because those payment companies have said that banks that hire third-party processors are responsible for ensuring that those companies are in compliance.

In a statement, Merrick said it was "committed to ensuring that all the necessary steps are taken by CardSystems to quickly resolve the problems that allowed the incident to occur." Merrick said that CardSystems had already made a number of changes, and with the help of an outside security consultant would complete any remaining changes shortly.

A CardSystems spokeswoman declined to comment because of several investigations.

The news from Merrick comes as the scope of the security breach becomes even more serious than previously thought. The National Australia Bank said Wednesday that it had detected fraudulent activity on a few hundred MasterCard and Visa accounts as early as November 2004. That suggests that the consumer data had been compromised for at least six months, and possibly longer, between the time the theft occurred and the point at which MasterCard said it was able to trace the fraud back to the processor.

It also offers a somewhat different timetable than the ones MasterCard, Visa and CardSystems have provided. According to Jeff Lynch, a National Australia Bank spokesman, the suspicious activity prompted the bank to conduct an investigation. By mid-January, it was able to home in on CardSystems as the source, and the bank says it notified MasterCard, Visa and other Australian banks around that time.

MasterCard has said it did not detect atypical fraud levels until mid-April, when it was alerted by several banks and then began investigating; CardSystems and Visa said they did not start until May.

Over the last few days, cardholders in Australia, Japan, China and elsewhere in Asia have been told that their accounts are now at risk. Even though American processors handle transactions made on American soil, any foreign traveler to the United States or shopper who visited an American retailer online may have found account information exposed.

The credit card industry is organized so that many of a bank's important functions are contracted out to third-party providers. A so-called sponsoring bank, like Merrick, handles accounts for thousands of merchants. But the processing of the transactions is outsourced to a third-party company like CardSystems.

Merrick said it had worked closely with credit card payment associations and law enforcement authorities since learning of the breach.

Both the FBI and federal financial regulators are investigating CardSystems, which says it is cooperating. Merrick declined to say whether it had been contacted.

Merrick's disclosure raises more questions about the oversight of security controls in an industry where processing companies are largely unregulated, even though they handle millions of consumer records each day. While Visa and MasterCard provide a list of security requirements in order to link to their networks, it is up to the bank that hires the processor to ensure that it is following the rules.

The associations, like Visa and MasterCard, require that outside processors pass an annual security audit and have their computer networks scanned every quarter. Processors are required to register with the associations, but the results of the network scans are provided to the bank that contracts for their services and are available to Visa or MasterCard only upon request.

Merrick declined to comment on the last time it reviewed the results of the security audit or scan.

Wayne Arnold contributed reporting from Kuala Lumpur, Malaysia, for this article.