
Data-Theft Case Proves Need For New Disclosure Law

Written By
Evan Schuman
Jul 22, 2005

Top payment-system executives traveled to Washington on Thursday to try to convince members of Congress that no new laws are needed for credit card payment security, that the industry can police itself just fine. But the facts delivered during the testimony told a very different story.

What forced the hearing was a well-publicized security breach in May, when CardSystems Solutions reported that someone had broken into its systems and stolen the details of as many as 40 million payment cards, including names, account numbers and expiration dates.

CardSystems’ CEO, John Perry, told the investigating panel that his people immediately called the FBI and reported the problem, and that the company told its sponsoring bank (Merrick Bank) and Visa a few days later.

Of its delay in briefing Visa, CardSystems said it wanted to know exactly what had happened and the FBI was investigating. When Visa learned of the news, it quickly told the world.

Proponents of the “everything’s just fine as it is” school pointed to the situation as proof that the current rules are sufficient, that the industry can adequately police itself. Visa was repeatedly praised as having announced the break-in even though it was not legally required to do so.

But it was CardSystems’ Perry who made the most convincing point of the day in favor of needing new laws when he testified that his company is facing a likely bankruptcy. He blamed it on having disclosed the incident to Visa.

“As a result of coming forward, CardSystems is being driven out of business,” he said, adding that other companies are likely to have a strong disincentive to come forward if CardSystems is left to die.


The immediate cause of those financial problems is that Visa and American Express have already said they are going to stop using CardSystems.

Wait a second. CardSystems is not facing severe economic distress because it disclosed this incident. That’s like a murderer complaining about living in prison and blaming it on police on the rationale that had the police not arrested him, he wouldn’t be in prison.

Visa and American Express did not fire CardSystems because they disclosed. For that matter, Visa and Amex didn’t even fire CardSystems because they were the victim of a criminal attack.

Visa and Amex fired CardSystems because CardSystems had blatantly violated two critical conditions of their contracts. Those violations were discovered because of the investigation of the break-ins, but that’s beside the point.

CardSystems’ two crimes were allowing the credit card data files to be readable (not encrypted) and keeping on file some consumer-identifying data from the cards’ magnetic stripes. That’s why CardSystems is in trouble, and no clever PR spin should allow us to forget that.

But CardSystems certainly had no monopoly on PR spin at Thursday’s hearing. Isn’t it remarkable that American Express and Visa both decided on Tuesday to terminate CardSystems for this months-old incident?

It’s more remarkable yet when you remember that they were both testifying before the committee on Thursday morning, so Tuesday announcements would be in the papers the day before the hearing, which is when committee aides are preparing the House representatives.

There’s no doubt that the contract violations were the underlying reason for the terminations, but the timing of the hearing was certainly a factor. Gotta look like you’re trying your best when facing members of Congress looking for a scapegoat.
