Forwarded from: security curmudgeon <jericho@private>

Everyone grab their violins..

: http://www.washingtonpost.com/wp-dyn/content/article/2005/07/21/AR2005072102465.html
:
: By Jonathan Krim
: Washington Post Staff Writer
: July 22, 2005
:
: The head of a payment processing firm that was infiltrated by computer
: hackers, exposing as many as 40 million credit card holders to possible
: fraud, told Congress yesterday that his company is "facing imminent
: extinction" because of its disclosure of the breach and industry's
: reaction to it.
:
: "As a result of coming forward, we are being driven out of business,"
: John M. Perry, chief executive of CardSystems Solutions Inc., told a
: House Financial Services Committee subcommittee considering
: data-protection legislation. He said that if his firm is forced to shut
: down, other financial companies will think twice about disclosing such
: attacks.

Hi Mr. Perry. I'm California law. I *require* you to come forward over such a breach. You don't have a choice, you were not being altruistic, you were not being overly ethical. You were following the laws.

: Perry called the decisions by Visa and American Express draconian and
: said that unless Visa reconsiders, CardSystems would close and put 115
: people out of work.
:
: While Perry said his company is doing everything it can to ensure that
: such a breach never occurs again, Visa said it could not overlook that
: CardSystems knowingly violated contractual requirements for how long
: credit card data were supposed to be stored and how they were secured.

CardSystems signed a contract with Visa saying that data would meet certain technical security specifications, and that it would adhere to a policy regarding data retention. This compromise shows that *both* failed, and Visa is not happy with CardSystems breaking said contract. This is business 101 folks.

I feel bad about most of the employees that will lose their jobs, but CardSystems failed them and they are paying the price. As a Visa and AmEx card holder, I am quite happy.

: Neither Perry nor representatives of the major credit card companies
: could explain at the hearing why an audit of CardSystems in 2003 did not
: address its computer vulnerabilities or its practice of retaining some
: data for research purposes.

Hope it leaks out which security firm did this audit!
This archive was generated by hypermail 2.1.3 : Mon Jul 25 2005 - 01:57:17 PDT