CardSystems Solutions President and CEO John Perry appeared before a House subcommittee Thursday to testify how the payment processor’s network was breached, exposing thousands of credit cards to potential fraud.
The House Financial Services Subcommittee on Oversight and Investigations held the hearing to investigate data security in the payment card industry.
“First and foremost, we truly regret this occurrence of data theft,” Perry said in a prepared statement. “We have repeatedly acknowledged our error, and are committed to making sure it does not happen again.”
The breach occurred last September, when an intruder placed a script on CardSystem’s platform through an internet-facing application that customers use to access data, he said. The script was designed to export data and succeeded May 22 in snatching files containing records on 239,000 account numbers.
The script searched for records with track data – the data on a card’s magnetic stripe and contains identifying data.
“As we have repeatedly acknowledged, our error was that the data was kept in readable form in violation of Visa and MasterCard security standards,” Perry said, adding that the company no longer stores track data.
Perry assured lawmakers that it is unlikely the incident led to identity theft because CardSystems does not have access to data such as Social Security numbers. The company also has not been aware of any incidents of fraud related to the breach.
He said the company is taking steps to prevent future security breaches and is focused on complying with Visa and MasterCard’s PCI (Payment Card Industry) standards.
Earlier this week, Visa and American Express said they will no longer allow CardSystems to process their tranactions as of Oct. 31.
In a statement to the committee, Visa said it “cannot overlook the significant harm the data compromise and CardSystems’ failure to maintain the required security protections has had on Visa member financial institutions and merchants as well as the significant concerns it has raised for cardholders.”
Visa said it spends more than $300 million each year to protect cardholder data and reduce fraud. Fraud within the Visa system “is at an all-time low of just five cents per $100 transacted,” the company testified.
Also scheduled to appear at Thursday’s hearing were representatives of MasterCard, American Express, and Merrick Bank – CardSystems bank sponsor.