According to Julie Creswell and Eric Dash of The New York Times, the nation's largest credit card companies are still unsure which customer accounts were affected by a computer security breach at a processing company recently reported by MasterCard.
Data from approximately 200,000 MasterCard and Visa accounts, along with other credit card issuers, are known to have been stolen in the breach. MasterCard said that more than 40 million credit card accounts were exposed.
All of the largest credit card companies, such as Citigroup, J.P. Morgan Chase and MBNA, assured customers that they were carefully monitoring accounts and that customers would not be held responsible for fraudulent charges.
Most of the nation's credit card companies said they were still awaiting information from MasterCard and Visa about which accounts were in danger of fraudulent activity because of a security breach from last month at CardSystems Solutions, which processes payments for small to midsize businesses.
Visa and MasterCard began giving banks lists of the affected accounts last Friday. Visa said this process should be completed soon.
Christy Phillips, a spokeswoman for Wachovia Bank said that Wachovia does have customers that are affected, but the bank has not been told by Visa which accounts might be affected. She also said that a course of action will be decided once Wachovia receives that information.
Almost all the banks reported an increase in calls from customers concerned about their credit and debit card accounts. However, consumer advocates say there is no need to cancel accounts yet.
Edmund Mierzwinski, consumer program director at the U.S. Public Interest Research Group, said:
"Consumers should wait for notice from the bank. In the interim, if consumers have the ability to check credit and checking accounts online they should do that and if not, they should open and review their statements very carefully the next couple of months."
Jim Donahue, a spokesman for MBNA added:
"We're flagging any of the accounts that have been reported to us as at-risk in this incident. In situations where we can confirm that there has been suspicious activity, we will close and re-issue the account."
CardSystems recently admitted it had stored records containing thousands of cardholder names, account numbers, and security codes in violation of both MasterCard's and Visa's rules. The processor said that the information was stored for 'research purposes' to determine why some transactions were never authorized or completed. Data security specialists have questioned whether storing that information was necessary.
Merchant processors like CardSystems must undergo a yearly assessment along with quarterly network scans to meet compliance standards of credit card companies. The question remains as to why MasterCard would allow a processor that never met its security standards to handle at least 13.9 million of its cards.
In a statement issued by MasterCard, they said they do not allow processors that are in violation of their rules to process transactions and that as soon as they identified noncompliance, immediate action was taken to bring the processor into compliance. MasterCard also said it detected rule violations by CardSystems only when it began investigating this spring.
A CardSytems spokeswoman declined to comment, saying the company was continuing its investigation.
CardSystems underwent a Visa security audit in December 2003 and was certified by Visa in June 2004 as complying with Visa's security rules. Rosetta Jones, spokeswoman for Visa, said Visa did not find out that CardSystems was not complying with its policies until mid-May and that Visa was working quickly to bring the processor's security system back in line. She also stated:
"When we investigated, that's when we knew they were storing the data, and that's when they fell out of compliance."
We welcome your comments about credit card security in our popular credit forum!
Quotes and partial content for this article courtesy of the NY Times.