The credit card system's weak link?

updated 10:24 a.m. ET June 21, 2005

The criminal exploit that exposed 40 million credit card accounts to possible fraud is shedding light on an arcane but sensitive piece of the financial industry: the hundreds of companies that process transactions between merchants and card issuers.

While enormous in scope, the breach disclosed Friday at CardSystems Solutions Inc. was by no means the first such attack on a card processor.

Many analysts believe that banks and credit card companies, despite working hard to tighten their own security, have failed to force payment processors to maintain similar standards.

"They're not being watched carefully enough," said Avivah Litan, an analyst with Gartner Inc.

In recent years, card associations such as Visa and MasterCard have set up security requirements for processors to follow. No laws in particular govern this program, but the card associations can impose fines of several hundred thousand dollars for transgressions.

However, Litan said proactive audits of companies like CardSystems don't really happen.

Credit card companies "just sort of wait for them to have a breach," she said. "There's just a lot of vagaries in how it's enforced." In fact, she said, several similar breaches have happened before and the public wasn't told.

Card processors and merchants must certify through third-party monitors that they meet the banks' and credit card associations' security standards. But complying can be a long and costly process.

Consequently, several experts said they doubt that CardSystems, which annually processes some $15 billion in transactions for more than 105,000 small to mid-sized businesses, is alone among card processors in being vulnerable to hackers.

"It's quite possible that it could exist elsewhere," said Michael Petitti, a senior vice president at AmbironTrustWave, one of the companies that performs the industry's security certifications. CardSystems was not in his company's purview, he said.

The breach occurred after CardSystems inappropriately held onto card data for "research purposes" rather than deleting it. Forty million accounts were exposed, and records pertaining to at least 200,000 are known to have been stolen, primarily MasterCard and Visa cards.

CardSystems did not return repeated calls seeking comment Monday, but MasterCard spokeswoman Sharon Gamsin said the records — names, banks and account numbers — should have been deleted because "you don't want that information sitting around."

"Merchants aren't allowed to keep it, and these processors aren't allowed to keep it," she said.

The FBI is investigating "several different angles," bureau spokeswoman Deb McCarley said Monday. She would not provide details.

MORE FROM TECHNOLOGY & SCIENCE

Technology & Science Section Front

Hubble telescope spots most distant galaxies   Cheating? Watch that e-trail Surprise! Merchants say Web fraud is down Cosmic Log: From the desert to space Fake sites trick search engines to rank higher   'Avatar: The Video Game' crashes and burns Petunias and potatoes may be carnivorous MySpace buys imeem music site iPhone app lets you bird-watch on the go Cosmic Log: SpaceShipTwo goes on show Technology & Science Section Front   Add Technology & Science headlines to your news reader: