How could MasterCard and Visa allow 40 million customer credit card numbers to be sucked out of their systems and into the hands of criminals? This week I called them both to find out.
In response, Visa sent me a prepared statement. One sentence from the statement, in particular, is worth quoting: "We are actively monitoring the situation on a real-time basis using our state-of-the-art fraud-fighting technologies."
Other than expecting to see VisaMan rip open his shirt to reveal his true identity as a state-of-the-art fraud-fighting superhero, something is wrong with this. Visa's statement seems more concerned with covering the company's collective behinds than facing the real issues.
At least, that's what Avivah Litan, vice president and research director at Gartner, says. And she's not alone. John Pescatore, a Gartner colleague and one of the most widely respected security analysts in the country, told me that the payment card industry has security rules in place but hasn't been pushing hard enough and fast enough to enforce them.
CardSystems, the third-party service provider that let Visa and MasterCard down, made a simple and humble apology, explaining that it had put information it was not supposed to keep into the wrong file. A more meaningless explanation I have rarely heard.
Whatever the filing error, the data in question was never supposed to be retained in the first place, and an unauthorized party was still able to get behind CardSystems' firewall, plant code on the system that located the file, and download its contents to his or her own machine. If nothing else, I would like to ask that person how big a hard drive you need to hold 40 million records.
Fearful that additional layers of security would slow down credit card transactions and scare off customers, the industry has been dragging its feet, but Pescatore says that attitude has backfired. "Consumer confidence is now dropping faster than more security would ever have caused it to do," he says.
Surprisingly, after speaking to four security analysts, I came away with the same answer from each.
Beyond the current scandal is the reality that enterprises rely more and more on outsourcing providers and business partners. Your company is going to have to trust that someone beyond your own four walls is as diligent as you are.
That's a tall order. If we're to learn anything from this latest example, it's that we need a little less trust and a lot more due diligence to protect our companies' -- and our customers' -- information.