Lessons learned from the MasterCard/Visa heist

How could MasterCard and Visa allow 40 million customer credit card numbers to be sucked out of their systems and into the hands of criminals? Last week I called them both to find out.

Free IT resource Open Source Business Conference (OSBC) May 22-23, 2007 Sponsored by OSBC Free IT resource Virtualization Insights from Top Experts - Learn how virtualization gets real! Sponsored by Dell

In response, Visa sent me a prepared statement. One sentence from the statement, in particular, is worth quoting: “We are actively monitoring the situation on a real-time basis using our state-of-the-art fraud-fighting technologies.”

Other than expecting to see VisaMan rip open his shirt to reveal his true identity as a state-of-the-art fraud-fighting superhero, something is wrong with this. Visa’s statement seems more concerned with covering the company’s collective behinds than facing the real issues.

At least, that’s what Avivah Litan, vice president and research director at Gartner, says. And she’s not alone. John Pescatore, a Gartner colleague and one of the most widely respected security analysts in the country, told me that the payment card industry has security rules in place but hasn’t been pushing hard enough and fast enough to enforce them.

CardSystems, the third-party service provider that let Visa/MasterCard down, made a simple and humble apology, explaining that it had put information it was not supposed to keep into the wrong file. A more meaningless explanation I have rarely heard.

Improper filing or otherwise, someone unauthorized was still able to get behind CardSystems’ firewall, insert code into the system that found the file, and download the data to his or her own system. If nothing else, I would like to ask that person how big a hard drive you need to hold 40 million records.

Fearful that additional layers of security would slow down credit card transactions and scare off customers, the industry has been dragging its feet, but Pescatore says that attitude has backfired. “Consumer confidence is now dropping faster than more security would ever have done,” he says.

After speaking to four security analysts, surprisingly I came away with the same answer from each.

Frank Smith, vice president of the technology strategy group at Capgemini, said, “They don’t supply due diligence to the whole system.” Gartner’s Litan said, “They have everything in place; they just don’t enforce it.” Paul Stamp, security analyst at Forrester Research, said “The processes were not properly enforced.” Pescatore said that the standards “have been pure eyewash. No enforcement.”

Such a security breach is usually brought about by a combination of factors, according to Stamp. There could be a breakdown in the process, or the process isn’t being enforced. A human could be doing something he or she shouldn’t — for instance, an authorized person performing a task they were not authorized to do. Finally, there could be a technical system problem.

The fact that CardSystems, an authorized third-party service provider, was trusted with customer information and did something that was not authorized leads me to ask why the auditors from MasterCard and Visa didn’t know that. Maybe it’s time to re-examine the whole system.

Beyond the current scandal is the reality that enterprises rely more and more on outsourcing providers and business partners. Your company is going to have to trust that someone beyond your own four walls is as diligent as you are.

That’s a tall order. If we’re to learn anything from this latest example, it’s that we need a little less trust and a lot more due diligence to protect our companies’ -- and our customers’ -- information.