Rap Sheet

The Official Responses

Here are official responses that three of the companies involved sent to Computerworld regarding the theft of 8 million credit card numbers from credit card processor Data Processors International Inc. (DPI):

DPI's statement, dated Feb. 20, 2003

"Regarding your recent inquiry, Data Processors International (DPI), a card transaction processing firm based in Omaha, confirms that information targeted by the system intruder did not include any personal information that could relate a card number to an individual.

"While it remains unclear if any useable data was compromised at all, we confirm that personal information including account holder name, address, telephone number and Social Security number were not obtained through the attempted intrusion.

"Appropriate card association and law enforcement agencies continue their investigation with our full cooperation. Any consumer wishing to confirm the status of their account should immediately contact their card issuing organizations."

Statement from Visa U.S.A. Inc. in Foster City, Calif., received Feb. 20, 2003

"Visa U.S.A. has been informed by a third-party payment card processor about an unauthorized intrusion into its computer system. On the rare occasions when there is a potential that account information may be compromised, Visa quickly moves to protect the security of cardholders. It is important for Visa cardholders to know they are fully protected by Visa's $0 liability policy, which means they pay nothing in the event of unauthorized purchases.

"Visa's fraud team immediately notified all affected card-issuing financial institutions and is working with the third-party payment card processor to protect against the threat of a future intrusion. Visa will continue to monitor the situation and the potentially compromised accounts.

"Although fraud is at an all-time low, Visa helps to guard against it with our advanced neural-network fraud-detection systems and antifraud protections such as $0 liability."

Statement from MasterCard International Inc. in Purchase, N.Y., received Feb. 21, 2003

"In early February, MasterCard International was informed of an unauthorized intrusion of a database of a third-party merchant processor in the U.S.

"The database contained approximately 2.2 million MasterCard account numbers. Investigations are currently under way.

"MasterCard believes that it has identified all of the MasterCard account numbers and has notified the appropriate issuing members.

"MasterCard's rules require that merchants securely encrypt cardholder information, including card numbers. In addition, MasterCard has published and made available to its members 'Best Practices' for electronic-commerce merchants in order to guide them in securing this information.

"MasterCard continues to protect valuable online data and supports multiple security options, ranging from basic security measures to the most robust.

"In 2002, MasterCard launched Site Data Protection Service (SDP), a comprehensive set of global e-business security services that proactively protects online merchants from hacker intrusions. MasterCard also recently announced MasterCard SecureCode, which secures online credit and debit payments between cardholders, online merchants and financial institutions by addressing the issue of cardholder authentication.

"MasterCard has been an industry leader in the development of security features such as the use of three-dimensional holograms, the first tamper-evident signature panel and card validation codes. Building on this history of innovations, MasterCard continues to lead in its research and in piloting and deploying new security initiatives that strengthen fraud prevention even as criminals who perpetrate fraud develop new schemes and technologies."

Looming Legislation

California is ahead of the curve in addressing identity theft. A proposed law, SB 1386, would require notification of consumers when card information is compromised. A summary of the bill says, "This bill, operative July 1, 2003, would require a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."

What's Wrong With This Picture?

Gartner Inc. analysts Avivah Litan and John Pescatore outline what's wrong with the industry's response and the need for changes in a paper titled "Stolen Credit Card Case Should Prompt Card Companies to Act." View it at the Gartner.com Web site.

Links to Other Resources

  • Read about the Verified by Visa program.
  • Learn more about MasterCard's SecureCode program in this press release (download PDF) and this "Tech Talk" bulletin.
  • Visit DPI's Web site, which contains no mention of the break-in.
  • To learn more about what can be done to prevent identity theft, read "Preventing Identity Theft: Industry Practices Are the Key," which contains recommendations from the U.S. Department of the Treasury's National Summit on Identity Theft.
  • And check out this consumer's guide to avoiding identity theft.


Copyright © 2003 IDG Communications, Inc.