Visa, Amex cut ties with CardSystems

Visa USA Inc. and American Express Co. are cutting ties with the payment-processing company that left 40 million credit and debit card accounts vulnerable to hackers in one of the biggest breaches of consumer data security.
Source: The Associated Press

CardSystems Solutions Inc. “has not corrected, and cannot at this point correct, the failure to provide proper data security for Visa accounts,” said Rosetta Jones, a vice president at Foster City, Calif.-based Visa, in a statement.

She said banks that issue Visa cards would have until Oct. 31 to replace CardSystems with one of the hundreds of other payment-processing companies in the U.S.

American Express also notified CardSystems it would sever their relationship as of October, spokeswoman Judy Tenzer said. CardSystems was a small part of American Express’ network, handling less than 0.5 percent of its transactions, she said.

Atlanta-based CardSystems released a statement saying it was “disappointed and very surprised,” and hoped Visa would reconsider. The company did not address American Express’ decision.

CardSystems told the FBI it learned of a potential breach of its computer network on May 22, and the break-in was publicly disclosed last month.

However, it appears the breach happened much earlier. Visa’s Jones said Australian banks had notified the credit card company about fraud in January that at the time seemed isolated. But later investigation revealed that the security hole at CardSystems was responsible, she said.

While information relating to 40 million accounts was laid bare in the break-in, credit card companies have said at least 200,000 were known to have been stolen, primarily MasterCard and Visa cards.

Visa said that while CardSystems has taken some remediating actions since the breach was disclosed, those could not overcome the fact that it was inappropriately holding on to account information — purportedly for “research purposes” — when the breach occurred, in violation of Visa’s security rules.

MasterCard International Inc. is taking a different tack with CardSystems. The credit card company expects CardSystems to develop a plan for improving its security by Aug. 31, “and as of today, we are not aware of any deficiencies in its systems that are incapable of being remediated,” spokeswoman Sharon Gamsin said.

“However, if CardSystems cannot demonstrate that they are in compliance by that date, their ability to provide services to MasterCard members will be at risk,” she said.

A spokeswoman for Discover Financial Services Inc., which also has a relationship with CardSystems, declined to comment.

Privately held CardSystems, headed by a former Visa executive, has 115 employees in Atlanta and Tucson, Ariz., where its system was hacked. Backed by such investors as Principal Financial Group Inc., CardSystems has been in business for more than 15 years and processes more than $15 billion in payments annually.