Joe Christensen walked in the doors at CardSystems Solutions last July, charged with establishing a program to help the beleaguered payment processing company earn compliance with the Payment Card Industry (PCI) security standard.
Talk about a tall order.
Not only had CardSystems reported two months prior that hackers had stolen 263,000 customer credit card numbers and exposed 40 million more, but Visa and MasterCard threatened to terminate it as a transactions processor. The death watch was on, something CEO John Perry confirmed before Congress where he said his company faced "imminent extinction" because of Visa and MasterCard's action.
Stress, fear and uncertainty were palpable inside CardSystem's Atlanta offices. Somehow, Christensen, the new vice president of security and compliance, didn't high-tail it out the door.
CardSystems, if not doomed, was at least ripe for an acquisition. But that would not happen without information security and PCI-compliant processes in order. In fact, to facilitate an acquisition, Visa and MasterCard twice extended compliance deadlines, first to Oct. 31, 2005, then Jan. 31.
Fortunately, Christensen says, a compliance effort was well under way. CardSystems had hired AmbironTrustWave to perform a forensic analysis and consult on compliance; there was a solid understanding of weaknesses and priorities. Christensen's first priorities were to understand where card data was kept and how it was accessed, and to ensure that the hack could not be replicated.
In September 2004, hackers dropped a malicious script on the CardSystems application platform, injecting it via the Web application that customers use to access account information. The script, programmed to run every four days, extracted records, zipped them and exported them to an FTP site. Its function was to search servers for only track data--the name, credit card number, expiration date and CVV code contained on the magnetic strip on the back of a credit card. Perry told Congress the only time data was successfully exported was May 22. The exported data--records of failed transactions that were kept for research purposes--was in readable form, a PCI violation.
For too long, Christensen says, CardSystems concentrated on delivering its core business to market--routing transaction authorization requests from POS terminals to a payment card network, then facilitating payments to merchants--without enough regard for the way data was kept safe. Security was a function of IT, and the dearth of dedicated security personnel was especially glaring post-breach. "Awareness of the things you have to do to maintain systems securely was not at a level it needed to be," Christensen says. "[CardSystems didn't have] a culture of security, which isn't unusual."
That drastically changed in the ensuing months. Backed by senior management, Christensen and his team fully encrypted the company's backend systems--one of the few transaction processors to do so, he says. They also put in place procedures where all coding was tested against the Open Web Application Security Project's top 10 critical Web application vulnerabilities before being put into production. Monthly vulnerability scanning and centralized patching systems were ramped up. Internal access controls that severely restrict who can get at customer accounts were also set in stone. Laptop security was addressed, and a consolidation security policy was adopted for future acquisition targets.
Going forward, Christensen plans to address a move from tape backup to remote encrypted digital-vault backups. He also wants to beef up employee awareness, with new-hire training, annual refresher courses, security awareness days and fresh policies on how to handle data, especially papers left in the open on desks and fax machines.
All of this helped make CardSystems PCI compliant (avoiding a Visa and MasterCard shutdown) and preserve value in its assets. This made the company attractive to PayByTouch, which agreed to acquire it in October 2005.
"What happened has completely changed the culture," Christensen says. "[PCI] is the bottom line to maintain; that's the floor, not the ceiling."
This was a lesson learned too late for old CardSystems.
This article originally appears in the April 2006 issue of Information Security magazine. After reading all of the profiles in this series on SearchSecurity.com, be sure to vote in our Quick Poll for the person you think is most worthy of being named Ultimate Survivor.
Dig Deeper on Information Security Incident Response-Information
IT services company Savvis is being sued by US bank Merrick following a data breach in 2006 at the bank's payment processor, which had previously been...