In a bold move, MasterCard lays down the law on CardSystems. And by “lay down the law”, I mean they upped the ante from recommending they comply with security procedures to “putting them on notice” to comply. Um…. Is it me, or does that sound like the same thing to you? If the only ramification from MasterCard is finger wagging, it shouldn’t be surprising that CardSystems would fail to take the regulations seriously. I’m concerned – this foolishness at CardSystems was the biggest loss of financial account data ever, and MasterCard’s reaction was to “put them on notice”? What do you have to do before they take any stronger action?
In other news, CardSystems says not to worry about it, ’cause they’ve got everything under control over there. To paraphrase Bill Reeves (Chief Marketing Guru for CardSystems) in his “remediation” statement: “it’s totally handled. Like, we fixed the problem already, and now our security is all good. And, like, we spent a whole month totally hunting down all the problems, but it was worth it ’cause now they’re all totally fixed. Nothing more to see here, thanks.” Thanks, Bill. Personally, when I need a security opinion, the first person I look to is in the marketing department.
Give me a break, CardSystems saying it’s “remediated” is a joke – take a look through Bill’s marketing pablum and see if you can find the actual steps they took. Here are the steps as reported by Bill: 1) contact the FBI, 2) hire a third party to “validate systems security”, 3) kick off an assessment initiative. Read the news stories, Bill – the FBI contacted YOU – so take #1 off the list. #3 is something you should be doing already, but frankly it scares the crap out of me that you didn’t have an assessment team before this crap hit the fan. And #2, while a decent marketing tool, really doesn’t do much for the underlying problem – which is the fact that your business people are running fast and loose without security or regulatory guidance.
So, where is CardSystems now? More or less in the same place they were before, except now marketing is on board telling the public not to worry about it. Want my opinion? First, assign somebody the role of knowing what the regulations are and involve them in business process decisions; make sure they sign off that they’ve reviewed every new business process. Assign them a staff to work with. That should help with the “we didn’t know it was against the rules” crap. Second, have a security team (just like 98% of the rest of financial services) and give them the charter to review the current business processes and applications – since apparently having a team of people “assess” the security of their business processes is a new concept at CardSystems, look to outside guidance like the FS-ISAC for help on how to set up a security organization.
Disturbing.