Citation Edit

In re CardSystems Solutions, Inc., FTC Docket No. C-4168, Complaint (Sept. 8, 2006) (full-text).

Factual Background Edit

According to the complaint,[1] CSS provides merchants with products and services used in “authorized processing” of credit and debit card purchases from the banks that issue the cards. CSS uses the Internet and web-based software applications to provide information to client merchants about authorizations it has performed for them.

CSS collects information from a customer’s credit or debit card magnetic stripe, including, but not limited to, the customer name, card number and expiration date, a security code used to verify electronically that the card is genuine, and certain other information; formats and transmits the information to a computer network operated by or for a bank association (such as Visa or MasterCard) or another entity (such as American Express), which then transmits it to the issuing bank. The issuing bank receives the request, approves or declines the purchase, and transmits its response to the merchant over the same computer networks used to process the request. The response includes the personal information that was included in the authorization request the issuing bank received.

According to the complaint, DSS “engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information stored on its computer network,”[2] including:

  1. Created unnecessary risks to the customers’ information by storing it in a vulnerable format for up to 30 days;
  2. Did not adequately assess the vulnerability of its web application and computer network to commonly known or reasonably foreseeable attacks, including but not limited to “Structured Query Language” (or “SQL”) injection attacks;
  3. Did not implement simple, low-cost, and readily available defenses to such attacks;
  4. Failed to use strong passwords to prevent a hacker from gaining control over computers on its computer network and access to personal information stored on the network;
  5. Did not use readily available security measures to limit access between computers on its network and between such computers and the Internet; and
  6. Failed to employ sufficient measures to detect unauthorized access to personal information or to conduct security investigations.[3]

According to the complaint, a hacker exploited these “failures” and installed software on CSS’s computer network that allowed him to collect and transmit magnetic stripe data stored on CSS’s network to computers located outside the network.[4] This information was then used to manufacture counterfeit cards that were used to make fraudulent purchases.[5]

The question of whether any of these acts constituted “unfair acts or practices” under Section 5 was never adjudicated, since CSS immediately agreed to settle.

Consent and Order Edit

Under the Order, which lasts for 20 years, CSS must:

CSS must also obtain a biennial assessment and report from a qualified, objective, independent, certified, third-party professional concerning DSW’s compliance with the Order.

References Edit

  1. In re CardSystems Solutions, Inc., FTC Docket No. C-4168, Complaint (Sept. 8, 2006).(full-text)
  2. Id. ¶6.
  3. Id.
  4. Id. ¶7.
  5. Id. ¶8.
  6. In re CardSystems Solutions, Inc., FTC Docket No. C-4168, Decision and Order § I (Sept. 8, 2006).(full-text)

Ad blocker interference detected!

Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.