In re CardSystems Solutions, Inc., FTC Docket No. C-4168, Complaint (Sept. 8, 2006) (full-text).
Factual Background Edit
According to the complaint, CSS provides merchants with products and services used in “authorized processing” of credit and debit card purchases from the banks that issue the cards. CSS uses the Internet and web-based software applications to provide information to client merchants about authorizations it has performed for them.
CSS collects information from a customer’s credit or debit card magnetic stripe, including, but not limited to, the customer name, card number and expiration date, a security code used to verify electronically that the card is genuine, and certain other information; formats and transmits the information to a computer network operated by or for a bank association (such as Visa or MasterCard) or another entity (such as American Express), which then transmits it to the issuing bank. The issuing bank receives the request, approves or declines the purchase, and transmits its response to the merchant over the same computer networks used to process the request. The response includes the personal information that was included in the authorization request the issuing bank received.
According to the complaint, DSS “engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information stored on its computer network,” including:
- Created unnecessary risks to the customers’ information by storing it in a vulnerable format for up to 30 days;
- Did not adequately assess the vulnerability of its web application and computer network to commonly known or reasonably foreseeable attacks, including but not limited to “Structured Query Language” (or “SQL”) injection attacks;
- Did not implement simple, low-cost, and readily available defenses to such attacks;
- Failed to use strong passwords to prevent a hacker from gaining control over computers on its computer network and access to personal information stored on the network;
- Did not use readily available security measures to limit access between computers on its network and between such computers and the Internet; and
- Failed to employ sufficient measures to detect unauthorized access to personal information or to conduct security investigations.
According to the complaint, a hacker exploited these “failures” and installed software on CSS’s computer network that allowed him to collect and transmit magnetic stripe data stored on CSS’s network to computers located outside the network. This information was then used to manufacture counterfeit cards that were used to make fraudulent purchases.
The question of whether any of these acts constituted “unfair acts or practices” under Section 5 was never adjudicated, since CSS immediately agreed to settle.
Consent and Order Edit
Under the Order, which lasts for 20 years, CSS must:
- Designate “an employee or employees to coordinate and be accountable for the information security program”;
- Identify “material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information,” and assess “the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures.”
- “[D]esign and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures.”
- “[E]valuation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by [this order], any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.”
CSS must also obtain a biennial assessment and report from a qualified, objective, independent, certified, third-party professional concerning DSW’s compliance with the Order.