Security | By Larry Dignan | Posted 2005-12-13
These companies, led by CardSystems, suffered some of 2005's worst data-security breaches. Learn from their examples, so you won't show up on next year's list.
The big question: What can entice companies to beef up security? Bad press and stock declines usually do the trick, but peer pressure such as the Hall of Shame can be an even more effective motivator in The Year of Living Dangerously.
It would have taken a screw-up of truly massive proportions to keep CardSystems out of the Hall of Shame. Forty million credit-card numbers were at risk after an unauthorized individual infiltrated the company's network. CardSystems discovered the breach on May 22 and called the FBI the next day.
Details about the incident are still sketchy. MasterCard, Visa, American Express and CardSystems didn't initially comment on the incident, but CardSystems later confirmed that Visa planned to cut ties to the company as of Oct. 31.
MasterCard and Visa noted soon after the breach that CardSystems violated their security protocols by storing account numbers after processing transactions. Why was CardSystems allowed to operate if it wasn't in compliance with card issuer security standards? Apparently, CardSystems met Visa's security standards in June 2004, but subsequently began holding more data than it could protect.
After it was hacked, CardSystems said it installed "enhanced/additional security procedures" such as encrypting information transmitted and stored on its network and installing a series of firewalls to prevent data leaks.
On Sept. 1, CardSystems announced that it had gotten a clean bill of health from AmbironTrustWave, an independent data security assessment firm. CardSystems CEO John Perry said in a statement that Ambiron "audited the security of our network, the steps that our 110 employees take to safeguard cardholder data, our vulnerability management program, our information security policy and our ability to regularly monitor and test our network."
A Fight for Survival
Following the data breach, CardSystems had to deal with two issues: the specter of Visa abandoning the firm, and its future as an independent company. On Sept. 23, CyberSource Corp., an electronic payment processing company based in Mountain View, Calif., signed a letter of intent to acquire CardSystems for an undisclosed amount.
CyberSource intended to buy CardSystems' payment processing platform and connections to banks and credit-card networks that process transactions for 120,000 merchants. That deal, however, fell apart on Oct. 15 over "the inability of the parties to reach agreement in a timely manner," according to a statement from CyberSource.
Instead, Pay By Touch, a San Francisco company whose payment processing systems use fingerprints to authorize credit and debit transactions, bought CardSystems on Oct. 15. Terms of the deal weren't disclosed.
Pay By Touch CEO John Rogers says the company plans to add CardSystems to its existing merchant processing services business. Pay By Touch will also look to sell its products to CardSystems' customers.
The Pay By Touch deal bought CardSystems more time to get its house in order and convince customers to stay. For instance, Pay By Touch says Visa has extended its Oct. 31 exit date to Jan. 31 to allow the deal to close.