In the largest known compromise of financial data to date, CardSystems Solutions, Inc. and its successor, Solidus Networks, Inc., doing business as Pay By Touch Solutions, have agreed to settle Federal Trade Commission charges that CardSystems' failure to take appropriate security measures to protect the sensitive information of tens of millions of consumers was an unfair practice that violated federal law. According to the FTC, the security breach resulted in millions of dollars in fraudulent purchases.
The settlement will require CardSystems and Pay By Touch to implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years. (the results are good for Pay by Touch in terms of potential clients knowing their data is safer with PBT than non-audited processors, thus giving them an industry advantage)
The proposed settlement requires CardSystems and Pay By Touch to establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. The settlement also requires them to obtain – every two years for the next 20 years – an audit from a qualified, independent, third-party professional that confirms that its security program meets the standards of the order, and to comply with standard bookkeeping and record-keeping provisions.
This case is similar to prior FTC actions involving alleged failures to secure credit and debit card information. As in the prior cases, CardSystems faces potential liability in the millions of dollars under bank procedures and in private litigation for losses related to the breach.
It should be noted that Pay by Touch is exempt from any liability that may, or may not have incurred, because the breach took place prior to their acquistion of CardSystems and because they acquired CardSystems assets, not the company itself.
The FTC said it would publish the proposed settlement in the Federal Register, then accept public comments for 30 days before finalizing the settlement.
Pay By Touch acquired CardSystems in December.
Copies of the complaint and consent agreement are available from the FTC's Web site at http://www.ftc.gov and also from the FTC's Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. (http://www.ftc.gov/opa/2006/02/cardsystems_r.htm)
The settlement will require CardSystems and Pay By Touch to implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years. (the results are good for Pay by Touch in terms of potential clients knowing their data is safer with PBT than non-audited processors, thus giving them an industry advantage)
The proposed settlement requires CardSystems and Pay By Touch to establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. The settlement also requires them to obtain – every two years for the next 20 years – an audit from a qualified, independent, third-party professional that confirms that its security program meets the standards of the order, and to comply with standard bookkeeping and record-keeping provisions.
This case is similar to prior FTC actions involving alleged failures to secure credit and debit card information. As in the prior cases, CardSystems faces potential liability in the millions of dollars under bank procedures and in private litigation for losses related to the breach.
It should be noted that Pay by Touch is exempt from any liability that may, or may not have incurred, because the breach took place prior to their acquistion of CardSystems and because they acquired CardSystems assets, not the company itself.
The FTC said it would publish the proposed settlement in the Federal Register, then accept public comments for 30 days before finalizing the settlement.
Pay By Touch acquired CardSystems in December.
Copies of the complaint and consent agreement are available from the FTC's Web site at http://www.ftc.gov and also from the FTC's Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. (http://www.ftc.gov/opa/2006/02/cardsystems_r.htm)