BOSTON – Visa USA Inc. and American Express Co. (AXP) are cutting ties with the payment-processing company that left 40 million credit and debit card accounts vulnerable to hackers in one of the biggest breaches of consumer data security.
CardSystems Solutions Inc. "has not corrected, and cannot at this point correct, the failure to provide proper data security for Visa accounts," said Rosetta Jones, a spokeswoman for Foster City, Calif.-based Visa.
She said banks that issue Visa cards would have until Oct. 31 to replace CardSystems with one of the hundreds of other payment-processing companies in the United States.
American Express also notified CardSystems it would sever their relationship as of October, spokeswoman Judy Tenzer said. CardSystems was a small part of American Express' network, handling less than 0.5 percent of its transactions, she said.
Atlanta-based CardSystems released a statement saying it was "disappointed and very surprised," and hoped Visa would reconsider. The company did not address American Express' decision.
CardSystems told the FBI it learned of a potential breach of its computer network on May 22, and the break-in was publicly disclosed last month.
However, it appears the breach happened much earlier. Visa's Jones said Australian banks had notified the credit card company about fraud in January that at the time seemed isolated. But later investigation revealed that the security hole at CardSystems was responsible, she said.
While information relating to 40 million accounts was laid bare in the break-in, at least 200,000 were said to have been stolen, primarily MasterCard and Visa cards. The FBI has not disclosed details of the investigation.
Visa said that while CardSystems has taken some remediating actions since the breach was disclosed, those could not overcome the fact that it was inappropriately holding on to account information — purportedly for "research purposes" — when the breach occurred, in violation of Visa's security rules.
MasterCard International Inc. is taking a different tack with CardSystems. The credit card company expects CardSystems to develop a plan for improving its security by Aug. 31, "and as of today, we are not aware of any deficiencies in its systems that are incapable of being remediated," spokeswoman Sharon Gamsin said.
"However, if CardSystems cannot demonstrate that they are in compliance by that date, their ability to provide services to MasterCard members will be at risk," she said.
Jennifer Born, a spokeswoman for Discover Financial Services Inc., which also has a relationship with CardSystems, said the Riverwoods, Ill.-based company was "doing our due diligence and will make our decision once that process is completed."
Privately held CardSystems, headed by a former Visa executive, has 115 employees in Atlanta and Tucson, Ariz., where its system was hacked. Backed by such investors as Principal Financial Group Inc., CardSystems has been in business for more than 15 years and processes more than $15 billion in payments annually.