WASHINGTON – A credit card processing company agreed to settle allegations that it failed to protect consumer data, resulting in millions of dollars in fraudulent purchases, the U.S. Federal Trade Commission said Thursday.
The proposed settlement requires the privately-owned company to adopt stricter security measures and have an independent audit every other year for the next 20 years.
CardSystems faces potential liability for millions of dollars in private lawsuits for losses, the FTC said.
"CardSystems kept information it had no reason to keep and then stored it in a way that put consumers' financial information at risk," said Deborah Majoras, FTC chairman. "Any company that keeps sensitive consumer information must take steps to ensure that the data is held in a secure manner."
CardSystems authorized and approved credit and debit card purchases for merchants. Last year, it processed about 210 million card purchases, totaling more than $15 billion, for more than 119,000 small and mid-size merchants.
In processing transactions, CardSystems collected card numbers, expiration dates, and other data which was stored on its computer network.
The FTC accused CardSystems of failing to have enough security measures in place to keep hackers out of its computer network and to limit access between computers on its network and between its computers and the Internet. Among other things, the company did not do enough to detect or investigate unauthorized access to personal information, the agency said.
The lack of security "compromised millions of credit and debit cards, and led to millions of dollars in fraudulent purchases," the FTC said.
The FTC said it would publish the proposed settlement in the Federal Register, then accept public comments for 30 days before finalizing the settlement.
Pay By Touch acquired CardSystems in December.