CardSystems Solutions, the credit card processing company victimized by hackers who potentially gained access to some 40 million credit card accounts, has installed new software to boost security, a software vendor said Tuesday.
eEye Digital Security, which makes the SecureIIS software used to prevent intruders from breaking into company web sites, said it sold the package to CardSystems on June 10 and it was deployed three days later. That means Atlanta-based CardSystems’ purchase came about three weeks after the company’s security incident occurred on May 22. News of the problem broke last week.
A CardSystems spokesman said Tuesday the company’s executives would not speak to the media until they had finished investigating the incident.
But a statement on the company’s web site said: “CardSystems is completing the installation of enhanced/additional security procedures recommended by the security assessor involved in the investigation.”
eEye’s SecureIIS product is designed to protect a company’s web pages from attack. And it’s unlikely that CardSystems stored credit card information on its main web server.
But CardSystems hasn’t released much information on the technical nature of the security breach. eEye’s Marc Maiffret, the firm’s head of research, believes one of the company’s databases may have been compromised by a skilled attacker.
“For 95 percent of all these commerce-related break-ins, it comes down to being the product of web-based attacks on their back-end servers,” said Mr. Maiffret. “It’s a custom attack where someone sits down and rigorously probes the system. It’s probably not an automated attack.”
What’s also uncertain is whether CardSystems had the most up-to-date security measures in place. Software programs can be very costly, said Mr. Maiffret.
“IT [information technology] people usually know what they want to buy, but oftentimes they don’t have the budget,” Mr. Maiffret said.
Financial companies often rely on consultants to design custom applications for dealing with transaction data, rather than buying a product from a big consumer software company such as Microsoft. This means systems are seldom patched to protect against new types of security threats.
CardSystems processes credit card transactions for biggies like Visa and MasterCard. Typically, credit card companies are expected to discard customer data as soon as transactions are completed. But the company held on to customer data for an undisclosed period of time, in violation of Visa's stated procedures.
"We should not have been doing that," John M. Perry, CardSystems CEO, told The New York Times.
Aliso Viejo, California-based eEye has raised $32 million in four rounds of venture investment from Bessemer Venture Partners and Insight Venture Partners since it was founded in 1998.