Visa USA is to stop CardSystems Solutions from managing its transactions because it is not satisfied with safety measures implemented by the Atlanta-based payments processor following a security breach that potentially exposed more than 40 million credit cards to fraud.
According to a New York Times report, Tim Murphy, Visa's SVP for operations, has sent a memorandum to several banks saying that CardSystems has not corrected the failure to provide proper data security for those accounts.
Visa says its decision to remove CardSystems came after a review and an independent investigation found that the payments processor had improperly stored customer data and did not have the proper controls in place.
CardSystems said in June that it had identified a potential security incident that occurred on Sunday May 22nd, which it reported to the FBI the next day. But the chief executive of CardSystems, John Perry, later told the New York Times that the company should not have been retaining the records that were breached.
Perry said the exposed data was being stored for "research purposes" to determine why some transactions had registered as unauthorised or uncompleted. This goes against data protection and storage rules established by MasterCard and Visa.
According to the latest NYT report, the memo says Visa has given at least 11 banks that hired CardSystems to handle the merchant transactions until the end of October to find another payment processor.
Until then CardSystems will be allowed to process Visa transactions as long as it has corrected any problems and allows a Visa-affiliated monitor on site to oversee operations.
CardSystems is also banned from handling Visa transactions from its international affiliates or any new merchants, processors or member banks in the US.
Within hours of Visa's decision, American Express also confirmed plans to sever ties with CardSystems beginning in October.
MasterCard has previously said it was giving CardSystems "a limited amount of time to demonstrate compliance with MasterCard security requirements", although the firm did not disclose a specific timescale.