The theft of a personal computer with several hundred thousand credit card accounts stored in its memory has led MasterCard to suggest the security procedures of rival Visa are inadequate.
The computer, stolen from Visa's San Mateo, Calif., data processing center early this month, contained information transmitted from point of sale machines for 314,000 active credit card accounts - from Visa, MasterCard, American Express, Discover, and Citicorp's Diners Club.
Visa has offered to pay $20 per account, potentially $6.3 million, to replace the cards.
Although the five brands reacted quickly to the crime, and there has been no loss due to fraud, the incident shows how account information is vulnerable to fraud and theft from many directions.
Michael Stenger, special agent, financial crimes division for the U.S. Secret Service, said criminals will go after account information wherever they can find it.
"The computer is seen as a facilitator and a storage point," he said. "The main thing is (the thieves) need the information."
Account information from the different credit card networks is commonly routed through MasterCard and Visa processing systems from point of sale machines, and sent to the appropriate party.
"The question is, why was the information downloaded?" asked MasterCard spokesman Sean Healy. "We don't do that type of downloading."
He said MasterCard stores point of sale information on cartridges in high security locations in its St. Louis processing facility, where it would be "virtually impossible to replicate" the Visa theft.
However, David Melancon, a Visa International spokesman, contended, "Any card company that processes transactions" downloads account information.
Jerome Svigals, a smart-card and security consultant in Redwood City, Calif., said Visa would have downloaded this information only if it was working in the capacity of Vital Processing Services, its merchant processing arm.
He added the computer probably contained magnetic stripe information, such as account numbers, expiration dates, and encrypted verification codes.
"There is little or no protection against this problem," he said.
Visa said it may have been an inside job, although no one has been arrested. The thief or thieves were probably more interested in the computer hardware than the account information, Visa said.
"We have had rigorous plant security, but obviously not secure enough," Mr. Melancon added.
Visa, which said the vast majority of affected accounts were its own, said it immediately contacted all the parties involved and recommended they get in touch with cardholders.
Mr. Healy said the stolen computer contained information on accounts at 500 of MasterCard's member banks.
"We are recommending they close the affected accounts and issue new cards," Mr. Healy said. "We are monitoring authorizations very closely and have issued a worldwide security alert."
American Express, on the other hand, has chosen to monitor its own accounts without informing cardholders. It would not specify how many of its accounts were involved.
"The accounts are being monitored for fraud, but we have not found any," said Gail Wasserman, an American Express spokeswoman.
Diners Club and Dean Witter, Discover & Co. said they were taking measures to protect their cardholders.