At least 134 of the about 12,000 "exposed" Hong Kong credit cardholders' accounts have been used for fraudulent transactions, incurring a combined loss of up to HK$740,000.

Last month's security breach at a US-based credit card processing company put tens of millions of accounts across the globe at the risk of a fraud, the Hong Kong Monetary Authority (HKMA) said yesterday. And among them were thousands of Hongkongers who had used their credit cards in the US or made online transactions with US-based companies in the past few months.

HKMA acting deputy chief executive Raymond Li told the Legislative Council (LegCo) Panel on Financial Services yesterday.

The fraud came to limelight when the Atlantic-based credit card processing company, CardSystems Solutions, revealed that hackers had accessed its database, putting as many as 40 million credit card accounts worldwide at risk.

Hongkong and Shanghai Banking Corp, Standard Chartered Bank, Hang Seng Bank, Bank of East Asia, Bank of China (Hong Kong) and DBS Bank said some of their Hong Kong credit cardholders might be "affected".

Though Hong Kong has 9.39 million credit cards in circulation, Li allayed fears of a US-like case occurring in the territory. "Although we cannot say that the local credit card processing system is 100 per cent perfect and safe, the risk of occurrence of a similar incident in Hong Kong is extremely low," Li said.

"This is because HKMA is empowered and strongly dedicated to carrying out regular on-site examinations to review and ensure the IT managements and risk controls of (third-party service providers) in compliance with our standards," he said. Banks needed to seek approvals from HKMA before entering into outsourcing contracts with credit card processing companies.

After the incident, HKMA requested local service providers to re-assess the effectiveness of controls over customer data security, retention and confidentiality.

The authority also asked credit card companies, the consumer credit card bureau and debit card operators to assess the security controls over internal and outsourced processing of consumer and transaction data.

Local banks have been able to reach the majority of the defrauded customers and arranged for replacement of their cards, Li said. And they will continue to liaise with the rest.

While defrauded customers don't need to bear the liability for the direct financial loss, Li said cardholders should check their bank statements to look for suspicious transactions.

At the LegCo panel, Danny Cheung, vice-president and China business manager of MasterCard International, said CardSystems had violated his company's security regulations to acquire and store magnetic stripe data and card validation codes.

To step up security measures, Cheung said MasterCard was working on a programme that would alert the regulatory authorities, including HKMA, of a security breach or potential fraud situation in the markets across the region.

Visa International manager for Hong Kong and Macao Prudence Chan said the company had established a global standard EMV (Europay, MasterCard and Visa) for chip-based debit and credit transactions with Europay and MasterCard to review its data security and protection practice.

"Visa is seeking to ensure that the majority of payment infrastructure will be put in place in most countries and regions by 2008, offering the best long-term solution to the problem of counterfeit fraud," Chan said.

As of March, Visa members had been issued around 220,000 EMV chip cards and local major banks are either upgrading their systems for EMV chip migration or are in the planning stage to do so.

Visa confirmed that about 9,112 credit card accounts in Hong Kong were "affected" but only 8 per cent of them, that is, 700 cards, contained sensitive information.

(China Daily HK Edition July 5, 2005)