MasterCard security breach may affect 40 MILLION cardholders

http://www.marketwatch.com/news/newsfinder/pulseone.asp?dateid=38520.7083127199-836905396&siteID=mktw&scid=0&doctype=806&

SAN FRANCISCO (MarketWatch) -- MasterCard International said late Friday that a security breach at a third-party payment processor has exposed more than 40 million cardholders to potential fraud. MasterCard said it discovered the breach at Tucson, Ariz.-based CardSystems Solutions Inc., which allowed an unauthorized individual to infiltrate the firm's network and access cardholder data. MasterCard has told its customer banks about specific card accounts that may have been compromised, so they can take the appropriate measures to protect their cardholders, the company added. Almost 14 million of the cards affected are MasterCard branded.

...very short newsblurb...

We got a nice love note from Citicorp, which holds our mortgage, this week, that said our financial information may have been breached because of a security lapse, so sorry. I kind of figured the credit card end of this would appear sooner or later.

Gives me a whole new reason to look forward to seeing the mailman now.

Know exactly how you feel. First it as Visa, now this.

business is on its way out!!!

This is REEEEE-DICULOUS. Absolutely r-i-d-i-c-u-l-o-u-s. I have a request that any yung'un been following these "breaches of security" from NEXIS/LEXIS/SAIC/CITI/ALPHABETSOUPWITHOUTENDAMEN who has better computer skills than yer old Tante (now THERE'S a hard one! :crazy:)
PLEASE POST ON THIS THREAD A LIST WITH LINKS OF DATA DECLARED "LOST" in the last 9 months. Can you spell "pattern of behaviour," boys and girls? I KNEW you could! Here's a harder one: "identity theft."

That's my question. How many incidents does that make now in the last few months? Waaaay too many.

Sorry suckin state of affairs either which way

They can make all my money go away. This is a very, very, very black op.

rather than new reporting of an old pattern. There are a number of relatively new laws that require reporting of breaches that companies were never required to report before.

California's bill "requires that an organization disclose any security breach of unencrypted personal information to the affected California residents. The actual breach does not need to occur in the state of California for the law to apply. As long as a company has customers in California they are required to notify them. Personal information is defined in the bill as the individual's first name and last name combined with one or more of the following portions of data when either the name or the data is not encrypted:

* Social Security Number
* Drivers license number or California ID number
* Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account"

http://www.guarded.net/solutions_reg_compliance_california.html

Doesn't mean it wasn't happening just as regularly before - just that companies could legally keep it secret. If this breach did not involve data belonging to California residents (or residents of other states that have passed copycat laws), I expect we would not have heard about it (or NEXIS/LEXIS/SAIC/CITI etc.)

(Note - the "sink in" time for the implications of this law have been relatively long because of the unusual aspect that it is the residence of the person whose data was lost that triggers whether it applies. Why would a company in New Jersey, without any physical location in California, even think to research California law for a breach that happened in its plant in Georgia, for example? It took at least a year for the breadth of the impact to really reach corporate consciousness - which is not too far off from the recent spate of publicly announced breaches.)

­ Feb. 15: Data collection firm ChoicePoint Inc. begins notifying
about 35,000 Californians that their personal information may have been compromised on ChoicePoint databases.


­ Feb. 16: ChoicePoint acknowledges that data on 110,000 Americans
outside of California may have been stolen as well.


­ Feb. 25: Bank of America Corp. announces that it had lost computer
tapes with personal information for 1.2 million credit cards used by
federal employees.


­ March 8: Shoe retailer DSW Inc. says the credit card numbers of more
than 100,000 customers may have been accessed illegally.


­ March 9: Information broker LexisNexis says identity thieves had
tapped into data on more than 30,000 people through one of its
databases.


­ April 12: LexisNexis announces that the number of people whose data
was compromised is closer to 310,000 than 30,000.


­ April 14: Personal data for more than 180,000 MasterCard holders are
reported stolen from Polo Ralph Lauren Corp.


­ April 18: DSW says as many as 1.4 million credit card numbers were
exposed, rather than the 100,000 estimated earlier.


­ June 6: Citigroup Inc. says computer tapes containing Social
Security numbers of 3.9 million customers were lost by United Parcel
Service Inc.


­ Friday: MasterCard International says a security flaw may have
exposed as many as 40 million credit card accounts to fraud.

Way way WAY too many incidences of this happening!!! :scared:

Who could possibly handle that kind of data dumping? :eyes:

take your pick, any and all.

Edit:Call it a preparation stage for National ID, to protect the consumers. It's a set-up. The cops want this, so the federalies are 'softening' the opposition.

www.zmetro.com/archives/000901.php

under guise of CAPPS II

"It began as one of the Bush administration's most ambitious homeland security efforts, a passenger screening program designed to use commercial records, terrorist watch lists and computer software to assess millions of travelers and target those who might pose a threat.
The system has cost almost $100 million. But it has not been turned on because it sparked protests from lawmakers and civil liberties advocates, who said it intruded too deeply into the lives of ordinary Americans. The Bush administration put off testing until after the election.

Now the choreographer of that program, a former intelligence official named Ben H. Bell III, is taking his ideas to a private company offshore, where he and his colleagues plan to use some of the same concepts, technology and contractors to assess people for risk, outside the reach of U.S. regulators, according to documents and interviews.

Bell's new employer, the Bahamas-based Global Information Group Ltd., intends to amass large databases of international records and analyze them in the coming years for corporations, government agencies and other information services. One of the first customers is information giant LexisNexis Group, one of the main contractors on the government system that was known until recently as the second generation of the Computer Assisted Passenger Pre-screening Program, or CAPPS II. The program is now known as Secure Flight."

Your financial and medical info will be Offshored into the waiting hands of Bell. However, as James Bamford points out in Body of Secrets, other countries intell and crime families can and will access that info too (p. 479 paperback re 'foreign databases').

The consumer is not liable for any bogus charges -- the banks are.

This is just a set up to freak people out so they can carry on with their national ID thing and screw the consumer further...I don't know how they'll do that but they will think of a way I'm sure!

I just don't know who or why.

Choice Point, U. of Calif at Berkeley, DOT records in Nevada, Master Card International... that's just off the top of my head.

This is a deliberate pattern. Our beloved country is stinking of corruption.

is in the process of linking all their online banking between different states and their merger with Fleet Bank.

Great timing. Wonderful news.

Can anyone list these companies AND the numbers of those whose information has been compromised???

We're talking at LEAST TENS OF MILLIONS. (Please pay no attention to the "outsourcing" of medical records... We're just focusing on FINANCIAL RECORDS in this thread.)

(and maybe debit cards)

I avoid all credit cards, those things are scary :tinfoilhat:

Problem is that you can't get certain services without using credit card.

is tied to MC. So you can't always get away from the underlying CC giant infrastructure. :-(

On edit: you CAN get away from it, but it is a Class A hassle when you're in the middle of a lot of financial activity and can't switch your account without causing trouble.

got rid of them 3 years ago and I never want one again.

I knew a security breach would hit MCNB sooner or later.

An unauthorized individual? Does he work for the bush administration?

I just paid off my latest statement. Hmmm ... time to think about letting that thing go.

FUCKING SICK.

Their system, their safeguards, their profits. Where the hell is their responsibility in our "ownership society"?!

Nobody's life should be destroyed because of their ineptitude.

But this is nothing; not compared to the future.

Mastercard has a zero percent liability clause. If your account is breached by a thief, you don't owe a penny. Federal law says if your account is robbed, you owe no more than $50.

Sounds to me like plenty of accountability.

I've been a victim, and I think we were out a whole whopping $10 to file the report and have it notarized. $10 is not nothing, but it is not life-destroying either.

Hysteria does not serve anyone's purpose.

Okay, I stand corrected re: Mastercard. That's good to know.

"Almost 14 million of the cards affected are MasterCard branded." What about the other 26 million?

An article I read this evening mentioned American Express being involved in this security breach.

the breach actually occured at a third party processor in Tucson. Yes, they process for Visa and AMEX also.

My Bank of American CC and my check card are both Visa.

operations but I can't determine if the company outsources off-shore or not. Wouldn't surprise me ....

Key Facts & Figures
Offices in Atlanta, Georgia and Tucson, Arizona
In operation for more than 15 years
Processes transactions for over 105,000 small to mid-sized businesses
Processes more than $15 billion in Visa, MasterCard, American Express, Discover, on-line debit and EBT transactions annually


http://www.cardsystems.com/about.html

Urge Congress to enact strong identity theft protection for consumers
http://www.thepetitionsite.com/takeaction/483961807



Woops we're sorry doesn't cut it when people are getting ripped off.

:crazy:

ABC questioned why Mastercard failed to disclose the breach for several weeks since they apparently found out last month but only now revealed the problem.

I think there's some coded journalism getting bandied about..

The HMOs, banks and insurance monopolies are the ones breaking the law, or will be once the laws are reshaped soon. This journalistic and governmental charade of blaming everything on rogue hackers is a front. I think the corporate monopoly mafias are the ones the good people in the media are trying to expose.

40 million is a lot of people. What operating system was used in the creation and maintenance of the data containing the personal information? Windows? Microsoft products are inherently insecure by default and cannot be reverse engineered to be secure, much.

Open Source is the way to go. In other words: transparency in software and network operations. The FTC won't let it happen until Orson Swindle , that little old shillster and that white bitch resign as commissioners. They've all taken bribes from Microsoft and the insurance companies. I'll wager Sen. Gordon Smith has gotten bribed too ( he was chairing the hearing on Identity Theft yesterday ). As for the FBI -- In addition to pursuing criminal investigations like they're supposed to they've been known to partake in economic espionage if there's a high enough bidder who will buy the data, likely done through intermediaries ( and that's where the CIA or spook-sponsored enterprises may come in ).

A lot of this is speculation, however much of it is justified and may be validated in the future but not by me. I'm very suspicious of the FTC and any hearings on Identity Theft with this Congress.

Hey maybe we should open a new forum... "Friday Night News Dumps"

as well as other progressives.

After the bankruptcy bill I closed ALL my cards - including 2 with MBNA. I would hope that other progressives did the same to send a message to them.

isn't it interesting that the amendment to protect victims of identity theft was defeated. Just a coincidence, of course.

Don't these companies now offer identity theft insurance?

...


We need a national credit revolt. SIMPLY. STOP. PAYING.

ALL their customers. Someone needs to find out if they keep a master member list, get it somehow, and send out the word that on xxx date, all customers are to stop paying, for good, in protest.

Starve them of income, bankrupt them, and shut them down forever. We need to reboot this system, starting everyone off from scratch, before its corruption chokes us all.

After they're gone, place a six month moratorium upon the creation of new accounts. During this time, have a major public education campaign regarding responsible credit, then after that time period, restart the credit industry with extreme limits. People may posses two cards, each with a limit representing a percentage of their income. Single purchases exceeding that limit would be allowed for necessary purchases only- repairs for the one car a person owns, or dental work, or any number of other large but required financial obligations.

Not for milk and cookies over and over, nor for any other elective purpose, unless one can prove a monthly balance payment. Three of those months in a row, and your limit rises, again, based on one's income. Three more, and it rises again. And so on.

Or something like that. I'm not saying that's even a good system, but it does address credit limits exceeding one's own income. It's one way to address credit card abuse on the part of both the lender and the customer.

We need something better than the credit system we have, one that makes it a bad idea for both the lender and the customer for a customer's debt to get out of hand. We need to address credit card companies' predilection to offer large credit limits to high-risk persons. We need to address credit limits that themselves outpace the income of the customer.

Lots of problems with this system, and security is only one of them.

"During this time, have a major public education campaign regarding responsible credit"

Contrary to what MBNA will tell you MOST credit problems especially those leading to bankruptcy are the result of unexpected bad situations (job loss, high medical bills, etc.) not "responsible credit" issues.

I'm thinking more about the predatory lending practices that allow CC companies to offer no-intrest "introductory offers" to people already in bad straits, on fixed incomes, whatever. I know people whose credit is completely shot via a messy divorce, for example, which left them holding the bag for their spouses' excesses, and they're getting CC offers, and from not onoe lender, but several, or the tables they set up on college campuses in the opening days of school.

It's sickening. Something needs to be done.

Great job, "homeland security", my ass.

NEW YORK -- A computer hacker may have accessed more than 40 million credit card accounts in what could be the largest in a series of recent security breaches involving consumer data, officials said.

MasterCard International Inc. announced Friday that the breach was traced to Atlanta-based CardSystems Solutions Inc., which processes credit card and other payments for banks and merchants. All brands of credit cards could be affected.

<snip>
MasterCard said 14 million of its customers may have been exposed to fraud. A spokeswoman for American Express said a small number of its cardholders were affected, but would not give an exact number. Discover Financial Services Inc. wouldn't say whether its customers were affected. Visa USA and a large issuer of cards, MBNA Corp., did not return calls for comment Friday.


http://www.webpronews.com/business/topbusiness/wpn-54-20050618MasterCardOpenBookForIDTheft.html

One person can rob 40 million - so much for credit card security.

40M Credit Card Accounts Could Be Affected

By JOE BEL BRUNO, AP Business Writer

NEW YORK - A computer hacker may have accessed more than 40 million credit card accounts in what could be the largest in a series of recent security breaches involving consumer data, officials said.

MasterCard International Inc. announced Friday that the breach was traced to Atlanta-based CardSystems Solutions Inc., which processes credit card and other payments for banks and merchants. All brands of credit cards could be affected.

snip

MasterCard announced the breach in a news release Friday, saying it was notifying its card-issuing banks of the problem.

CardSystems then released its own statement, saying it first learned of a potential breach on May 22. The company said it was told by the FBI not to release any information to the public; its statement Friday had been vetted by the agency.

"We were absolutely blindsided" by MasterCard's announcement, CardSystems' chief financial officer, Michael A. Brady, told The Associated Press.

snip

http://news.yahoo.com/s/ap/credit_cards_breach;_ylt=Ai1GbU0bSr.nJw_lRkb1Y_wDW7oF;_ylu=X3oDMTBiMW04NW9mBHNlYwMlJVRPUCUl

it looks like the breach actually occured with a third party processor in Tucson, and MasterCard discovered the breach. Only 14 million of the 40 million cards belong to MasterCard - so dont think you're safe if you have something else.

we need a national credit revolt.

because how many people are going to get nailed on any fraud related damage to their credit card, like in identity theft that has to be resolved, resulting in a negative credit rating?

For all the money the CC companies have been sucking out of us, those greedy bastards, we need to show them WHO has the power....

Up to 40m credit cards 'hacked' (BBC)

http://news.bbc.co.uk/2/hi/americas/4107236.stm

All brands of cards could be affected
A computer hacker may have broken into more than 40 million credit card accounts, US company officials say.
MasterCard International said the breach was traced to a company in Atlanta which processes transactions for banks and merchants.

All brands of credit cards could be affected, it warned.

The company, CardSystems Solutions, said it identified the breach last month and immediately contacted the FBI, which was investigating.

MasterCard announced the breach in a news release on Friday, saying security "vulnerabilities" had allowed an unauthorised individual to infiltrate the network of CardSystems and access the cardholder data.

It said 14 million of its customers may have been exposed to fraud. Another 22 million were Visa cards, said a spokeswoman for the Visa company.

MasterCard spokeswoman Sharon Gamsin told the Associated Press news agency the data - names, banks and account numbers - could be used to steal funds, but not identities. The company was notifying banks that issue MasterCards.


The

firm in Atlanta that was hacked, and the post this was combined with from MarketWatch has Tucson, Az.
Just find that a bit strange.

edited for need of editing

any lawyers listening???

http://www.nytimes.com/2005/06/20/technology/20credit.html

The chief of the credit-card processing company whose computer system was penetrated by data thieves, exposing 40 million cardholders to a risk of fraud, acknowledged yesterday that the company should not have been retaining consumer records lost to the thieves.

The official, John M. Perry, chief executive of CardSystems Solutions, indicated that the records known to have been stolen covered roughly 200,000 of the 40 million compromised credit-card accounts, from Visa, MasterCard and other card issuers. He said the data was in a file being stored for "research purposes" to determine why certain transactions had gone unauthorized or uncompleted.

<snip>

The security breach was first reported Friday when MasterCard International said a lapse at CardSystems had allowed the installation of a rogue computer program that could extract data from the system, potentially compromising 40 million accounts of various credit cards.

<snip>

MasterCard said that it had detected atypical levels of fraudulent charges on its cards as early as mid-April and, joined by Visa in mid-May, had requested that CardSystems allow its independent forensics team to investigate. It was not until May 22 that the security specialists identified the rogue computer program as the source, MasterCard said.

...more...

June 20, 2005: 1 Hour Ago from Google News, 11:13 AM EST.



Update 2:
Credit Card Company Admits Fault in Hacking Incident All Headline News
http://news.google.com/nwshp?hl=en&gl=us&oi=newst

Update 3:
CardSystems: Shouldn't Have Kept Records Forbes
http://www.forbes.com/home/feeds/ap/2005/06/20/ap2100336.html

I'm not saying I have no sympathy for cardholders who are in a precarious postion, quite the contrary.

If people see that their information will be continously breached, for whatever reason, they might stop using cards all the time. That would really send the CC companies reeling.

they were just downloaded, what's the big deal?

card holders names and account numbers being taken, you aren't thinking.

having a look see and they won't really *do* anything with that information?

I've got an ocean in Kansas to sell you, too.

that's not stealing, so how can this be stealing? possession of the info isn't illegal, doing something with it is the crime.

don't usually just sit on it.

I don't have a problem with people who test security systems, looking for weaknesses and then reporting it to the company so they can fix it.

But if I'm a customer, I don't want my information in the hands of someone who doesn't need it. I don't care what they think is legal, or their "right" to see. I don't want them seeing it. Period. They don't need to know how much I spent at Target last month or that I bought BC pills. And MC should know better by now.

or the potential that someone stole from you. That was the point.

what was yours? :shrug:

defending the downloading of software, music, movies and other information without paying for it as there are on this thread complaining about this theft. either both are theft, or neither is, that was my point.

And there are people, and I'm not saying you're one of them, who are gung ho about stealing from others, who complain vociferously when it is their pocket that is picked. but I guess I was being too subtle?

you were using my basic point about right to a certain degree of privacy of information to rag on music downloaders? How kind of you. :sarcasm:

A couple of things about d/l'ing art:

1) It is meant for public consumption. You create something and put it on a disk or film. You want people to see it, hear it, discuss it. Art isn't worth anything except sentimental value to the the artist if it's kept in a closet. The very value of art depends on its value to the public. There are probably a lot of no-name 17th and 18th Century composers who might have written some great music, but their names have no currency past their lifetimes so their work is lost to us.

Private information for private individuals is not the same thing as public work, art, created expressly for public consumption. Private individuals don't ask, or hire PR people, to spread their private financial info over the globe. But record companies and movie stuios do hire these people to spread their work around. The people who stole the MC info are exposing customers to risk who didn't ask for that information to be released. And artist must release his work to the public.

2a) The fans who trade music online have a point for which the RIAA has yet to provide a satisfactory answer: How often do they have to keep buying the same music over and over, just keep up with the format du jour? It seems to me that if you buy an album (the concept work), you ought to be able to play that album on whatever apparatus is handy. You already paid the artist and the record company the first time you bought it. You shouldn't have to replace your collection every ten years because the format is obsolete.

2b) Anyway, the problem has arisen because the fans have gotten ahead of the distribution system of the companies that produce the work. The fans have expressly said, since Napster, that they prefer to d/l their art and share it with others.

Do I think artists need to be fairly compensated for their work? Of course. The companies need to come up with a viable model for working with the current system, even though they didn't create, nor do they control it. Going after 14-year olds in their moms' basements and university students, the audience, is wrong-headed. What's the point of alientating your potential audience and customers? If you think music and movie sales such now, just wait. Oh yea, and while you are at it, figure out a way for the Chinese to reign in their bootleg market. Yea, good luck with that.

2c) As a result of file-sharing, musical tastes are much more broad. People are exposed to music that in another time, they wouldn't have heard. And they are liking it. As a result of the net, music lovers can find things they like and that are much more compelling to them than the simple dreck that the studios are offering. The number of variations of "Hit Me, Baby" that Brittany sing and get away with it are dwindling to nil.

You know what? I don't know what the answer is. I don't know what a new artist compensation model taking into account P2P activity would look like. But I do know that somebody will invent it. And that somebody will make a killing.

For now, put the blame where it belongs, on movie studios and record companies who can't continously evolve in their use of technology, just like the rest of us have to.

therefore it's accceptable to steal. Good to know. So once an artist 'releases' work to the public, it enters the public domain? the format and structure (plus the code) of DU is the IP of the Admins (and or whoever they license it from) it is worthless without an audience, therefore you would support me creating www.demoraticunderground.com, 'sharing' the design and coding for public consumption? good to know.

By the way, RIAA has never gone after someone for downloading. It goes after people for uploading information that they do not have permission to share. That's not passive sampling, that's breaking well established IP law. It is no different from photocopying a book to give to someone, and I think we can all agree that isn't right, yes?

I sympathise with the format de jour problem, but really, since most music avaliable online came from CDs, that logic doesn't count. You can buy digital music, and in most cases, put it on your harddrive without a problem, no one, not even the industry complains about that. And if that's what people were doing, there'd be no problem. But that's not it, right?

last point, and it's repetative: you may not think the industry is 'keeping up with technology' but then the data companies aren't keeping up with hacker technology either, are they? Why should they do it, if they don't want to? the music actually belongs to them, they published it, if they don't want to give it away online, they don't have to.
but this is obviously off topic, and I must have hit a sorespot 9guilt complex, rationalisation? who knows) so we should let it die.

I DID say artists should be compensated fairly for their work.

What I did say, in essence, is that P2P technology is hear to stay, and that studios would serve themselves, artists, and their customers well to find a way to work with it, not against it. P2P is a great technology, we just have to find a way to work with it. What that is, I don't know. If you try to sue it to death, it will just splinter and go further underground. But it will always be there.

This is a weak argument for the same reason it was last time:
...you may not think the industry is 'keeping up with technology' but then the data companies aren't keeping up with hacker technology either, are they? Why should they do it, if they don't want to? the music actually belongs to them, they published it, if they don't want to give it away online, they don't have to.

Why? While you're right that data companies aren't keeping up either, they are losing the rights to their most valuable resources. A data company's assests lie in its ability to keep confidentiality. A music company's resources lie in their ability to keep and attract popular (read: public) talent. I would think any business would want to keep up with their most precious assets.

I think you agree with me, funny enough. Why? While you're right that data companies aren't keeping up either, they are losing the rights to their most valuable resources. A data company's assests lie in its ability to keep confidentiality. A music company's resources lie in their ability to keep and attract popular (read: public) talent. I would think any business would want to keep up with their most precious assets. if a company doesn't meet your expectations, shop elsewhere, get other people to shop elsewhere, or simply do without.

you would think that a company would, but you can't make it, except by refuseing to patronize it.

You could use your MasterCard... just wire it over to Paypal.com.

:)

Brain Process: A lost art.

it's a problem, but when it's just a rich person, you're ok with it?

You mis-understood my post.

of the Glass Steagall Act that would have prevented these abuses. Now every affiliate both foreign and domestic has access to YOUR personal financial (and now even medical) info worldwide.

DOJ and FTC jurisdiction are only US; in meantime, companies are paying hush money to extortionists overseas, resulting in higher rates for US customers. Sen Feinstein is well aware of this fiasco but the R's in Congress are behind non-disclosure to the US public as to how bad the situation really is"

"...Alan Paller, director of research at the Bethesda, Md.-based SANS Institute, said the California law is probably necessary because of the kinds of crime that are occurring. A group in Russia and Ukraine has been acquiring customer data, extorting money to prevent its release and then selling it anyway. Paller believes some companies are paying off the extortionists in an attempt to contain the damage."

California leads way on ID theft legislation
http://www.computerworld.com/securitytopics/security/hacking/story/0,10801,76721,00.html

Has anyone else noticed that most store credit cards are now held by citibank? How comforting that their biggest shareholder is a Saudi Prince.

Things look like they've been offshored for a reason (total information awareness never died, they just offshored it !

These bushevik SOB's are all robbing this country blind.

http://www.dallasnews.com/sharedcontent/dws/bus/stories/062005dnbuscredit.2a1f4ab9.html

The head of the credit card processing company whose computer system was breached by hackers, exposing millions of credit card accounts, has acknowledged that his firm should not have been keeping the consumer records in the first place.

The official, John Perry, chief executive of Atlanta-based CardSystems Solutions Inc., said that the records known to have been stolen covered roughly 200,000 of the 40 million compromised credit card accounts, from Visa, MasterCard, and other companies.

He said the data was being stored for “research purposes” to determine why some transactions had registered as unauthorized or uncompleted. “We should not have been doing that,” Perry said in Monday's editions of The New York Times. Under rules established by Visa and MasterCard, processors cannot retain cardholder information after handling transactions.

“CardSystems provides services and is supposed to pass that information on to the banks and not keep it,” Joshua Peirez, a MasterCard official, told the Times. “They were keeping it.”