According to CardSystems' CEO, as reported by Forbes, CardSystems was keeping the recently stolen credit card information for "research purposes."
Does anybody else see anything wrong with this picture? More wrong beyond the exposed financial data, that is. Think about it - hypothetically speaking, if you were a payment processor, why would you want to keep account data if you're doing research? After all, your job as a processor is to watch all those transactions coming by and route them.
Here's the scary part: the only research activity that I can think of that is really facilitated by keeping the account data is tracking purchasing activity by cardholder. Seriously, think about it. As a processor, their job is to route the transaction; by the time a payment is at a processor, it consists only of the merchant ID, a transaction amount, a customer account number, and various approval/transaction codes from the players along the way. What other possible research could they be doing?
It makes good business sense (what a great service for their merchants), it's easy for them to do (all they need to do is keep the account number) and it's scary as hell.
Posted by Ed at June 21, 2005 09:31 AM