CardSystems Fallout Continues

According to CardSystems CEO as reported by Forbes, CardSystems were keeping the recently-stolen credit card information for “research purposes.”

Does anybody else see anything wrong with this picture? More wrong beyond the exposed financial data, that is. Think about it – hypothetically speaking, if you were a payment processor, why would you want to keep account data if you’re doing research? After all, your job as a processor is to watch all those transactions coming by and route them.

Here’s the scary part: the only research activity that I can think of that is really facilitated by keeping the account data is tracking purchasing activity by cardholder. Seriously, think about it. As a processor, their job is to route the transaction; by the time a payment is at a processor, it consists only of: the merchant ID, a transaction amount, a customer account #, and some various approval/transaction codes from the various players along the way. What other possible research could they be doing?

It makes good business sense (what a great service for their merchants), it’s easy for them to do (all they need to do is keep the account number) and it’s scary as hell.