CardSystems Solutions, a US payment-card processor, has disclosed that approximately 40 million payment-card records were potentially exposed through an intrusion into their systems that dates from 2004. The compromise was discovered through fraud-pattern analysis at MasterCard; the breach was made public earlier this month; the structural implications are larger than the specific incident.
This is a longer post because the trajectory from ChoicePoint to here is now clearly visible.
What happened
CardSystems processed payment-card transactions for a substantial number of merchants. Their systems handled card data during transaction processing; the data should have been deleted after processing.
The actual practice: card data was retained on CardSystems' systems for "research" purposes. The retention violated payment-card industry rules; the retained data formed a substantial concentration of card numbers, expiry dates, and associated information.
In 2004, an unknown party compromised CardSystems' systems and exfiltrated a portion of the retained data. Data on approximately 200,000 cards is known to have been exported, with fraud tied to the compromise observed on a subset of those; approximately 40 million records were potentially exposed.
The compromise was detected when MasterCard's fraud-pattern analysis identified an unusual cluster of fraudulent transactions on cards whose recent histories shared CardSystems as a processor. The investigation worked backward from fraud to source, the common-point-of-purchase approach that issuers and networks use: the set of cards reporting fraud was compared against the processors each had passed through, CardSystems stood out, and the disclosure followed.
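The backward trace from a fraud cluster to its source is simple enough to show in code. The following is an added example for this post, not MasterCard's or any issuer's actual fraud-analysis tooling: the transaction history, the processor labels ("CSS" for the compromised processor, "ACQ-A", "ACQ-B", "ACQ-C"), the card ids and the fraud dates are all constructed. It also illustrates the point made later under "What this teaches operators", that a processor with concentrated exposure is found from the outside: the issuers hold the fraud reports, the networks hold the routing history, and the breached operator is the last to know.

```python
"""Common-point-of-purchase analysis: working back from a cluster of cards
reported fraudulent to the processor their histories share.

Added example for this post, not MasterCard's or any issuer's actual
fraud-analysis code. The transaction history and fraud reports are
constructed; card ids are opaque labels, not PANs."""
from collections import defaultdict
from datetime import date

# Constructed authorisation history: (card id, processor, transaction date).
# "CSS" is the compromised processor; "ACQ-A" is a large processor nearly
# every card has used, which makes it look suspicious on coverage alone.
TRANSACTIONS = [
    ("c01", "CSS", date(2004, 11, 10)), ("c01", "ACQ-A", date(2004, 12, 1)),
    ("c02", "CSS", date(2004, 11, 12)), ("c02", "ACQ-A", date(2005, 1, 5)),
    ("c02", "ACQ-B", date(2005, 2, 14)),
    ("c03", "CSS", date(2004, 12, 20)), ("c03", "ACQ-A", date(2005, 3, 3)),
    ("c03", "CSS", date(2005, 5, 20)),      # after the fraud report: ignored
    ("c04", "CSS", date(2005, 1, 15)), ("c04", "ACQ-A", date(2005, 2, 2)),
    ("c04", "ACQ-C", date(2005, 5, 30)),    # after the fraud report: ignored
    ("c05", "CSS", date(2005, 1, 20)), ("c05", "ACQ-A", date(2005, 3, 1)),
    ("c06", "CSS", date(2005, 2, 8)), ("c06", "ACQ-A", date(2005, 3, 9)),
    ("c07", "ACQ-A", date(2005, 1, 11)), ("c07", "ACQ-B", date(2005, 2, 22)),
    ("c08", "ACQ-A", date(2005, 2, 1)), ("c08", "ACQ-B", date(2005, 3, 15)),
    ("c09", "ACQ-A", date(2005, 3, 20)),
    ("c10", "ACQ-A", date(2005, 4, 1)),
]

# Constructed issuer fraud reports: card id -> date fraud was first seen.
FRAUD_REPORTS = {
    "c01": date(2005, 5, 2), "c02": date(2005, 5, 3),
    "c03": date(2005, 5, 5), "c04": date(2005, 5, 6),
}


def common_points(transactions, fraud_reports, lookback_days=365):
    """Rank processors by how over-represented they are in the fraud cards'
    pre-fraud history relative to the whole card population.

    coverage: share of fraud cards that transacted at the processor in the
              lookback window before their fraud date.
    lift:     coverage divided by the processor's share of all cards; a lift
              near 1.0 means the processor is merely popular, not compromised.
    """
    if not fraud_reports:
        return []
    all_cards = set()
    cards_by_proc = defaultdict(set)
    fraud_by_proc = defaultdict(set)
    for card, proc, when in transactions:
        all_cards.add(card)
        cards_by_proc[proc].add(card)
        first_fraud = fraud_reports.get(card)
        # Only transactions before the fraud (within the window) can explain it.
        if first_fraud is not None and 0 <= (first_fraud - when).days <= lookback_days:
            fraud_by_proc[proc].add(card)
    ranked = []
    for proc, cards in cards_by_proc.items():
        hits = fraud_by_proc.get(proc, set())
        coverage = len(hits) / len(fraud_reports)
        base_rate = len(cards) / len(all_cards)
        ranked.append({
            "processor": proc,
            "fraud_cards": len(hits),
            "coverage": round(coverage, 2),
            "lift": round(coverage / base_rate, 2),
        })
    ranked.sort(key=lambda r: (r["lift"], r["fraud_cards"]), reverse=True)
    return ranked


if __name__ == "__main__":
    for row in common_points(TRANSACTIONS, FRAUD_REPORTS):
        print(row)
```

On this data "ACQ-A" covers every fraud card too, but so does it cover every card in the population, so its lift is 1.0; "CSS" covers every fraud card while handling only six of ten cards, and ranks first. The lookback window matters in both directions: too short and a long-dormant compromise such as this one (data stolen in 2004, fraud surfacing in 2005) is missed; transactions after the fraud date are never evidence of its cause and are excluded.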
What this means structurally
Three observations.
The volume is unprecedented. ChoicePoint was 145,000 records. CardSystems is 40 million. The order-of-magnitude jump is real. Future incidents are likely to be larger still as more processors are examined and as the data-aggregation patterns become more visible.
The disclosure is being driven by fraud detection, not by the breached operator. CardSystems did not disclose voluntarily. MasterCard's pattern analysis identified the source and MasterCard made the incident public; CardSystems' own statements followed under pressure from the card networks and the press. The pattern is informative: many breaches are presumably going undisclosed because the fraud volume sits below detection thresholds or because nobody is doing the source-tracing.
The retention practice is the structural failure. CardSystems retained data they should not have retained. The retention violated industry rules; the violation went undetected by audit; the cumulative exposure was structural rather than incidental.
The PCI trajectory
The payment-card industry response to incidents like this has been the Payment Card Industry Data Security Standard (PCI DSS), a compliance regime that defines what processors and merchants must do to handle card data securely.
PCI DSS predates CardSystems: version 1.0 was published in December 2004, consolidating the card brands' separate programmes (Visa's CISP, which dates from 2001, and MasterCard's SDP among them) into one standard backed by Visa, MasterCard, American Express, Discover and JCB. CardSystems will likely accelerate enforcement.
Specific properties of the framework:
Mandatory technical controls. Protection of stored account numbers (encryption, truncation or one-way hashing) and an outright prohibition on storing sensitive authentication data such as full magnetic-stripe track data, the card-validation code and PINs after authorisation; network segmentation and restricted access to the cardholder-data environment; regular vulnerability assessment and penetration testing; formal access management.
Mandatory audit. Larger merchants and processors must demonstrate compliance through an annual on-site assessment by an approved third-party assessor plus quarterly external network scans; smaller merchants self-assess.
Mandatory incident reporting. Compromises must be reported to the affected card networks; the reporting drives the forensic investigation that follows.
Substantial financial penalties for non-compliance. Fines for non-compliant operators are non-trivial; recurring violations escalate.
The framework resembles the compliance regimes of other sectors (HIPAA for health data, SOX for financial reporting), with the difference that those are statutory while PCI is imposed by the card networks through their contracts with acquirers and merchants. The cumulative effect is the same: operator incentives are aligned with security investment.
What this teaches operators
For operators handling payment-card data:
Retention discipline is now structurally important. Data not retained cannot be exposed. PCI's prohibition on storing sensitive authentication data (full track data, the card-validation code, PINs) after authorisation, together with its requirement that any stored account number be protected and kept only as long as a documented business need exists, is the structural defence; operators who continue to retain beyond that are accumulating risk.
Audit-readiness matters. Periodic compliance audits identify gaps before incidents do. The investment in audit infrastructure is bounded; the avoided cost when incidents occur is substantial.
Pattern-detection by external parties is now standard. Card networks and issuers watch for fraud clusters and trace them back to a common point of purchase. Operators with concentrated breach exposure will be identified through that external analysis. The implicit message: even if your own monitoring is weak, your breach will eventually be discovered by someone else, on their timetable rather than yours.
Disclosure-readiness applies here too. When the incident is discovered, the response infrastructure determines the cost. Investment in disclosure response before incidents is structurally rational.
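The retention point above, and the "mandatory technical controls" described under "The PCI trajectory", come down to a concrete question: what does a processor write to disk once the authorisation response has gone back? The following added example (written for this post; not CardSystems' code and not any card brand's tooling) puts the "keep the whole record for research" practice beside a post-authorisation record that keeps only what the rules permit, and adds the scan an assessor or an internal reviewer would run over a store to find what should not be there. The field names, the placeholder key and the sample records are constructed; the account numbers are the standard test numbers, not real cards.

```python
"""Retention discipline for payment-card data: the 'keep everything for
research' practice beside a post-authorisation record that keeps only what the
card brands permit, plus a scan that finds prohibited data in a store.

Added example for this post; not CardSystems' code and not any card brand's
tooling. Field names, the key and the records are constructed; the PANs are
standard test numbers, not real cards."""
import base64
import hashlib
import hmac
import re

# Constructed placeholder key for the PAN token. In production this lives in a
# key-management system or HSM, never in source.
TOKEN_KEY = b"constructed-demo-key-not-for-production"

# Constructed authorisation requests as a processor sees them in flight.
INFLIGHT = [
    {"pan": "4111111111111111", "expiry": "0807", "cvv2": "123",
     "track2": "4111111111111111=08071011234567890000",
     "name": "A CARDHOLDER", "amount": 1999, "merchant_id": "M1001",
     "auth_code": "A1B2C3"},
    {"pan": "5555555555554444", "expiry": "1206", "cvv2": "987",
     "track2": "5555555555554444=12061019876543210000",
     "name": "B CARDHOLDER", "amount": 4250, "merchant_id": "M2002",
     "auth_code": "D4E5F6"},
]


def retain_everything(record):
    """The practice described in the post: the whole in-flight record, track
    data and card-validation code included, written to a 'research' store."""
    return dict(record)


def retain_minimum(record, key=TOKEN_KEY):
    """What may survive authorisation: a masked PAN (first six, last four), a
    keyed one-way token for matching repeat transactions, the expiry date and
    the transaction metadata. CVV2 and track data are dropped, not masked."""
    pan = record["pan"]
    digest = hmac.new(key, pan.encode(), hashlib.sha256).digest()
    return {
        "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "pan_token": base64.urlsafe_b64encode(digest).decode(),
        "expiry": record["expiry"],
        "amount": record["amount"],
        "merchant_id": record["merchant_id"],
        "auth_code": record["auth_code"],
    }


def luhn_ok(digits):
    """Luhn check, used to tell a real-looking PAN from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
TRACK2_RE = re.compile(r"\d{13,19}=\d{4}")
SAD_FIELDS = {"cvv2", "cvc2", "cid", "cvv", "pin", "pin_block", "track1", "track2"}


def audit_store(records):
    """Scan stored records for data that must not be there after
    authorisation. Returns (record index, field, finding) triples."""
    findings = []
    for idx, rec in enumerate(records):
        for field, value in rec.items():
            text = str(value)
            if field.lower() in SAD_FIELDS:
                findings.append((idx, field, "sensitive authentication data stored"))
            if TRACK2_RE.search(text):
                findings.append((idx, field, "track 2 data stored"))
                continue
            for run in PAN_RE.findall(text):
                if luhn_ok(run):
                    findings.append((idx, field, "full PAN stored"))
    return findings


def finding_kinds(records):
    """The distinct problems in a store, for a one-line summary."""
    return {kind for _, _, kind in audit_store(records)}


if __name__ == "__main__":
    research_store = [retain_everything(r) for r in INFLIGHT]
    settlement_store = [retain_minimum(r) for r in INFLIGHT]
    print("research store:", sorted(finding_kinds(research_store)))
    print("settlement store:", sorted(finding_kinds(settlement_store)))
```

Two design notes. The token is a keyed HMAC rather than a bare hash because the PAN space is small enough to enumerate; an unkeyed hash of a 16-digit number with a known issuer prefix is reversible by brute force. And the scan looks at values, not just field names, because the CardSystems failure was a store nobody had labelled as card data; a Luhn-checked digit run and the `PAN=YYMM` shape of track 2 find it wherever it was written.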
For operators handling other categories of sensitive data:
The pattern from card data will generalise. Other data categories — medical records, identity records, financial-account information — will see similar industry-driven compliance regimes emerge over the next several years.
Specific data-retention discipline becomes generally applicable. Data that is not retained cannot be exposed; the structural defence is universal.
What I am paying attention to
Three things over the next 12 months:
Specific PCI enforcement actions against larger processors. 75% probability of significant action. CardSystems will not be the only operator with retention or security gaps; further enforcement is likely.
Expansion of breach disclosure across more US states and into the UK regulatory framework. 80% probability. The political and regulatory momentum is real.
Attacks on concentrated data stores in other data-broker categories. 70% probability. The CardSystems pattern will generalise; specific incidents in adjacent categories will emerge.
For UK organisations: PCI compliance applies to UK operators handling card data. The cumulative regulatory pressure is real; the operational discipline is the same.
What I am doing
For my own infrastructure: no card data handled. Not in scope for PCI directly; the structural discipline (do not retain what does not need to be retained) applies generally.
For client work where I have advisory roles: explicit attention to data-retention practices as part of standard security review. Specific clients have surfaced retention issues that needed addressing; the conversation is now standard.
A small reflection
The data-breach trajectory is structurally significant. The cumulative disclosed-breach volume across 2005 will substantially exceed all prior years combined. The cumulative regulatory and operational shifts will continue for years.
For anyone in the field: the cumulative effect of disclosure-driven incidents is reshaping security investment. The investment that was previously hard to justify on technical grounds becomes operationally necessary as the disclosure consequences become structurally significant.
For my own writing: more on this trajectory as it develops. The cumulative archive will track the regulatory and operational shifts.
More in time.