The head of the credit card processing company whose computer system was breached by hackers, exposing millions of credit card accounts, has acknowledged that his firm should not have been keeping the consumer records in the first place.
The official, John Perry, chief executive of Atlanta-based CardSystems Solutions Inc., said that the records known to have been stolen covered roughly 200,000 of the 40 million compromised credit card accounts, from Visa, MasterCard, and other companies.
He said the data was being stored for “research purposes” to determine why some transactions had registered as unauthorized or uncompleted. “We should not have been doing that,” Perry said in Monday’s editions of The New York Times.
Under rules established by Visa and MasterCard, processors cannot retain cardholder information after handling transactions.
“CardSystems provides services and is supposed to pass that information on to the banks and not keep it,” Joshua Peirez, a MasterCard official, told the Times. “They were keeping it.”
The security breach was first reported Friday when MasterCard International Inc. said computer hackers may have accessed more than 40 million credit card accounts. About 13.9 million were from MasterCard accounts.