UNDATED - The criminal exploit that exposed 40 million credit card accounts to possible fraud is shedding light on an arcane but sensitive piece of the financial industry: the hundreds of companies that process transactions between merchants and card issuers.

While enormous in scope, the breach disclosed Friday at CardSystems Solutions Inc. was by no means the first such attack on a card processor.

Many analysts believe that banks and credit card companies, despite working hard to tighten their own security, have failed to force payment processors to maintain similar standards.

"They're not being watched carefully enough," said Avivah Litan, an analyst with Gartner Inc.

In recent years, card associations such as Visa and MasterCard have set up security requirements for processors to follow. No laws in particular govern this program, but the card associations can impose fines of several hundred thousand dollars for transgressions.

However, Litan said proactive audits of companies like CardSystems don't really happen.

[More]

Maybe we soon discover a '40millioncreditcardnumbers.zip.torrent' file on seveal sites.

things like these strengthens my faith in the saying
"The more you evolve, the more you are near to devastation" :s yikes...

IMHO, any system storing credit card information is always dangerous because no system is uncrackable. When a system is broken, all information can be stolen, including credit card numbers. So the best and the most secure method is to delete credit card information immediately after making the order to avoid stealing of the credit card numbers.
I also think that these systems ARE mostly watched enough, but noone can expect that everyone will spend time to find flaws and vulnerabilities of the software and/or scripts they use. Specialized people do that, but not everyone. It's obvious that even skilled hackers can miss some vulnerabilities. That means, even when you update your software and scripts, there are still some unknown vulnerabilities, which will have dangerous results when they are discovered and exploited. Most exploits are published after the vendor releases a fix, but how about 0-day exploits?
On the other hand, credit card algorthms never changed. I might be wrong, but same algorithms are still used. Programs generating credit card numbers use these algorithms. Stupidity of some commercial programs makes this job easier for crackers, because they include algorithms that check the validity of the credit card numbers. It means that thousands of valid numbers can be created in a short time with an average process, and the chance that these generated numbers are the number of an existing card is relatively high.