Data leak
CardSystems Solutions SQL Injection Breach (40M Cards, Company Destruction)
Primary Source: Incident Details
CardSystems Solutions, a payment card processor based in Tucson, Arizona, was breached via SQL injection between approximately January 2004 and May 2005. The attackers accessed approximately 40 million credit and debit card records. Critically, CardSystems was found to have retained full magnetic stripe track data after transaction authorization, a practice explicitly prohibited by Visa and Mastercard's rules at the time. CardSystems also failed to implement basic security controls. The breach was disclosed in June 2005 after Mastercard and Visa notified their bank members of a potential compromise source. The consequences were severe: Mastercard terminated CardSystems' ability to process transactions; Visa placed them on probation and ultimately terminated them. CardSystems was effectively put out of business by the breach, one of the earliest examples of a company being destroyed by a cybersecurity incident. The breach was a significant catalyst for the formalization of PCI-DSS (Payment Card Industry Data Security Standard), which was consolidated and strengthened in 2006 partly in response to this and other payment processor breaches.
Technical Details
- Initial Attack Vector: a SQL injection vulnerability in CardSystems' web application allowed attackers to access the payment processing database. CardSystems also violated card network rules by retaining full magnetic stripe track data after transaction authorization.
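To illustrate the defect class behind this breach, the following is an added example (not CardSystems' code; the table, merchant ids and masked card numbers are constructed) that contrasts a query built by string concatenation with a parameterized one using Python's sqlite3 module. The schema also stores only a masked PAN after authorization, never track data.

```python
import sqlite3

# Constructed sample data standing in for a processor's transaction store.
# Only a masked PAN is kept after authorization; no magnetic-stripe track data.
SAMPLE_ROWS = [
    ("M-1001", "************1111", "12.50"),
    ("M-1001", "************2222", "80.00"),
    ("M-2002", "************3333", "5.25"),
]


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions (merchant_id TEXT, pan_masked TEXT, amount TEXT)"
    )
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, merchant_id):
    """Builds SQL by concatenation: caller-supplied text becomes query syntax."""
    sql = (
        "SELECT merchant_id, pan_masked, amount FROM transactions "
        "WHERE merchant_id = '" + merchant_id + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, merchant_id):
    """Binds the value as a parameter: the input is data, never query syntax."""
    sql = (
        "SELECT merchant_id, pan_masked, amount FROM transactions "
        "WHERE merchant_id = ?"
    )
    return conn.execute(sql, (merchant_id,)).fetchall()


def demo():
    """Return row counts for a normal id and a tautology input against both lookups."""
    conn = make_db()
    legit = "M-1001"
    tampered = "' OR '1'='1"  # textbook tautology that widens the WHERE clause
    return {
        "vuln_legit": len(lookup_vulnerable(conn, legit)),        # 2
        "vuln_tampered": len(lookup_vulnerable(conn, tampered)),  # 3: every row leaks
        "param_legit": len(lookup_parameterized(conn, legit)),    # 2
        "param_tampered": len(lookup_parameterized(conn, tampered)),  # 0
    }
```

The parameterized version treats the tampered string as a literal merchant id and matches nothing, which is the behaviour a processor's lookup should have had.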
Timeline
- 2004-01-01 Breach occurred
- 2005-06-17 Publicly disclosed
- 2005-06-17 Customers notified