According to the New York Times, the company at the centre of the latest privacy scandal, Cardsystems, wasn't supposed to be keeping the information that was compromised. And, to compound issues, the information was not encrypted.
I've mentioned in a previous post that the card issuers may be unfairly tarred in this whole incident. The media are starting to place the blame on the third party processors, though the headlines scream out "MASTERCARD!". The electronic payments system relies upon third party processors, otherwise you would have seven terminals at each point of sale, which would be unworkable.
The NYTimes article refers to an audit, which the company passed. Perhaps the auditors need to be asked some questions.
See the NYTimes article: Lost Credit Data Improperly Kept, Company Admits - New York Times.