Unauthorized activity at CardSystems Solutions Inc. that led to the exposure of 40 million payment cards started as early as April 2004, according to a security assessment performed by a bank that makes payments to merchants using CardSystems' services.

In prepared testimony given at a hearing Thursday before the House Committee on Financial Services, David Watson, chairman of Merrick Bank, said that a forensic IT audit firm it hired after learning of a security breach at CardSystems in May reported that CardSystems servers showed evidence of unauthorized activity as early as April 2004. The audit firm also reported that CardSystems was retaining transaction data in violation of Visa USA Inc. rules.

Visa and American Express Co. earlier this week said that CardSystems would no longer be allowed to process transactions for their branded cards after October. Visa said it took the step because CardSystems was retaining transaction data in "unmasked" form, allegedly for research purposes, in violation of Visa's rules.

In prepared testimony at Thursday's hearing, CardSystems president and CEO John Perry said that in September, an unauthorized party placed a script, or sequence of instructions, on the CardSystems platform through an Internet-facing application used by customers to access data. The script caused records to be extracted, zipped into a file, and exported to an FTP site. "It was a sophisticated script that targeted a particular file type and was scheduled to run every four days," Perry said.

The script searched for records on individual cardholders, including name, account number, expiration date, and CVV code (a three-digit number encoded on a card's magnetic strip). On May 22, the script succeeded in exporting 263,000 records from CardSystems' system.

The records consisted of transactions that hadn't been completed. CardSystems was storing the transactions for research purposes to determine why they weren't completed, Perry said. The data was stored in readable form, in violation of Visa and MasterCard security requirements, he said. The data didn't include cardholder Social Security numbers, and thus couldn't be used for identity theft, Perry said.

It could, however, have been used to create counterfeit cards. Retention of this information "makes the database a much more attractive target for criminals," said Steve Ruwe, Visa's executive VP of operations and risk management, at Thursday's hearing. A total of 22 million Visa cards and 13 million MasterCard cards were put at risk by the security breach.