The NYT has more about the latest credit card data theft scandal. I’m sure that the folks at CardSystems Solutions thought that what they were doing was logical and fine. After all, they just wanted to “determine why certain transactions had registered as unauthorized or uncompleted,” which seems perfectly reasonable. But if you’re keeping data, it is at risk. This is why the official policy was to absolutely minimize the amount of data retained after transactions were completed. Most people tend to think that storing everything is better, but this isn’t the case. Minimize. You don’t have to protect what you don’t have.