40M credit cards hacked NEW YORK (CNN/Money) - A security breach has occurred at a third-party processor of payment card transactions that affects over 40 million card accounts, Mastercard International said Friday. Of the cards involved, 13.9 million were MasterCard-branded cards, which include Maestro and Cirrus, and 22 million were Visa cards, said Visa spokeswoman Rhonda Bentz. The breach took place at the Tucson office of CardSystems Solutions, which processes transactions on behalf of financial institutions and merchants. CardSystems said in a statement that it identified the breach on May 22 and contacted the FBI the next day. Mastercard learned the final details of the breach this week, according to spokeswoman Jessica Antle. "It looks like a hacker gained access to CardSystems' database and installed a script that acts like a virus, searching out certain types of card transaction data." "We're working with the FBI. It's a criminal investigation," Visa's Bentz said, noting that CardSystems "was out of compliance" with Visa's security standards when the breach occurred and that Visa would review whether it would continue to work with CardSystems when the case is resolved. CardSystems said it has taken measures since discovery of the breach to enhance its security procedures. Mastercard said in a statement that it is giving CardSystems "a limited amount of time to demonstrate compliance with Mastercard security requirements." FBI spokesman Rex Tomb couldn't give more details about the case, saying only that "we're looking into it. But there's nothing more we can say at this time. It's a pending case." MasterCard said it is giving member financial institutions the specific card account numbers that may have been compromised. The credit card information exposed in the breach did not include any Social Security numbers, birth dates or other highly sensitive personal data, Mastercard said. Consumers receive protection if unauthorized charges are made on their credit cards. MasterCard and Visa, for instance, have zero-liability policies. Bentz said Visa will be monitoring the accounts closely and should know before cardholders if there has been any fraudulent activity. Thus far, she said, "We haven't seen anything outside of the norm." If ever you notice unauthorized charges on your credit card, you should notify your card issuer immediately. The breach reported by Mastercard on Friday is one in a long line of breaches reported this year by consumer data aggregators like ChoicePoint, retailers such as DSW and corporations such as Time Warner, parent company of CNN/Money.com. Rather than a rash of illicit activity, experts say, the slew of reports may have more to do with companies wishing to protect themselves in the wake of a California state law requiring businesses to notify its customers when their personal information has been exposed in a security breach. Illinois this week became the second state to pass such a law. Concerned about your ID being stolen? Click here. To learn more about the companies that profit off your personal information, click here. Top of page ------------- "You owe me money!" -- Bert.