Comment by hedora

Smart cards were also breached before the US switched to them.

I'd object to paying for PCI DSS if I were them, to be honest. The idea that every merchant (or credit card reader) even has access to credentials is ludicrous.

The currentc was of email lists, not the payment flow. It's embarrassing, but still a better track record than the existing payment processors (which probably suffered 10,000s of payment flow breaches as I typed this.)