Strictly Confidential — Material Disclosure Under Executed Mutual NDA Only
SECTOR / 04 · PAYMENTS & FINTECH

Payments & Fintech. The compliance floor sits below the threat. We engineer above it.

In 2024, Ticketmaster disclosed a breach of customer data, reportedly covering some 560 million records, reached through a third-party cloud data platform. Snowflake's customer base lost data through a credential-theft campaign against accounts with no multi-factor authentication that affected up to 165 organisations. Verizon's forensic investigators have never found a breached organisation to be fully PCI DSS compliant at the time of the breach. PULSE engineers payment infrastructure in which the cardholder data does not exist in the merchant's perimeter to be breached.

Payments & Fintech — 2024 Threat Profile

Verizon's forensic team has never found an organisation fully PCI DSS compliant at the time it was breached.

560M
Customer records reportedly exposed in the 2024 Ticketmaster / Live Nation data breach via a third-party cloud data provider. The 560 million figure is the attackers' claim; they stated the set included names, contact details and partial payment-card data. Live Nation's 8-K confirmed unauthorised activity in a third-party cloud database environment containing company data.
Ticketmaster / SEC 8-K disclosure 2024
27.9%
Proportion of organisations fully PCI DSS compliant at the time of their interim validation assessment, per the Verizon 2020 Payment Security Report, down 27.5 points from 55.4% in 2016.
Verizon 2020 Payment Security Report
USD 90/card
Commonly cited industry estimate of the per-compromised-card cost passed to merchants by acquiring banks after a breach (re-issuance, fraud losses and card-brand assessments combined). Fines and assessments are set by the card brands and acquirers, not by the PCI Security Standards Council, and are not published as a fixed tariff.
Industry estimate; card-brand assessments vary by brand and acquirer
USD 1.4M
Average ransom demand to Coalition policyholders in 2023 — 36% increase from prior year.
Coalition 2024 Cyber Claims Report
Threat Landscape

Payments and fintech operate at the floor of cybersecurity compliance, with the floor sitting structurally below the threat.

The Payment Card Industry Data Security Standard (PCI DSS) is the dominant compliance regime for payment-card data globally. It is not a law; it is a contractual obligation imposed by card networks (Visa, Mastercard, American Express, Discover, JCB) on acquiring banks, which pass the obligation to merchants and processors. PCI DSS v4.0 replaced v3.2.1 as the only active version on 31 March 2024. Version 4.0.1, a limited revision that corrected errata and clarified guidance without adding requirements, was published in June 2024 and superseded v4.0 at the end of 2024. The requirements v4.0 had designated as future-dated became mandatory on 31 March 2025.

The Verizon Payment Security Report's most-cited finding is that, in over a decade of forensic investigations following confirmed payment-card breaches, no breached organisation has been found fully PCI DSS compliant at the moment of breach. The corollary finding is that the control failures identified post-breach map onto the standard's own requirements: Requirement 3 (protect stored account data), Requirement 4 (strong cryptography for cardholder data transmitted over open, public networks), Requirement 6 (develop and maintain secure systems and software), Requirements 7 and 8 (restrict access; identify users and authenticate access), and Requirement 11 (test the security of systems and networks regularly). The standard exists. The control implementation is the gap. [01]

PCI DSS specifies the controls a payments organisation must implement to protect cardholder data. It does not specify what protection looks like in an architecture in which the cardholder data is not stored as cardholder data.

The 2024 Ticketmaster breach is the canonical illustration of how the architecture itself is the problem. The data was taken from a Snowflake-hosted data warehouse, a third-party cloud platform, reached with stolen customer credentials on accounts that lacked multi-factor authentication, and reportedly covered some 560 million customer records including partial payment-card data. Moving the data to a third party changed where it sat, not whether an adversary with sufficient access could recover it. [02]

Common Attack Vectors

Payment-card breaches concentrate in four mechanisms.

The mechanism inventory has remained stable since 2017: the targets, the entry vectors, and the exfiltration paths are well-known to defenders. The rate of successful breach has not declined.

VECTOR / 01

Web Application Skimming (Magecart)

Magecart-style attacks inject malicious JavaScript into checkout pages, directly or via a compromised third-party tag, to skim card data as the customer enters it, before it reaches any server-side control. Warner Music Group disclosed in 2020 that a skimmer had run for roughly three months, from April to August, on e-commerce sites hosted by a third-party provider. Because the skim happens in the browser, Requirement 3 storage controls never see the data; PCI DSS v4.0 added Requirement 6.4.3 (authorise, inventory and integrity-check every payment-page script) and Requirement 11.6.1 (detect unauthorised changes to payment-page content and HTTP headers as received by the consumer browser) in response to this vector.

Warner Music Group / Magecart 2020: roughly three months of undetected skimming
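The inventory-and-integrity check that Requirement 6.4.3 asks for can be automated against the page a customer actually receives. The following is an added example, not PULSE code or any vendor's product: it parses a constructed checkout page, classifies each script tag against a hypothetical allowlist of authorised origins, and emits the matching Content-Security-Policy script-src directive. The origins, paths and SRI hash are placeholders.

```python
"""Payment-page script audit: added example, not PULSE Digital Security code.

PCI DSS v4.0 Requirement 6.4.3 requires every script loaded into the consumer's
browser on a payment page to be authorised, integrity-assured and inventoried.
This audits a captured checkout page against an allowlist of script origins and
flags the two conditions a Magecart-style injection exploits: a third-party tag
nobody authorised, and an authorised tag with no Subresource Integrity pin.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page. The origins, paths and the SRI hash are placeholders,
# not real services.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.example-psp.test/v3/fields.js"
        integrity="sha384-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"></script>
<script src="https://cdn.analytics-tag.test/t.js"></script>
<script>window.__checkout = {};</script>
</head><body></body></html>
"""

# Hypothetical inventory: the only third-party origin authorised on the payment page.
ALLOWED_ORIGINS = {"https://js.example-psp.test"}
PAGE_ORIGIN = "https://shop.example.test"
SRI_PREFIXES = ("sha256-", "sha384-", "sha512-")


class ScriptCollector(HTMLParser):
    """Collects the attributes of every <script> tag in the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def audit_payment_page(html, allowed_origins, page_origin=PAGE_ORIGIN):
    """Return one finding per script tag: src, status and the reason for the status."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if src is None:
            status, reason = "inline", "inline script: cover with a CSP nonce or hash"
        else:
            parsed = urlparse(src)
            # Relative src (no netloc) resolves to the merchant's own origin.
            origin = f"{parsed.scheme}://{parsed.netloc}" if parsed.netloc else page_origin
            integrity = attrs.get("integrity") or ""
            if origin == page_origin:
                status, reason = "first-party", "served from the merchant's own origin"
            elif origin not in allowed_origins:
                status, reason = "unauthorised", f"{origin} is not in the payment-page inventory"
            elif not integrity.startswith(SRI_PREFIXES):
                status, reason = "missing-sri", "authorised origin but no Subresource Integrity hash"
            else:
                status, reason = "ok", "authorised and integrity-pinned"
        findings.append({"src": src, "status": status, "reason": reason})
    return findings


def recommended_csp(allowed_origins):
    """script-src directive permitting only the merchant origin and the inventory."""
    return "script-src 'self' " + " ".join(sorted(allowed_origins)) + ";"


if __name__ == "__main__":
    for finding in audit_payment_page(SAMPLE_CHECKOUT_HTML, ALLOWED_ORIGINS):
        print(f"{finding['status']:<12} {finding['src'] or '<inline>'}: {finding['reason']}")
    print(recommended_csp(ALLOWED_ORIGINS))
```

Running this against a page fetched the way a customer's browser fetches it (not from the origin server's template) is what turns the check into the change detection Requirement 11.6.1 asks for: any script that appears as "unauthorised" between two fetches is exactly the injected tag a skimmer relies on. An SRI pin is only as good as the hash recorded in the inventory, so the inventory itself must be change-controlled.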
VECTOR / 02

Third-Party Cloud-Data Compromise

The 2024 Snowflake-customer breach campaign affected up to 165 customer organisations, including Ticketmaster and Santander. The attackers used credentials harvested by infostealer malware, in some cases years earlier, to log in to Snowflake customer accounts that had neither multi-factor authentication nor network allowlisting, then exported bulk customer data from the warehouses. Snowflake's own platform was not found to have been compromised; the failure was in customer account hygiene.

165 Snowflake customers affected — 2024
VECTOR / 03

Point-of-Sale Malware

Memory-scraping malware on PoS terminals captured about 40 million card numbers in the 2013 Target breach; the 2007 TJX breach, first put at over 45 million cards, was later estimated in court filings at more than 94 million. The malware works because the PAN and track data must be in cleartext in terminal memory at the moment of authorisation, so it scans process memory for digit runs that pass the Luhn check and exfiltrates the matches. The PoS attack surface persists in 2024 across small merchants and transport ticketing, with ATM networks facing their own malware families.

40M cards — Target / Black Friday 2013
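The primitive a memory scraper uses to find card numbers is the same one a DLP or PCI scope-discovery tool uses to find cardholder data where the architecture claims not to hold it. The following is an added example, not PULSE code or any vendor's product: it scans a constructed PoS log/memory sample for 13- to 19-digit runs, keeps only those that pass the Luhn check, and reports them masked to the BIN and last four. The PANs are well-known issuer test numbers and the log lines are invented.

```python
"""PAN discovery scan: added example, not PULSE Digital Security code.

Memory-scraping PoS malware finds card numbers the same way a DLP or scope-discovery
tool does: match runs of 13 to 19 digits (with optional spaces or dashes) and keep
only those that pass the Luhn check digit. Run defensively over process dumps, log
files or database exports, the scan shows where cardholder data exists that the
architecture claims not to hold. Every PAN below is a well-known issuer test number.
"""
import re

# Constructed sample of PoS log/memory content. A Luhn-failing 16-digit order id and a
# mistyped PAN are included to show the filter rejecting lookalikes.
SAMPLE_BUFFER = (
    b"2024-05-13T10:22:01 POS-07 sale order=1234567890123456 amt=49.99\n"
    b"2024-05-13T10:22:02 POS-07 auth pan=4242 4242 4242 4242 exp=1227 result=approved\n"
    b"2024-05-13T10:22:05 POS-07 debug track2=;5555555555554444=27121010000000000000?\n"
    b"2024-05-13T10:22:09 POS-07 ref=4111111111111112 status=void\n"
)

# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded in a
# longer digit run. The lookarounds stop a 20-digit field from yielding a 19-digit hit.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn check: double every second digit from the right, sum, require a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2   # digit sum of the doubled value
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep the BIN (first six) and last four, the most PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(buffer):
    """Return masked PANs found in a byte buffer with their byte offsets and lengths."""
    text = buffer.decode("latin-1")          # 1:1 byte-to-char so offsets stay valid
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append({"offset": m.start(), "length": len(digits), "masked": mask_pan(digits)})
    return hits


if __name__ == "__main__":
    for hit in find_pans(SAMPLE_BUFFER):
        print(f"offset {hit['offset']:>4}: {hit['masked']} ({hit['length']} digits)")
```

Luhn alone passes about one random digit run in ten, so production scanners add BIN-range tables and context keywords to cut false positives; the point here is that the check costs nothing, which is why the malware side has never needed anything more sophisticated. Any hit in a log file is, by itself, a Requirement 3 finding.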
VECTOR / 04

Business Email Compromise — Funds Transfer Fraud

BEC attacks targeting fintech firms' wire-transfer authorisation chains produce direct financial loss without breaching the customer-data substrate. In the 2024 Coalition Cyber Claims Report, 56% of all claims were BEC or FTF.

56% of cyber claims — Coalition 2024
Operational and Regulatory Impact

The fine is a fraction of the cost. The card-brand termination is the breach's actual consequence.

PCI DSS non-compliance penalties begin with the card-brand compromise assessment: USD 5,000 to USD 500,000 per incident, levied on the acquiring bank and passed to the merchant. They scale through PCI Forensic Investigator (PFI) engagement costs (USD 12,000–100,000), onsite QSA assessments (USD 20,000–100,000), free credit monitoring (USD 10–30 per affected card), card re-issuance (USD 3–10 per card), and state and federal breach-notification fines that vary by jurisdiction.

The most consequential penalty is non-monetary: the acquiring bank can revoke the merchant's card-processing relationship, and a card brand can strike a processor from its list of validated service providers. For a business whose product is payment processing, the former is terminal. Heartland Payment Systems was removed from Visa's list of PCI DSS-validated service providers after its 2008 breach and had to re-validate its compliance before being reinstated in 2009.

For fintech specifically, regulatory consequences extend beyond PCI DSS. In the EU, PSD2 imposes Strong Customer Authentication requirements; the upcoming PSD3/PSR will tighten incident-reporting obligations. In Australia, the Consumer Data Right (Open Banking) imposes data-handling obligations on accredited data recipients that exceed PCI DSS in scope and prescriptiveness. The UK Financial Conduct Authority's Operational Resilience regime requires firms to identify Important Business Services and set and test impact tolerances for their disruption, payment processing being the canonical IBS.

Reframing

Every payment-card breach in the past decade has been a breach of an architecture in which payment-card data was present as payment-card data, at rest, in transit or in browser memory, somewhere within the span of control the adversary reached.

The PULSE Position

In a PULSE-substrate payments environment, there is no payment-card data to breach.

The principal target of payment-sector attack is the cardholder data: the Primary Account Number (PAN), the cardholder name, the expiration date and the service code, together with the sensitive authentication data (full track data, card verification codes and PINs), which PCI DSS forbids storing at all after authorisation. Requirement 3 requires that the PAN be rendered unreadable anywhere it is stored and lists the accepted methods: one-way hashing of the entire PAN, truncation, index tokens with securely stored lookup tables, or strong cryptography. Only the last is reversible. Where a merchant relies on it, the data still exists, in protected but recoverable form, on the merchant's infrastructure.

PULSE does not propose a stronger version of "rendered unreadable". We propose a different architectural commitment: the cardholder data does not exist in the merchant's infrastructure at all, in any form, recoverable or otherwise. It exists only in the form, location, and access scope necessary for the specific transaction in question. An adversary who breaches the merchant's perimeter does not encounter encrypted PANs they cannot read. They encounter the absence of the PAN entirely.

The compliance scope of a PULSE-substrate payments deployment is materially smaller — by orders of magnitude — than the PCI DSS scope of the equivalent legacy deployment. The breach exposure is materially smaller still. The means is the trade secret. We disclose it under executed NDA only.

Strategic Briefing — Available Under NDA

Payments-sector PULSE deployment, PCI DSS 4.0.1 scope reduction, and quantified breach-residual model.

Architectural-fit assessment for tier-1 acquirer, payment processor, fintech-platform, and merchant-of-record deployment scenarios. Quantified PCI DSS scope-reduction model under PULSE substrate. Cross-jurisdictional regulatory alignment matrix (PCI DSS 4.0.1 / EU PSD2/PSR / UK PRA Operational Resilience / Australia CDR / Singapore MAS PSN). Reference architecture for tokenised-substrate payment processing.

Available under executed NDA →
Sources

All statistics on this page are drawn from publicly available reports issued by recognised industry bodies, regulators, and security research organisations. References are listed below for verification.

  1. [01] Verizon Payment Security Report (2020 edition) — PCI DSS compliance analysis.
  2. [02] Live Nation Entertainment, Form 8-K filing on the Ticketmaster cybersecurity incident (filed May 2024).
  3. [03] PCI Security Standards Council — Payment Card Industry Data Security Standard, Version 4.0.1 (June 2024).
  4. [04] Coalition 2024 Cyber Claims Report.
  5. [05] Verizon 2024 Data Breach Investigations Report — analysis of 30,458 security incidents and 10,626 confirmed breaches across 94 countries.
  6. [06] IBM Cost of a Data Breach Report 2024 (Ponemon Institute, sponsored by IBM, July 2024) — covering 604 organisations across 16 countries and 17 industries between March 2023 and February 2024.
  7. [07] European Banking Authority — PSD2 Regulatory Technical Standards on Strong Customer Authentication.
  8. [08] UK Financial Conduct Authority — PS21/3 Building operational resilience.

PULSE Digital Security cites these sources for context only. Citation does not imply endorsement of, or affiliation with, any cited organisation. All trademarks remain the property of their respective owners.