CardSystems: Shouldn't Have Kept Records

The head of the credit card processing company whose computer system was breached by hackers, exposing millions of credit card accounts, has acknowledged that his firm should not have been keeping the consumer records in the first place.

The official, John Perry, chief executive of Atlanta-based CardSystems Solutions Inc., said that the records known to have been stolen covered roughly 200,000 of the 40 million compromised credit card accounts, from Visa, MasterCard, and other companies.

He said the data was being stored for "research purposes" to determine why some transactions had registered as unauthorized or uncompleted. "We should not have been doing that," Perry said in Monday's editions of The New York Times.

Under rules established by Visa and MasterCard, processors cannot retain cardholder information after handling transactions.

"CardSystems provides services and is supposed to pass that information on to the banks and not keep it," Joshua Peirez, a MasterCard official, told the Times. "They were keeping it."

The security breach was first reported Friday when MasterCard International Inc. said computer hackers may have accessed more than 40 million credit card accounts. About 13.9 million were from MasterCard accounts. It was not immediately clear how many of the other accounts were considered at high risk.

The incident appears to be the largest yet involving financial data in a series of security breaches affecting valuable consumer data at major financial institutions and data brokers.

Under federal law, credit card holders are liable for no more than $50 of unauthorized charges. Some card issuers, including MasterCard, offer zero liability to customers on unauthorized use of the card.

CardSystems processes less than 0.5 percent of American Express' (AXP) domestic transactions, said company spokeswoman Judy Tenzer. She said a small number of its cardholders were affected, though she did not have an exact figure.

Discover Financial Services Inc. said it was aware of the situation and would not say whether any of its cards were involved.

A spokeswoman for American Express said a small number of its cardholders were affected, but would not give an exact number. Visa USA and a large issuer of cards, MBNA Corp., did not return calls for comment.