I can't help but wonder whether the payment card industry will adjust their security standards in the face of this kind of threat. Currently, the security standards stipulate that a credit card number has been sufficiently protected/destroyed if only the last four digits of the account number are kept. In the face of this kind of attack, would that be enough? All of a sudden, what information is left is being used to obtain whatever was missing.
I can see security requirements being adjusted in a couple of ways: First, require complete obliteration of the credit card account number when it is no longer needed. Don't even keep the last four digits. Second, require that various pieces of information be kept in separate logical or physical databases. If card numbers are stored separately from addresses and other personal information, it's one more barrier for an attacker to overcome.