Sam's Club, a division of Wal-Mart Stores Inc., said in a statement issued this month that it was investigating a security breach that had exposed credit card data belonging to an unspecified number of customers who purchased gas at the company's stations between Sept. 21 and Oct. 2.

Beyond saying that its internal systems and databases weren't compromised, Sam's Club didn't elaborate on how the card information was accessed. Last week, company officials didn't respond to repeated requests for comment.

But Corinne Sherman, vice president of card services at the Pennsylvania Credit Union Association in Harrisburg, said that based on alerts from MasterCard International Inc. and Visa U.S.A. Inc., Sam's Club appears to have been storing customer and account information from both tracks of the magnetic stripe on the back of cards. That information could be used by data thieves to create counterfeit cards that could then be used to commit fraud, Sherman said.

Especially troubling is the fact that a very large number of merchants still appear to be capturing and storing the full magnetic stripe information off of credit and debit cards even though doing so violates the new Payment Card Industry (PCI) security standards, said Ann Davidson, payment systems risk manager at CUNA Mutual Group, a Madison, Wis.-based company that provides insurance and financial services to credit unions.

Of the more than 300 fraud alerts that MasterCard and Visa have each issued this year, the majority involved cases where magnetic stripe information was stored after a transaction, Davidson said.