1) Most places do 2 factor authentication. You would need the token and the password for the token, so just stealing the token is not very useful. And you still need a separate password for the actual DB.
2)Track I is name stuff and PAN...Many POS devices only send track II. And internet trans would have neither track I or II. So not every tran would have Track I and II. But a debit/credit issuer would have both tracks in his DB, as he needs to issue cards with this info. Probably unlikely some external employee of a financial institution gathering this info from an external transaction history interface, as you would just get the track that was read by the POS device. Points again to internal.
3) You would need to punch through internal firewalls, or have a specific IP and WINS address that allows you through to the data. Not everyone at Global Payments inc. can get at the data. Once again, you need an inside guy.
4) If this data was encrypted (unlikely other than disk encryption for data at rest protection), you would need to be internal.
5) if it is a stolen disk or tape, you need inside info to get it and know what is on it.
6) Intrusion detection systems probably would have caught any external hacks. So either those alerts were ignored or bypassed. Once again, internal.
That said, I'll probably be proved wrong.