Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Compliance

63% of Merchant Networks Contain Unencrypted Card Data, Says SecurityMetrics

According to recent scans of than 475 merchant networks, nearly two-thirds of merchant computer systems store unencrypted payment card data. These results come from SecurityMetrics, a provider of PCI Data Security Standard security solutions, and show that these merchants are in violation of the Payment Card Industry Data Security Standard (PCI DSS), leaving them liable to fines and other penalties.

According to recent scans of than 475 merchant networks, nearly two-thirds of merchant computer systems store unencrypted payment card data. These results come from SecurityMetrics, a provider of PCI Data Security Standard security solutions, and show that these merchants are in violation of the Payment Card Industry Data Security Standard (PCI DSS), leaving them liable to fines and other penalties.

The presence of readable (and prohibited) card information in 63% of merchant systems was uncovered in beta testing of SecurityMetrics’ just-released PANscan product, a free software tool that searches for unencrypted Track 1, Track 2 and Primary Account Number (PAN) data on merchant machines to support PCI DSS compliance efforts.

The test findings indicate a large number of merchants use payment application software that doesn’t conform to the Payment Application Data Security Standard (PA-DSS), fail to configure their payment applications properly, neglect to erase old data when new payment applications are purchased, and/or fail to train their employees in proper handling and storage of card data.

“Improper storage of payment card information puts cardholder data at risk. Our testing suggests that the problem remains surprisingly widespread even with increasing industry emphasis on the need for compliance with PCI DSS regulations,” said SecurityMetrics CEO Brad Caldwell.

Based on proprietary SecurityMetrics forensics technology, the PANscan software is designed for use by any merchant regardless of technical expertise.

PANscan allows offers the following functionality: Searches for unencrypted cardholder data on local hard drives, optical drives, network servers and external storage devices, including archive files such as .zip and .gz files where backup information is often stored.

• Triple-checks results to ensure accuracy, virtually eliminating the false positives common with other scanning products and the associated time required to research and resolve these errors.

• Runs 10 times faster than a normal disk scan, while also minimizing resource use to avoid interference with everyday business operations.

• Reports summary results immediately in a popup window when the scan is completed, indicating whether or not the system contains prohibited card data.

• Allows scans to be performed as frequently as desired on any number of merchant machines.

Merchants can download PANscan free of charge here.

Written By

Click to comment

Expert Insights

Related Content

Audits

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...

Application Security

Big-game malware hunters at Volexity are shining the spotlight on a sophisticated Chinese APT caught recently exploiting a Sophos firewall zero-day to plant backdoors...

Compliance

The Federal Communications Commission (FCC) is proposing tighter rules on the reporting of data breaches by wireless carriers.The updated rules, the FCC says, will...