Unencrypted Payment Card Data Haunts Major Industries

According to a report from SecurityMetrics, a data security and compliance firm, 70 percent of merchants that accept credit and debit cards are storing unencrypted payment card data. The study finds that the majority of businesses are leaving low-hanging fruit for criminals by storing payment data in the clear on easily compromised systems, making data theft much easier.

SecurityMetrics used its PANscan tool, a card discovery tool that searches for unencrypted track 1, track 2 and PAN (Primary Account Number) data, for the report.

The tool was used to scan 2,754 systems and discovered 315,639,164 unsecured payment card records. One scan alone found data on over 91 million cards.

Similar to the study performed in 2011, this year’s data shows that the overwhelming majority (73.41%) of payment card data identified by PANscan came from scans resulting in fewer than 1,000 discovered payment cards.

On the methodology side, the study was conducted using first-time payment card data discovery scans, something that most likely inflated the statistics on the percentage of overall merchants actually storing unencrypted payment card data.

It goes without saying, but organizations that store unencrypted payment card data directly violate PCI-DSS requirements, and they’re more likely to be exploited and suffer severe financial repercussions because of any type of related breach. Often, organizations don’t even realize they’re storing PAN data until it’s too late.

“Hackers proactively search for unencrypted card data because it takes less effort to steal,” said Director of Security Assessment, Gary Glover. “Whether a business stores unencrypted card data because of an improperly configured payment application, or because employees handle data improperly, storing card data without encryption is against industry regulation.”

As for which industries are the largest violators, the financial, hospitality, and retail industries accounted for 55% of the total unencrypted payment card data storage among businesses tested.

The study also exposed the fact that more than 10 percent of merchants store magnetic stripe track data, essential for the illegal reproduction of credit and debit cards.
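As an added illustration (not SecurityMetrics' PANscan code, whose internals this article does not describe), the sketch below shows how discovery of unencrypted PAN and track data can work: pattern matches for track 1, track 2 and bare PANs, filtered by the Luhn checksum and reported masked. The function names, regular expressions and sample text are assumptions constructed for this example.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1, format B: %B<PAN>^<name>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d{3}\d*\?")

# Constructed sample input using well-known test card numbers, not real data.
SAMPLE = (
    "2012-06-01 txn ok card=4111 1111 1111 1111 amt=12.50\n"
    "order id 1234567890123456 shipped\n"
    "swipe=;5555555555554444=25121010000000000?\n"
    "swipe=%B4111111111111111^DOE/JOHN^25121010000000000000?\n"
)

def luhn_ok(digits):
    """Luhn checksum: filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan):
    """Report only first six and last four digits, never the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_text(text):
    """Return (kind, masked PAN, offset) for each finding, in file order."""
    findings, covered = [], []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(text):
            if luhn_ok(m.group(1)):
                findings.append((kind, mask(m.group(1)), m.start()))
                covered.append(m.span())
    for m in PAN_RE.finditer(text):
        # Skip digit runs already reported as part of a track record.
        if any(s <= m.start() < e for s, e in covered):
            continue
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("pan", mask(digits), m.start()))
    return sorted(findings, key=lambda f: f[2])

if __name__ == "__main__":
    print(*scan_text(SAMPLE), sep="\n")
```

The order id in the sample is a 16-digit run that fails the Luhn check and is not reported; digit runs that pass by chance still need manual review.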

The full report is available online.

Related Reading: If PCI Is Your Whole Security Program, You’re Not Doing Your Job Right