According to a report from SecurityMetrics, a data security and compliance firm, 70 percent of merchants that accept credit and debit cards are storing unencrypted payment card data. The study finds that the majority of businesses are leaving low-hanging-fruit for criminals, by storing payment data on easily compromised systems in the clear, making data theft much easier.
The tool was used to scan 2,754 systems, and discovered 315,639,164 payment card records unsecured. One scan alone found data on over 91 million cards.
Similar to the study performed in 2011, this year’s data shows that the overwhelming majority (73.41%) of payment card data identified by PANscan came from scans resulting in less than 1,000 discovered payment cards.
On the methodology side, the study was conducted using first-time payment card data discovery scans, something that most likely inflated the statistics on the percentage of overall merchants actually storing unencrypted payment card data.
It goes without saying, but organizations that store unencrypted payment card data directly violate PCI-DSS requirements, and they’re more likely to be exploited and suffer severe financial repercussions because of any type of related breach. Often, organizations don’t even realize they’re storing PAN data, until it’s too late.
“Hackers proactively search for unencrypted card data because it takes less effort to steal,” said Director of Security Assessment, Gary Glover. “Whether a business stores unencrypted card data because of an improperly configured payment application, or because employees handle data improperly, storing card data without encryption is against industry regulation.”
When it comes to the industries that are the largest violators; the financial, hospitality, and retail industries accounted for 55% of the total unencrypted payment card data storage among businesses tested.
The study also exposed the fact that more than 10-percent of merchants store magnetic stripe track data, essential for the illegal reproduction of credit and debit cards.
The full report is available online.
Related Reding: If PCI Is Your Whole Security Program, You’re Not Doing Your Job Right