A core principle of data protection, and of the Payment Card Industry Data Security Standard (PCI DSS), is that merchants should never store card data in the clear anywhere in their computer systems: full magnetic-stripe track data must not be retained after authorization at all, and the primary account number must be rendered unreadable wherever it is stored. But a recent study of data generated by a system-scanning tool shows that many merchants are violating this rule, knowingly or unknowingly.
Of 2,736 scans worldwide since Jan. 1 using SecurityMetrics Inc.’s PANscan tool, 71% revealed merchant computer systems storing unencrypted payment card data, up 8% from a similar survey in 2010, according to the Salt Lake City, Utah-based provider of PCI security solutions. The participating merchants ranged in size from small, so-called Level 4 merchants, which process the fewest transactions a year, to the largest Level 1 merchants.
PANscan is a software tool that searches merchant systems for unencrypted Track 1 and Track 2 magnetic-stripe data and primary account numbers (PANs), to support PCI compliance efforts.
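How such a card-data discovery scan works in practice, as an added example that is not PANscan's code or any SecurityMetrics material: the scanner below walks a directory, first looks for ISO/IEC 7813 Track 1 and Track 2 records by their sentinel characters and field layout, and then for bare 13- to 19-digit numbers that pass the Luhn check and begin with a major-brand digit, which keeps invoice and order numbers out of the report. Findings are masked to the first six and last four digits so the scan report does not itself become a new copy of the PAN. The POS debug log and refund export are constructed for the example using the well-known industry test card numbers, and the file and function names are the example's own.

```python
"""Card-data discovery scanner (added example; not PANscan)."""
import os
import re
import tempfile

# Track 1 (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})[^?]*\?")
# Bare PAN: 13-19 digits, optional single space/dash separators,
# not embedded in a longer digit run.
BARE_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# First-digit heuristic for the major brands (Mastercard 2-series, Amex/Diners 3,
# Visa 4, Mastercard 5, Discover 6); cuts false positives from invoice numbers.
ISSUER_FIRST_DIGITS = "23456"


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so findings can be reported safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str) -> list:
    """Return findings (kind, masked PAN, offset) for one file's contents."""
    findings, covered = [], []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(text):
            covered.append((m.start(), m.end()))
            findings.append({"kind": kind, "pan": mask_pan(m.group("pan")),
                             "offset": m.start()})
    for m in BARE_PAN_RE.finditer(text):
        if any(s <= m.start() < e for s, e in covered):
            continue  # PAN or discretionary digits inside a track record already reported
        pan = re.sub(r"[ -]", "", m.group(0))
        if pan[0] in ISSUER_FIRST_DIGITS and luhn_valid(pan):
            findings.append({"kind": "pan", "pan": mask_pan(pan), "offset": m.start()})
    findings.sort(key=lambda f: f["offset"])
    return findings


def scan_tree(root: str) -> list:
    """Walk a directory tree and tag each finding with the file it came from."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                text = fh.read().decode("latin-1")  # one byte per char keeps offsets honest
            for f in scan_text(text):
                results.append(dict(f, path=path))
    return results


# Constructed samples (not real scan output): a POS application logging raw swipes
# in debug mode, and a back-office export. Card numbers are industry test numbers.
SAMPLE_POS_LOG = (
    "DEBUG swipe raw=%B4111111111111111^DOE/JANE^25121011000000000000?\n"
    "DEBUG track2=;5555555555554444=25121011234567890?\n"
    "INFO  auth approved ref=INV8800123456789\n"  # 13 digits but not a card
)
SAMPLE_REFUNDS_CSV = (
    "customer,card,amount\n"
    "J Doe,3782 822463 10005,42.00\n"
    "A Roe,4111 1111 1111 1112,19.95\n"  # fails Luhn: a typo, not a card
)


def main() -> None:
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "pos", "logs"))
        with open(os.path.join(root, "pos", "logs", "app.log"), "w") as fh:
            fh.write(SAMPLE_POS_LOG)
        with open(os.path.join(root, "refunds.csv"), "w") as fh:
            fh.write(SAMPLE_REFUNDS_CSV)
        for f in scan_tree(root):
            print(f"{f['kind']:7s} {f['pan']:19s} {os.path.relpath(f['path'], root)}")


if __name__ == "__main__":
    main()
```

The covered-span check matters: the expiry and discretionary fields of a Track 2 record are themselves a long digit run, and without it a scanner either reports the same swipe twice or flags discretionary data as a second card. A real deployment would also have to look inside compressed archives, database files and binary POS formats, where PANs are often stored in encodings other than ASCII, such as UTF-16 or packed BCD, rather than as plain digit strings.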
The study found more than 379 million unencrypted card numbers in total on business and home networks of various sizes, with the largest number found in a single network scan at over 96 million. SecurityMetrics doesn’t know the size or PCI compliance status of the merchants storing unencrypted data: any merchant can download the PANscan tool for $25 annually, and SecurityMetrics doesn’t ask them to submit detailed information such as PCI status.
“We know there are some high-end customers that have that kind of data all the way down to the very small merchants,” says Bill Davis, SecurityMetrics product manager.
Many merchants storing unencrypted card data are familiar with the PCI standards but aren’t aware their systems are storing the information, says Jon Clark, product marketing manager at SecurityMetrics. Merchants often don’t realize that cardholder data may be stored in point-of-sale software, back-end application servers, Web servers, attached storage devices, customer-service workstations and other areas.
Merchants frequently use payment-processing software that doesn’t conform to the Payment Application Data Security Standard (PA-DSS), which falls under the PCI umbrella, or they fail to configure their payment applications properly, Davis says. SecurityMetrics’ forensic investigators found “that even new payment applications are just not configured correctly and they’re capturing that data in some log in the computer system,” he says.
In addition, back-office employees often aren’t trained in the proper handling and storage of card data, Davis says. For example, “somebody in accounting thinks they’re being meticulous by keeping all the information.”
To ensure they aren’t storing unencrypted card data, merchants need to regularly review the methods and operations of their businesses by using some type of system-scanning tool, according to Clark. “Systems change all the time. Merchants are constantly updating their payment applications or buying new software,” he says. “If they make card data discovery a regular part of their business operation, whether it’s monthly or quarterly, they should be able to stay on top of it.”