One of the key tenets of the 6-year-old Payment Card Industry Data Security Standard (PCI DSS) is that merchants should never store card data in the clear on their systems. But data from a recent beta test of a new system-scanning tool shows that many merchants, knowingly or unknowingly, are violating this basic rule.
Almost two-thirds of the merchant systems tested with SecurityMetrics’ new PANscan tool were storing unencrypted payment card data, according to the Salt Lake City, Utah-based provider of PCI security services. The merchants participating in the test ranged in size from small Level 4 merchants to the largest Level 1 merchants.
PANscan is a software tool that searches merchant machines for unencrypted Track 1 and Track 2 magnetic-stripe data and primary account numbers (PANs, the card numbers themselves) in order to support PCI DSS compliance efforts.
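To make concrete what a scan of this kind looks for, here is an added example; it is not SecurityMetrics’ PANscan and not code from the article. It is a small Python scanner that flags cleartext PANs (a 13-to-19-digit run that passes the Luhn check) and magnetic-stripe data laid out in the ISO/IEC 7813 Track 1 and Track 2 formats. The file contents are constructed sample data built from the card brands’ published test numbers, and `scan_directory` is a hypothetical helper for pointing it at a real path.

```python
"""Minimal scanner for cleartext PAN and magnetic-stripe track data.

Added example in the spirit of the scan described above; this is not
SecurityMetrics' PANscan, and all sample data below is constructed.
"""
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run (e.g. a 22-digit ID).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# ISO/IEC 7813 Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{7}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{7}[^?]*\?")

# Constructed "files" standing in for a merchant file system. The card
# numbers are the brands' published test numbers, not real accounts.
SAMPLE_FILES: Dict[str, str] = {
    "orders.log": "2010-03-01 order 1001 card=4111111111111111 exp=1212 ok\n",
    "swipe.dat": "%B5555555555554444^DOE/JANE^1505101000000000000000?"
                 ";5555555555554444=1505101000000000000000?\n",
    "notes.txt": "Invoice 1234567890123456 is a 16-digit number, not a card\n",
    "cache.html": "<p>phone 555-0100 customer id 378282246310005</p>\n",
}

Finding = Tuple[str, str]  # (kind, masked PAN)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every card brand's PANs satisfy it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Report at most the first six and last four digits (PCI DSS 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str) -> List[Finding]:
    """Return track-data hits first, then bare PANs not already inside a track."""
    findings: List[Finding] = []
    track_pans = set()
    for rx, kind in ((TRACK1_RE, "track1"), (TRACK2_RE, "track2")):
        for m in rx.finditer(text):
            pan = m.group(1)
            if luhn_ok(pan):
                findings.append((kind, mask(pan)))
                track_pans.add(pan)
    for m in PAN_RE.finditer(text):
        pan = re.sub(r"[ -]", "", m.group(0))
        # Length re-check guards against separator-padded runs; Luhn drops
        # invoice numbers, phone numbers and similar false positives.
        if 13 <= len(pan) <= 19 and luhn_ok(pan) and pan not in track_pans:
            findings.append(("pan", mask(pan)))
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Scan a name -> contents mapping; only files with findings are returned."""
    report = {}
    for name, text in files.items():
        hits = scan_text(text)
        if hits:
            report[name] = hits
    return report


def scan_directory(root: str) -> Dict[str, List[Finding]]:
    """Hypothetical helper: walk a real directory and scan every regular file."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            try:
                files[str(p)] = p.read_text(errors="ignore")
            except OSError:
                continue
    return scan_files(files)


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        for kind, masked in hits:
            print(f"{name}: {kind} {masked}")
```

Two points a practitioner should take from running it: the track-data hits in `swipe.dat` are the serious ones, because Track 1 and Track 2 are sensitive authentication data that PCI DSS requirement 3.2 forbids storing after authorization even in encrypted form, whereas a bare PAN only has to be rendered unreadable; and the hit in `cache.html` is the browser-temporary-file case described later in the article. A production scanner additionally has to look inside archives, database and mail-store files and non-UTF-8 encodings, which this example does not.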
Of 478 card data scans conducted during the beta test, 303, or 63.4%, uncovered unencrypted card data, SecurityMetrics says. The tests found about 18 million cards in a scan of 67.5 million files. The maximum number of cards uncovered in a single scan totaled 1.9 million.
SecurityMetrics says it’s impossible to identify the PCI status of the merchants storing unencrypted card data since the PANscan tool is available to anyone for free download and use. Merchants weren’t asked whether they were in compliance with PCI.
Many merchants are unaware that their systems are storing the unencrypted data, says Brad Caldwell, chief executive of SecurityMetrics. “One of the biggest things we hear from merchants is ‘I had no idea I had this data. I talked to my developer and he didn’t say he was storing card data,’” Caldwell says.
Temporary browser files also can leave card data on a system without the operator’s knowledge, Caldwell says. He cites a SecurityMetrics employee who found unencrypted card data on his own system when testing PANscan.
“We have somebody here who has been in PCI for a long time and he had over 600 cards on his system,” he says. “It was old data he had back from ten years ago that was still on his computer.”
The results of the beta test indicate that a large number of merchants are using payment-application software that does not conform to the Payment Application Data Security Standard (PA-DSS), which falls under the PCI umbrella, or that merchants are failing to configure their payment applications properly, SecurityMetrics says.
The test findings also indicate some merchants aren’t erasing old data when new payment applications are purchased or are failing to train their employees in proper handling and storage of card data.
Improper storage of payment card information “remains surprisingly widespread even with increasing industry emphasis on the need for compliance with PCI DSS regulations,” Caldwell says.