By Brand Barney
Despite years of warnings from the payments industry, numerous companies, large and small, still store unencrypted customer credit and debit card information. In our 2105 annual study of thousands of business networks, SecurityMetrics found 61 percent continue to store customers' 16-digit credit card numbers, known as primary account numbers (PANs). Compared with our research last year, this is a mere 2 percent decrease.
Examining data from more than 3,600 computers, we also found:
Card details can remain undetected on information technology (IT) infrastructures in many ways. For example, transaction logs sent back from banks, browser caches and email duplications can hold sensitive card data. Error logs are a common place where unencrypted card data is unintentionally stored. When an error occurs during card authentication or processing, an error log is often generated. These can contain full credit card data in plain text. Most often, unencrypted credit card data isn't properly protected simply because the business isn't aware it exists. How can you protect what you don't know you have?
Unencrypted card data can be found in various departments across an organization. Accounting departments, for instance, typically have processes for charge reversals that may involve storing unencrypted card data in files on employee workstations. Sales and customer service departments may have emailed or printed forms containing credit card numbers.
Many in the payments industry assume that once Europay, MasterCard and Visa (EMV) terminals become mandated on Oct. 1, 2015, they will solve the problem of unencrypted card data at the swipe terminal. Unfortunately, they're wrong. EMV-enabled technology will assist in reducing fraud for card-present transactions. However, while this technology is advanced, EMV-enabled payment terminals can still be used to accept transactions using a mag-stripe swipe process. Thus, an opportunity remains for misconfigured hardware and software to inadvertently capture and store full track data.
First, routine checks (to see if card data is being stored) should be as frequent as anti-virus checks. Next, realize that IT departments cannot manually locate the data themselves. Fortunately, a number of cutting-edge tools can locate unencrypted card data in a matter of minutes. Many such solutions can simplify the process of identifying and directing users to unencrypted card data.
Here are further tips on how to better secure customer credit card data:
Merchants must understand that the most secure payment method is point-to-point encryption, or P2PE. P2PE encrypts account numbers at the credit card terminal and sends the encrypted data directly to the payment processor for decryption. P2PE eliminates the risk of a breach because cardholder data is never in a merchant's system, even from the start.
Storing unencrypted payment card data remains a very real threat that you and your merchants must address now.
Brandon Barney is a Security Analyst for SecurityMetrics and holds CISSP, QSA, and HCISPP certifications. With over 10 years of compliance, data security and database management experience, Barney is responsible for auditing and consulting companies on their data security and compliance. He can be reached at email@example.com. For more details SecurityMetrics' annual study, visit http://info.securitymetrics.com/panscan-infographic-2015.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next