
The Green Sheet Online Edition

August 24, 2015 • Issue 15:08:02

Endemic lack of protection for card data in stores

By Brand Barney
SecurityMetrics

Despite years of warnings from the payments industry, numerous companies, large and small, still store unencrypted customer credit and debit card information. In our 2015 annual study of thousands of business networks, SecurityMetrics found that 61 percent continue to store customers' 16-digit credit card numbers, known as primary account numbers (PANs). That is only 2 percentage points lower than the figure from our research last year.

Examining data from more than 3,600 computers, we also found:

  • A total of 332,263,315 payment cards unencrypted
  • An average of 91,608 payment cards per computer
  • 7 percent of businesses storing full mag-stripe data, including PIN, card verification value, service code, expiration date, cardholder name, and PAN

What you don't know can hurt you

Card data can persist unnoticed in many corners of an information technology (IT) environment. Transaction logs returned by banks, browser caches and duplicated emails can all hold sensitive card data. Error logs are an especially common place where unencrypted card data is unintentionally stored: when an error occurs during card authorization or processing, the application often writes an error log entry, and that entry can contain the full card number in plain text. Most often, unencrypted card data isn't properly protected simply because the business isn't aware it exists. How can you protect what you don't know you have?

Unencrypted card data can be found in various departments across an organization. Accounting departments, for instance, typically have processes for charge reversals that may involve storing unencrypted card data in files on employee workstations. Sales and customer service departments may have emailed or printed forms containing credit card numbers.

Something else to chew on

Many in the payments industry assume that once the Europay, MasterCard and Visa (EMV) liability shift takes effect on Oct. 1, 2015, chip-enabled terminals will solve the problem of unencrypted card data at the point of sale. Unfortunately, they're wrong. EMV will help reduce counterfeit-card fraud for card-present transactions. However, EMV addresses how a card is authenticated at the terminal, not how card data is handled afterward, and EMV-enabled payment terminals can still accept transactions through a mag-stripe swipe. Thus, an opportunity remains for misconfigured hardware and software to inadvertently capture and store full track data.

What's the solution?

First, routine checks for stored card data should be as frequent as anti-virus checks. Next, realize that IT departments cannot realistically locate this data by hand across every workstation, log file and mailbox. Fortunately, a number of card data discovery tools can locate unencrypted card data in a matter of minutes. Many such solutions also simplify the follow-up by reporting exactly which file, on which system, holds the data and directing the responsible users to it.

Here are further tips on how to better secure customer credit card data:

  • Limit storage: Set limits when it comes to storage of card data; only do it when absolutely necessary.
  • Run software: Utilize card data discovery software on your computer networks and servers frequently to expose unencrypted card data and identify storage sources.
  • Patch leaks: Once storage sources are discovered, patch the leak as soon as possible.
  • Remove data: Securely remove or encrypt discovered card data.
  • Don't just delete, erase: After locating stored card data, merchants often try to remove it by emptying their computer's trash. Emptying the trash doesn't permanently delete its contents; the file's blocks remain on disk until they are reused. To actually remove the data, erase the file by overwriting it, using software built for that purpose. Note that overwriting is reliable on traditional spinning disks; on solid-state drives the controller may remap blocks, so use the drive's built-in secure-erase function or keep the data on an encrypted volume whose key can be destroyed.
  • Schedule scans: In addition to regularly scheduled internal and external vulnerability scans, run card data discovery software after any changes to your payment processes.
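The discovery step described above (find PANs and full track data in logs, spreadsheets and mailboxes, then report where they live) is what card data discovery software does internally. The following is an added example written for this article, not SecurityMetrics' tool or any product's code. It scans text lines for candidate PANs, uses the Luhn check digit to discard look-alike numbers such as order IDs, recognizes ISO 7813 track 1 and track 2 layouts of the kind a misconfigured swipe terminal can leak into a log, and masks every hit so the report itself does not become another copy of the card data. The sample log lines and the card numbers in them are constructed for the example; the card numbers are the well-known industry test numbers, not real accounts.

```python
import re
from typing import Iterable, List, NamedTuple

# Candidate PAN: 13 to 19 digits, optionally grouped with spaces or dashes,
# not adjacent to other digits (avoids matching the middle of a longer number).
PAN_RE = re.compile(r"(?<![0-9])(?:\d[ -]?){12,18}\d(?![0-9])")
# Track 2 (ISO 7813): ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Track 1 (ISO 7813): '%B' PAN '^' cardholder-name '^' YYMM service-code discretionary '?'
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six and last four digits (PCI DSS display rule), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class Finding(NamedTuple):
    line_no: int
    kind: str          # "pan", "track1" or "track2"
    masked_pan: str


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Scan text lines; report masked PANs and full track data, line by line."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        # Full track data first: it is the most serious finding, and removing it
        # from the line stops its expiry/discretionary digits being re-flagged as PANs.
        for m in TRACK1_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append(Finding(n, "track1", mask(m.group(1))))
        remaining = TRACK1_RE.sub(" ", line)
        for m in TRACK2_RE.finditer(remaining):
            if luhn_ok(m.group(1)):
                findings.append(Finding(n, "track2", mask(m.group(1))))
        remaining = TRACK2_RE.sub(" ", remaining)
        # Bare PANs: Luhn filters order numbers and timestamps; a run of one
        # repeated digit (e.g. 0000000000000000) passes Luhn but is never a real card.
        for m in PAN_RE.finditer(remaining):
            pan = re.sub(r"[ -]", "", m.group(0))
            if len(set(pan)) == 1 or not luhn_ok(pan):
                continue
            findings.append(Finding(n, "pan", mask(pan)))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Scan a text file (logs, CSV exports, saved emails) for card data."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh)


# Constructed sample lines (assumed for this example, not real data).
SAMPLE_LINES = [
    "2015-08-10 14:02:11 ERROR auth failed for card 4111 1111 1111 1111 exp 12/17: gateway timeout",
    "order_id=1234567890123456 status=shipped",
    "%B5500000000000004^DOE/JANE^2512101000000000000?;5500000000000004=251210100000000?",
    "refund note: customer amex 378282246310005, refunded 2015-08-12",
    "batch ref 0000000000000000 settled ok",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.kind} {f.masked_pan}")
```

Running it on the sample reports a PAN in the error-log line, both track 1 and track 2 for the swiped card, and the 15-digit card in the refund note, while the order number (fails Luhn) and the all-zero batch reference are ignored. In practice a discovery scan walks every file on every workstation and server and must also open Office documents, PDFs and mail stores, which is why purpose-built tools are used instead of ad hoc scripts; the matching logic they apply, however, is the same.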

Merchants must understand that the most secure way to accept card-present payments is point-to-point encryption, or P2PE. A P2PE terminal encrypts the account number at the point of capture and sends the encrypted data directly to the payment processor, which alone holds the decryption keys. Because cleartext cardholder data never enters the merchant's systems, P2PE removes the merchant's own network from the path of a card-data breach and greatly reduces PCI scope. It does not, however, cover card numbers that arrive by other routes, such as emailed or printed order forms, so the discovery and erasure steps above still apply.

Storing unencrypted payment card data remains a very real threat that you and your merchants must address now.


Brandon Barney is a Security Analyst for SecurityMetrics and holds CISSP, QSA, and HCISPP certifications. With over 10 years of compliance, data security and database management experience, Barney is responsible for auditing and consulting companies on their data security and compliance. He can be reached at brandon@securitymetrics.com. For more details on SecurityMetrics' annual study, visit http://info.securitymetrics.com/panscan-infographic-2015.
