The Green Sheet Online Edition

August 24, 2015  •  Issue 15:08:02

Endemic lack of protection for card data in stores

By Brand Barney

Despite years of warnings from the payments industry, numerous companies, large and small, still store unencrypted customer credit and debit card information. In our 2015 annual study of thousands of business networks, SecurityMetrics found 61 percent continue to store customers' 16-digit credit card numbers, known as primary account numbers (PANs). Compared with our research last year, this is a mere 2 percent decrease.

Examining data from more than 3,600 computers, we also found:

What you don't know can hurt you

Card details can remain undetected on information technology (IT) infrastructures in many ways. For example, transaction logs sent back from banks, browser caches and email duplications can hold sensitive card data. Error logs are a common place where unencrypted card data is unintentionally stored. When an error occurs during card authentication or processing, an error log is often generated. These can contain full credit card data in plain text. Most often, unencrypted credit card data isn't properly protected simply because the business isn't aware it exists. How can you protect what you don't know you have?

Unencrypted card data can be found in various departments across an organization. Accounting departments, for instance, typically have processes for charge reversals that may involve storing unencrypted card data in files on employee workstations. Sales and customer service departments may have emailed or printed forms containing credit card numbers.

Something else to chew on

Many in the payments industry assume that once Europay, MasterCard and Visa (EMV) terminals become mandated on Oct. 1, 2015, they will solve the problem of unencrypted card data at the swipe terminal. Unfortunately, they're wrong. EMV-enabled technology will assist in reducing fraud for card-present transactions. However, while this technology is advanced, EMV-enabled payment terminals can still be used to accept transactions using a mag-stripe swipe process. Thus, an opportunity remains for misconfigured hardware and software to inadvertently capture and store full track data.

What's the solution?

First, routine checks (to see if card data is being stored) should be as frequent as anti-virus checks. Next, realize that IT departments cannot manually locate the data themselves. Fortunately, a number of cutting-edge tools can locate unencrypted card data in a matter of minutes. Many such solutions can simplify the process of identifying and directing users to unencrypted card data.
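The kind of automated discovery check described above, and the places the article says card data hides (error logs, browser caches, emailed forms, raw swipe data captured by a misconfigured terminal), can be illustrated with a small scanner. The following is an added example written for this article, not SecurityMetrics' product or any other vendor's tool: it finds candidate PANs in text with a Luhn check plus public issuer-prefix ranges, recognises raw track 1 and track 2 data, and reports findings with the PAN masked. The brand ranges are approximate, the file-walking helper is a convenience, and the log lines at the bottom are constructed.

```python
"""Added example: discovery scanner for unencrypted card data in text files.
Illustrative code, not the article's or SecurityMetrics' tool. Brand prefix
ranges are approximate public IIN conventions; SAMPLE_LOG is constructed."""
import re
from dataclasses import dataclass
from pathlib import Path

# A run of 13 or more digits, optionally separated by single spaces or dashes.
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,}\d(?!\d)")
# Raw magnetic-stripe formats a misconfigured terminal or POS application
# might write to a debug log: track 1 begins "%B", track 2 begins ";".
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}[^?]*\?")
TRACK2 = re.compile(r";(\d{13,19})=\d{4}[^?]*\?")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that every card brand applies to its PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_brand(digits: str) -> bool:
    """Approximate issuer-prefix and length rules for the major brands;
    cuts Luhn's roughly one-in-ten hit rate on random digit strings."""
    n, p2, p4 = len(digits), int(digits[:2]), int(digits[:4])
    if digits[0] == "4":                                  # Visa
        return n in (13, 16, 19)
    if 51 <= p2 <= 55 or 2221 <= p4 <= 2720:              # Mastercard
        return n == 16
    if p2 in (34, 37):                                    # American Express
        return n == 15
    if p4 == 6011 or p2 == 65:                            # Discover
        return n in (16, 19)
    return False


def mask(pan: str) -> str:
    """Keep first six and last four so findings can be triaged without
    writing the full PAN into yet another file."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pans_in_run(run: str) -> list[str]:
    """Slide 19..13-digit windows over a digit run and keep the longest
    non-overlapping plausible PANs, so a PAN glued to a timestamp is found."""
    digits = re.sub(r"[ -]", "", run)
    taken, found = [], []
    for length in range(19, 12, -1):
        for start in range(len(digits) - length + 1):
            end = start + length
            if any(s < end and start < e for s, e in taken):
                continue
            window = digits[start:end]
            if plausible_brand(window) and luhn_valid(window):
                taken.append((start, end))
                found.append(window)
    return found


@dataclass
class Finding:
    source: str
    line_no: int
    kind: str        # "track1", "track2" or "pan"
    masked_pan: str


def scan_text(source: str, text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in (("track1", TRACK1), ("track2", TRACK2)):
            for m in pattern.finditer(line):
                findings.append(Finding(source, line_no, kind, mask(m.group(1))))
            # blank the track so its PAN is not reported a second time below
            line = pattern.sub(lambda m: " " * len(m.group()), line)
        for m in DIGIT_RUN.finditer(line):
            for pan in pans_in_run(m.group()):
                findings.append(Finding(source, line_no, "pan", mask(pan)))
    return findings


def scan_paths(paths: list[Path]) -> list[Finding]:
    """Scan files and directory trees (e.g. log folders, mail exports)."""
    findings = []
    for p in paths:
        for f in ([p] if p.is_file() else p.rglob("*")):
            if f.is_file():
                findings.extend(scan_text(str(f), f.read_text(errors="ignore")))
    return findings


# Constructed sample: an error log, a debug swipe dump, a refund form, noise.
SAMPLE_LOG = """\
2015-08-24 12:00:01 ERROR auth failed for card 4111-1111-1111-1111 exp 12/25
2015-08-24 12:00:02 DEBUG raw swipe ;5500000000000004=25121011234567?
2015-08-24 12:00:03 INFO order 1234567890123456 shipped
2015-08-24 12:00:04 INFO refund form: Card number 3782 822463 10005
2015-08-24 12:00:05 WARN ref 4111111111111112 rejected
20150824 4111111111111111
2015-08-24 12:00:06 DEBUG track1 %B378282246310005^DOE/JOHN^2512101?
"""

if __name__ == "__main__":
    for f in scan_text("sample.log", SAMPLE_LOG):
        print(f"{f.source}:{f.line_no}: {f.kind} {f.masked_pan}")
```

Run against the constructed log it reports five findings: the PAN in the error line, the track 2 swipe, the Amex number in the emailed form, the PAN glued to a timestamp, and the track 1 record; the shipped order number and the mistyped reference fail the brand or Luhn checks. Real discovery tools add context scoring and scan process memory and databases as well as files, but the checks shown here are the core of how they work, and the point in the article stands: a scan like this belongs on the same schedule as anti-virus checks.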

Here are further tips on how to better secure customer credit card data:

Merchants must understand that the most secure payment method is point-to-point encryption, or P2PE. P2PE encrypts account numbers at the credit card terminal and sends the encrypted data directly to the payment processor for decryption. P2PE eliminates the risk of a breach because cardholder data is never in a merchant's system, even from the start. 

Storing unencrypted payment card data remains a very real threat that you and your merchants must address now.

Brandon Barney is a Security Analyst for SecurityMetrics and holds CISSP, QSA, and HCISPP certifications. With over 10 years of compliance, data security and database management experience, Barney is responsible for auditing and consulting companies on their data security and compliance. He can be reached at For more details on SecurityMetrics' annual study, visit
