Six Out of 10 Merchants Store Unencrypted Payment Card Data

PANscan's 2015 study finds 330 million payment cards…and counting

Mar 24, 2015, 10:00 ET from SecurityMetrics

OREM, Utah, March 24, 2015 /PRNewswire/ -- Businesses continue to struggle with the prohibited storage of unencrypted customer payment data. In its fourth study on unencrypted card data, SecurityMetrics' patented card discovery tool PANscan® found that 61% of businesses store the unencrypted 16-digit sequence on the front of credit cards, also known as the Primary Account Number (PAN).

In the recently released Payment Card Industry Data Security Standard 3.0 (PCI DSS), merchants are instructed that, "Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection" in PCI DSS Requirement 3.

However, in just five years PANscan has found more than 1.2 billion unencrypted card numbers on business networks.

"Unencrypted storage continues to be an issue among merchants, even with new technologies like EMV," said Gary Glover, Director of Security Assessment at SecurityMetrics. "EMV-enabled payment terminals can still be used to make a payment transaction using an optional mag stripe swipe process, which means there's still an opportunity for misconfigured software to inadvertently capture and store full track data."

The study revealed that PANscan scanned 204,332 GB of data on 3,627 computers and found:

  • A total of 332,263,315 unencrypted payment cards
  • 61% of businesses store unencrypted PAN data, a decrease of 2% since 2014's study
  • 7% of businesses store full magnetic stripe data, including PIN, CVV, service code, expiration date, cardholder name, and PAN
  • An average of 91,608 payment cards per computer

"I expect the trend of unencrypted card data storage to steadily but slowly decline each year," said Glover. "The sooner businesses implement point-of-sale encryption technology like P2PE (encrypt at swipe), the sooner stored unencrypted data will become a thing of the past."

Card data discovery tools like PANscan simplify the process of identifying and directing users to unencrypted card data. View the infographic ( to learn more about the study, or contact a SecurityMetrics representative at or 801.705.5665 to learn more about PANscan.

About SecurityMetrics (
SecurityMetrics protects electronic commerce and payments leaders, global acquirers, and their retail customers from security breaches and data theft. The company is a leading provider and innovator in merchant data security, and as an Approved Scanning Vendor and Qualified Security Assessor, has tested over 1 million payment systems for data security and compliance. Among other things, SecurityMetrics offers PCI level 4 compliance programs, PCI audits, mobile device vulnerability scanning, penetration testing, and forensic analysis. Founded in October 2000, SecurityMetrics is a privately held company headquartered in Orem, Utah, USA.

Logo -


SOURCE SecurityMetrics