61% of Merchants Still Store Unencrypted Payment Card Data

PANscan's 2016 study finds over 200 million payment cards . . . and it's not getting much better

Feb 09, 2016, 08:07 ET from SecurityMetrics

OREM, Utah, Feb. 9, 2016 /PRNewswire/ -- Businesses continue to struggle with the prohibited storage of unencrypted customer payment data. In its fifth study on unencrypted card data, SecurityMetrics' patented card discovery tool PANscan® found that 61% of businesses store the unencrypted 16-digit sequence on the front of credit cards, also known as the Primary Account Number (PAN).

In Requirement 3 of the Payment Card Industry Data Security Standard (PCI DSS) 3.0, merchants are instructed that "Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection."

And yet in six years, PANscan has found more than 1.4 billion unencrypted card numbers on business networks. Fortunately, in the past few years, the number of merchants storing unencrypted card data has gone down from 63% to 61%.

The study revealed that PANscan scanned 276,584 GB of data on 4,703 computers and found:

  • A total of 213,930,199 unencrypted payment cards
  • 61% of businesses store unencrypted PAN data, the same percentage as 2015's study
  • 10% of businesses store full magnetic stripe data, including PIN, CVV, service code, expiration date, cardholder name, and PAN
  • An average of 45,488 payment cards per computer

"The trend is encouraging in general, but there is still a long way to go," said Bill Davis, Director of Product Management at SecurityMetrics. "It surprises me that track data continues to be a problem. That's the Holy Grail for hackers."

Card data discovery tools like PANscan simplify the process of identifying unencrypted card data and directing users to it. View the infographic (http://info.securitymetrics.com/whats-causing-you-to-store-unencrypted-payment-cards) to learn more about the study, or contact a SecurityMetrics representative at compliance@securitymetrics.com or 801.705.5665 to learn more about PANscan.

About SecurityMetrics (www.securitymetrics.com)
SecurityMetrics protects electronic commerce and payments leaders, global acquirers, and their retail customers from security breaches and data theft. The company is a leading provider and innovator in merchant data security, and as an Approved Scanning Vendor and Qualified Security Assessor, has tested over 1 million payment systems for data security and compliance. Among other things, SecurityMetrics offers PCI level 4 compliance programs, PCI audits, mobile device vulnerability scanning, penetration testing, and forensic analysis. Founded in October 2000, SecurityMetrics is a privately held company headquartered in Orem, Utah, USA.

If you have any questions, contact us at pr@securitymetrics.com.


SOURCE SecurityMetrics