63% of businesses don't encrypt credit cards

PANscan® finds that lack of payment card security continues to plague business world

Jul 16, 2014, 11:18 ET from SecurityMetrics

OREM, Utah, July 16, 2014 /PRNewswire/ -- In its third study on unencrypted card data, SecurityMetrics' 5-year-old patented card discovery tool PANscan® found that 63.86% of businesses store the unencrypted 16-digit sequence on the front of credit cards, also known as the Primary Account Number (PAN). SecurityMetrics also found 7% of businesses store the magnetic stripe data on the back of credit cards.

"Because of its value on the black market, unencrypted card data, is essentially just a $50 bill lying on the sidewalk, waiting for a hacker to pick it up," said SecurityMetrics Director of Forensic Investigations, David Ellis. "Unencrypted card data is the 'low hanging fruit' that is ripe for easy picking, and it's what attackers first look for when they hack a business."

During its 2014 study, PANscan scanned 145,144 gigs of data on 2,590 computers and found:

  • A total of 87,206,203 unencrypted payment cards
  • 63.86% of businesses store unencrypted PAN data
  • 7.37% of businesses store full magnetic stripe data, including PIN, CVV, service code, expiration date, cardholder name, and PAN

Since its introduction, PANscan has found more than 780 million unencrypted card numbers on business networks. That's more than 2.5 cards for every one person in the United States.

"Unencrypted card data can easily occur at both small and large retail locations," said Gary Glover, Director of Security Assessment. "It may accidentally be saved on point of sale terminals, office workstations, hard drives, etc. due to misconfigured software, improper file removal, or restored backups."

Card data discovery tools like PANscan simplify the process of identifying and directing users to unencrypted card data. View the infographic (http://info.securitymetrics.com/panscan-infographic) to learn more about PANscan, or contact a SecurityMetrics representative at compliance@securitymetrics.com or 801.705.5665.

About SecurityMetrics (www.securitymetrics.com)
SecurityMetrics protects electronic commerce and payments leaders, global acquirers, and their retail customers from security breaches and data theft. The company is a leading provider and innovator in merchant data security, and as an Approved Scanning Vendor and Qualified Security Assessor, has helped over 1 million organizations manage PCI DSS compliance and/or secure their network infrastructure, data communication, and other information assets. Among other things, SecurityMetrics offers PCI level 4 compliance programs, PCI audits, mobile device vulnerability scanning, penetration testing, and forensic analysis. Founded in October 2000, SecurityMetrics is a privately held company headquartered in Orem, Utah, USA.

Logo - http://photos.prnewswire.com/prnh/20140225/SF71790LOGO

SOURCE SecurityMetrics