63% of Merchant Networks Contain Unencrypted Payment Card Data in Violation of PCI: SecurityMetrics

Detected by Company's Free New PANscan Tool for Merchants

Mar 23, 2011, 11:13 ET from SecurityMetrics, Inc.

SALT LAKE CITY, March 23, 2011 /PRNewswire/ -- Nearly two-thirds of merchant computer systems store unencrypted payment card data in violation of the Payment Card Industry Data Security Standard (PCI DSS), according to scans of more than 475 merchant networks of all sizes by SecurityMetrics. This readable card data leaves merchants liable to fines and other penalties in case of card data compromise.

The presence of prohibited card information in 63% of merchant systems was discovered in beta testing of SecurityMetrics' just-released PANscan  product, a free patent-pending software tool that searches for unencrypted Track 1, Track 2 and Primary Account Number (PAN) data on merchant machines to support PCI DSS compliance efforts.

The test findings indicate a large number of merchants use payment application software that does not conform to the Payment Application Data Security Standard (PA-DSS), fail to configure their payment applications properly, neglect to erase old data when new payment applications are purchased, and/or fail to train their employees in proper handling and storage of card data.

"Improper storage of payment card information puts cardholder data at risk. Our testing suggests that the problem remains surprisingly widespread even with increasing industry emphasis on the need for compliance with PCI DSS regulations," said SecurityMetrics CEO Brad Caldwell. "Proactively looking for unprotected data with a tool like PANscan can help close this security gap and potentially thwart future theft incidents."

Based on proprietary SecurityMetrics forensics technology, the PANscan software is designed for use by any merchant regardless of technical expertise. It:

  • Searches for unencrypted cardholder data on local hard drives, optical drives, network servers and external storage devices, including archive files such as .zip and .gz files where backup information is often stored.
  • Triple-checks results to ensure accuracy, virtually eliminating the false positives common with other scanning products and the associated time required to research and resolve these errors.
  • Runs 10 times faster than a normal disk scan, while also minimizing resource use to avoid interference with everyday business operations.
  • Reports summary results immediately in a popup window when the scan is completed, indicating whether or not the system contains prohibited card data.
  • Allows scans to be performed as frequently as desired on any number of merchant machines.

Merchants enrolled in SecurityMetrics' Site Certification Services receive additional services including no-cost telephone or email support, false positive reconciliation, automatic reporting to their acquirer, and remediation support if violations are uncovered.

Merchants can download PANscan free of charge at https://www.securitymetrics.com/sm/PANscan/.

About SecurityMetrics

SecurityMetrics, Inc. is a leading provider of Payment Card Industry (PCI) Data Security Standard (DSS) security solutions, including the most successful mass-merchant compliance model in the industry. The company is certified to perform PCI Scans (ASV), PCI audits (QSA), Payment Application Data Security Standards audits (PA-QSA), penetration tests and forensic incident response assessments (QIRA). SecurityMetrics also offers a security appliance that includes vulnerability assessment, intrusion detection and intrusion prevention capabilities. SecurityMetrics is a privately held corporation headquartered in Orem, Utah. For more information, contact SecurityMetrics at (801) 724-9600 or visit http://www.securitymetrics.com.

SOURCE SecurityMetrics, Inc.