The lifecycle of customer payment data often includes hidden liability.

David Ellis, Director of Forensic Investigations
By: David Ellis
Payment card information is often found by criminals because it is electronically ‘laying around’ in unprotected form. According to 2015 data, 61% of merchants store unencrypted card numbers, an action in total contradiction with the Payment Card Industry Data Security Standard (PCI DSS).

card data discovery, unencrypted payment data
The question you must consider is: Do you have unprotected credit card data on your point-of-sale or back office systems? While there are numerous methods that hackers use to try to capture your customer credit card data, today’s post will focus on how you can reduce your liability by learning about the hazards of ‘unintended’ credit card storage.

It’s a rule to discover your data

First, the PCI Security Standards Council has clarified that credit card data discovery methodologies should be used at least annually. If hackers find and steal unencrypted credit card data via your weakly guarded network, your business is considered breached. Businesses that store unencrypted card data, knowingly or not, are liable for PCI noncompliance fines and other significant data compromise penalties.




How to know if you store unencrypted credit card data

To conquer data exposure is to know for sure where card data is being used and if/how it’s being stored. Most business owners don’t realize payment card data can potentially be deposited on systems that may not be directly involved in POS transactions.

SEE ALSO: 63% of businesses don't encrypt credit cards

Data may be unintentionally hiding here:

  • Error logs are one of the most common places unencrypted credit card data is unintentionally stored. When an error occurs during card authentication or processing, an error log is often generated—and these logs frequently contain the full credit card data in plain text.
  • Accounting departments typically have processes for balancing books, processing refunds, and charge reversals that may store unencrypted credit card data in files on employee workstations, files stored on shared network file servers, or as printed media.
  • Sales departments may have emailed or printed forms containing credit card numbers.
  • Marketing departments may have databases containing transaction data used for market research.
  • Customer service representatives may take credit card numbers over the phone or view full card numbers, so watch for handwritten or printed card data.
  • Administrative assistants may create a spreadsheet that contains a company or executive’s credit card number for quick access when making payments.

To discover where your data lies, you should diagram your company’s unique credit card data flow. This is done through interviewing process owners, web developers, your sales force, and all others with access to customer credit card data, then documenting each place credit card data touches.

Let a payment card discovery tool help you search


When you’ve finished documenting your credit card process flow, run a card data discovery scan to electronically test if credit card data is hiding on your systems. A good card data discovery tool will search your systems in places you didn’t even think to look. Credit card data discovery tools identify card data in its various forms and alert you to the storage locations.
payment card discovery tool, PANscan
Once you find unsecured card data, you must then securely remove it with a secure removal tool. (Here’s a hint: don’t just use the delete key—“deleted” credit card data can still be recovered.) Don’t forget to also patch the problem at the source to avoid further storage.

How to keep unencrypted payment card data off your systems

Remember that when cybercriminals hack a payment system, they cannot steal payment data that isn’t there. That’s why it’s important to keep your system clean of stored card data. Unencrypted credit card data has a way of creeping up again where you don’t expect it to be. (Again, we are strictly talking about stored card data in this post. Attack methods will be discussed in subsequent posts).


Assign the responsibility of keeping unencrypted card data off your systems to an individual or team. Have this person define and follow a process of periodic data discovery cycles to recheck systems and make sure they remain free of unprotected card information.

Most importantly, conduct regular scans of your systems using a data search tool to catch any loose ends. Remember that data discovery is an on-going process and should be repeated at least quarterly for best results.

If you liked this post, please share!

David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience. Check out his other blog posts.