A look inside the widespread storage of payment card data.

Gary Glover, Director of Security Assessment
By: Gary Glover
This article was also featured in the 2014 HITEC Special Report

I have a few major concerns for payment security at the hospitality level, such as remote access vulnerabilities and wireless insecurity, but nothing compares to the anxiety I feel about the widespread storage of unencrypted payment card data.

Unencrypted payment card data is the information on a credit/debit card (16-digit account number, service code, cardholder expiration date, etc.) that criminals use to fraudulently duplicate customer payment cards.

SEE ALSO: PCI DSS Requirement 3: What You Need to be Compliant

The Danger of Storing Unencrypted Cards infographic
According to 2015 PANscan® data, 61% of businesses store unencrypted payment card data, which is 100% against the Payment Card Industry Data Security Standard (PCI DSS). In addition to finance and retail, hospitality is one of the top three industries hackers target for unencrypted card data.

If hackers manage to compromise a network, they look for something easy to steal. Because it exists in an unprotected state, unencrypted payment card data is relatively simple for a hacker to detect, scoop up, and steal.

SEE ALSO: The Do’s and Don'ts of Storing Card Data

Even with its short history, card discovery has come a long way

Whether because of recent PCI DSS emphasis, or because of recent high-profile compromises, more organizations are concerned with payment security. The current trend, and most effective way to identify this dangerous unencrypted information is to use a card discovery tool. Depending on the vendor, these inexpensive (sometimes free) software tools alert users on the location of discovered card data so it can be securely deleted. Many tools are advanced enough to look through improperly deleted files and restored computer backups.

The life of payment card discovery software began with command-line interface, only accessible by those who knew regular expression search notation (like a search formula). Used by forensic investigators and security hobbyists, it wasn’t until recently that this type of data search software got a user-friendly face-lift and really took off.

Over the past few years, this software has evolved to scan quicker, find cards easier, and diminish system overload. For example, some card tools like PANscan use delimiter scanning to exclude 16-digit strings with special or alpha characters, which enables scans to run faster.

One limitation of card data software is that its reach does not extend to physical card data storage. I know many hotels scan, print, and keep customer credit cards in big binders in the office for easy and recurring room reservations. Even though it’s not electronic, storing cards in this manner is still very much against the PCI DSS, if not properly secured or masked.

Storing accidentally vs. storing on purpose

If I could give a short-term goal to the hospitality industry, it would be to find and securely delete the improperly secured card data residing in back-office spreadsheets, property management, and point of sale (POS) systems.
Unlike encrypted data that is saved on purpose for charge reversals or recurring payments, some property management and POS systems accidentally store unencrypted data due to hardware/software misconfiguration.

I conducted a resort audit recently and found 1.2 million (that’s right, million) records of unencrypted card data. The resort managers were shocked at the liability those 1.2 million cards represented.
Usually, large amounts of stored numbers occur because of errors in hardware or software set up.

Spreadsheets filled with card numbers are also prohibited, but more easily addressable. While property management or POS software often requires complex configuration changes, purposeful storage of data in spreadsheets or text files merely requires a new process and employee training. I regularly find thousands of unencrypted credit cards in spreadsheets in the accounting and guest/owner services departments. Even though thousands of cards are at risk, all management has to do is securely delete the spreadsheet and conduct employee training to ensure it doesn’t occur again.

SEE ALSO: Is Your Credit Card Data Leaking?

Future elimination of stored, unencrypted card data

The trend of unencrypted card data is extremely similar to other security issues I see in hospitality. Whether it’s default passwords, remote access vulnerabilities, wireless insecurity, or unencrypted card data, people are simply unaware of simple security blunders that considerably increase business liability.

In most cases, owners and managers don’t blatantly ignore security requirements. They just don’t know about them, and their software or IT teams are so busy supporting normal business functions that they also fail to catch problems.

Ultimately, a lack of simple security understanding is a key reason unencrypted card data remains so pervasive. Down the road, I hope to see card data discovery tools used in everyday business security.

The upcoming EMV mandate required by Visa and MasterCard requires all businesses to implement EMV-enabled payment solutions. Although EMV will help reduce other security-related issues, it is not designed to alleviate unencrypted card storage issues. EMV systems still need access to the unencrypted credit card data during the dip or swipe process, which means there is an opportunity for misconfigured software to inadvertently capture and store unprotected data.

However, once businesses begin implementing Point-to-Point Encryption (P2PE) card processing solutions, we should see a dramatic reduction in unencrypted card data. P2PE encrypts card information immediately upon a customer’s swipe or dip, so there is no chance of stored, unencrypted data. Unfortunately, P2PE does nothing for storage of unencrypted data outside of the payment environment (e.g., spreadsheets created in the back office.)

I don’t believe unencrypted card data will ever go away completely, but hope to find fewer instances in the hospitality industry in the future.

Watch this webinar for more tips on how to avoid an attack on business data:

Was this post informative? If so, please share!

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.