PANscan Annual Study 2015

Annual report shows customer payment card data still not protected.

Businesses continue to struggle with their unencrypted storage of customer credit and debit cards. In SecurityMetrics’ fourth annual study, card discovery tool PANscan® found that 61% of businesses store customers’ 16-digit credit card numbers, also known as the Primary Account Number (PAN).

Compared to last year’s study on unencrypted payment card data, that’s only a 2% decrease. When considering the great abundance of hacks and business blunders publicized in 2014-2015, the fact that 61% still store unencrypted payment data is surprising.

In addition to regular business data compromise news stories, a new version of the Payment Card Industry Data Security Standard (PCI DSS 3.1) was officially released in 2015. It’s obvious in both old and new versions that storing unencrypted card data is completely against the PCI DSS.

Apparently this problem is so pervasive that the PCI Council released a white paper explaining basic PCI data storage do’s and don’ts.

Why do businesses struggle with unencrypted payment storage?

Even with new technologies, new emphasis on security, and new mandates, businesses still struggle with the storage of unencrypted card data. Why?

Let’s revisit the stats.

PANscan found an average of 91,608 payment cards per computer. Could the average business really be storing almost 100k credit cards by accident? Absolutely.
Payment card data can easily leak due to poor processes or misconfigured software.
For example, error logs are one of the most common places unencrypted credit card data is unintentionally stored. When an error occurs during card authentication or processing, an error log is often generated. These logs can contain the full credit card data in plain text.

But unencrypted card data is also found in various departments across an organization. Accounting departments typically have processes for charge reversals that may store unencrypted credit card data in files on employee workstations. Sales departments may have emailed or printed forms containing credit card numbers. Administrative assistants may create a spreadsheet that contains a company or executive’s credit card number for quick access when making payments.

Get the picture?

EMV won’t stop this trend

Many in the payments industry assume that once EMV terminals become mandated on October 1, 2015, they will solve the problem of unencrypted card data.

Unfortunately, they’re wrong.

EMV-enabled payment terminals can still be used to make a payment transaction using an optional mag stripe swipe process, which means there's still an opportunity for misconfigured software to inadvertently capture and store full track data.

The sooner businesses implement point-of-sale encryption technology that encrypts at swipe (like P2PE technology), the sooner stored unencrypted data will become a thing of the past. Read more about P2PE trends in 2015.

How to find unencrypted card data

It’s very unlikely a manual process conducted by a human could locate all unencrypted data on a business network. It would take too much time and manpower.

Luckily, there are card data discovery tools that locate unencrypted card data in minutes.

In just five years, PANscan has found more than 1.2 billion unencrypted card numbers on business networks. Card data discovery tools like PANscan simplify the process of identifying and directing users to unencrypted card data. Download a free trial of PANscan.
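To make the two points above concrete, the error-log leak described earlier and what a card data discovery tool actually does, here is a small PAN scanner added as an illustration. It is not PANscan or any SecurityMetrics code; it assumes the common discovery approach of a digit-run regular expression followed by a Luhn checksum to weed out timestamps, order numbers and other 13 to 19 digit values that merely look like card numbers. The log lines, file name and field names are constructed for the example.

```python
import re
import sys
from typing import List, NamedTuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run (so a 20-digit ID is skipped).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class Finding(NamedTuple):
    source: str    # file or stream the hit came from
    line_no: int   # 1-based line number within that source
    masked: str    # PAN with middle digits replaced, never the full number
    length: int    # digit count of the matched PAN


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn (mod 10) checksum.

    Real card numbers pass this check; most incidental digit runs do not,
    which is what keeps a discovery scan from drowning in false positives.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS masking rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(source: str, text: str) -> List[Finding]:
    """Scan text line by line and report Luhn-valid PANs, masked."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append(Finding(source, line_no, mask_pan(digits), len(digits)))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Scan one file on disk; undecodable bytes are ignored rather than fatal."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        return scan_text(path, fh.read())


# Constructed sample: a gateway error log that dumped the request on timeout.
# Lines 1 and 4 carry 13/16-digit values that fail Luhn (a timestamp and an
# order id); lines 2 and 3 carry the standard Visa and Mastercard test PANs.
SAMPLE_LOG = """\
2015-06-01 12:00:01 INFO  auth request id=1700000000000 amount=19.99
2015-06-01 12:00:02 ERROR gateway timeout; request dump: pan=4111111111111111 exp=1219 cvv=***
2015-06-01 12:00:03 ERROR retry failed for card 5555-5555-5555-4444 (decline code 05)
2015-06-01 12:00:04 INFO  order 1234567890123456 shipped
"""


def demo() -> List[Finding]:
    """Run the scanner over the constructed log and return what it found."""
    return scan_text("gateway-error.log", SAMPLE_LOG)


if __name__ == "__main__":
    # With file arguments, scan those files; otherwise scan the sample log.
    hits = [f for p in sys.argv[1:] for f in scan_file(p)] if len(sys.argv) > 1 else demo()
    for hit in hits:
        print(f"{hit.source}:{hit.line_no}: {hit.masked} ({hit.length} digits)")
```

The scanner only ever prints masked values, so the report itself does not become another place where full PANs are stored; a real discovery run would also need to walk the whole filesystem, open spreadsheets and mail stores rather than plain text only, and look for track data as well as bare PANs.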

Download The Danger of Storing Card Data infographic.