Card data…it’s hiding on your network.

By: Wenlock Free (SecurityMetrics) and Stephen W. Orfei (PCI Security Standards Council)
This article was originally featured as an Electronic Transactions Association guest blog.

How many news stories have you seen in the past 12 months about major brands in the retail, hospitality, and entertainment industries losing their payment card data? Chances are it’s more than you can count on both hands.

It’s also true that almost any company, including yours, could be in that same situation in the next 12 months. According to a PricewaterhouseCoopers study, 42.8 million cyber attacks are expected this year. Even an average hacker can find credit card data in unexpected and unprotected places.

Research shows that basic security measures protect you against the overwhelming majority of attacks (the authors put it at 99.9 percent of the time). The PCI Data Security Standard (PCI DSS) covers these basics and much more. It was developed by industry experts and has stood the test of time. Unfortunately, according to Fortinet, 1 in 5 small and medium business retailers are not PCI DSS compliant.

One key part of the standard that many merchants fail is PCI DSS Requirement 3, which demands that merchants “render [primary account number data] unreadable anywhere it is stored.”

Unintentional hidden credit card information

Many businesses that believe they store only encrypted card data are unaware of how often copies are left in unencrypted form. According to 2015 data from SecurityMetrics, 61 percent of businesses store unencrypted payment card data and 7 percent store track data. Both violate the standard: a stored primary account number (PAN) must be rendered unreadable, and full track data from the magnetic stripe or chip must never be retained after authorization, not even in encrypted form.
For those who don’t think they have sensitive data on their network, it is often a surprise to learn how payment card data leaks into a system.
SEE ALSO: Unencrypted Card Data: A Security Plague

Let’s walk through a simple checklist of the common hidden credit card data storage places in your network.
  • Error logs are one of the most common places unencrypted credit card data is unintentionally stored. When an error occurs during card authorization or processing, an error log is often generated, and these logs frequently contain the full card number in plain text because the handler dumps the entire request or transaction record into the log.
  • Accounting departments typically have processes for balancing books, processing refunds, and reversing charges that store unencrypted credit card data in files on employee workstations, on shared network file servers, or on paper.
  • Sales departments may have emailed or printed forms containing credit card numbers.
  • Marketing departments may have databases containing transaction data used for market research.
  • Customer service representatives may take credit card numbers over the phone or view full card numbers, so watch for handwritten or printed card data.
  • Administrative assistants may create a spreadsheet that contains a company or executive’s credit card number for quick access when making payments.
After locating stored card data, merchants often try to delete it by emptying the computer’s trash or recycle bin. Unfortunately, emptying the trash only removes the directory entry; the file’s contents stay on disk until something else overwrites them and are easily recovered. To delete the data properly, securely erase the file with a tool that overwrites it in place (a single pass is sufficient on magnetic disks under NIST SP 800-88). On SSDs and other flash media, overwriting a file is unreliable because the drive controller remaps blocks, so use the drive’s built-in secure-erase function or keep such data only on encrypted volumes whose keys can be destroyed. Check backups, copies and log rotation archives for the same data.
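The error-log leak in the first item of the checklist is usually an exception handler that dumps the whole request into the log. The Python example below, added here and not part of the original article, shows that mistake beside a fix that masks card numbers in the log formatter so nothing unmasked reaches disk. The request payload, logger names and the test card number 4111 1111 1111 1111 are constructed for the example.

```python
import logging
import re
from io import StringIO

# Any run of 13-19 digits, optionally separated by spaces or dashes.  A log
# redactor should over-mask: masking an order number costs nothing, while a PAN
# in a log is a breach, so no Luhn check is applied at this layer.
PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def redact(text: str) -> str:
    """Replace each candidate PAN with first six / last four digits, the most
    PCI DSS Requirement 3.3 allows to be displayed, so text can be logged."""
    def keep_6_4(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return PAN_RE.sub(keep_6_4, text)


class RedactingFormatter(logging.Formatter):
    """Redacts after formatting, so %-arguments, repr()'d payloads and the
    traceback appended by logger.exception() are all covered."""
    def format(self, record):
        return redact(super().format(record))


def log_declined_authorization(redacting: bool) -> str:
    """Log a constructed failed-authorization event the way a typical payment
    handler does and return what reached the log.  redacting=False is the
    'before' picture; redacting=True installs the masking formatter."""
    stream = StringIO()
    logger = logging.getLogger("payments.safe" if redacting else "payments.unsafe")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.ERROR)
    handler = logging.StreamHandler(stream)
    formatter_cls = RedactingFormatter if redacting else logging.Formatter
    handler.setFormatter(formatter_cls("%(levelname)s %(name)s %(message)s"))
    logger.addHandler(handler)

    # Constructed request payload (industry test card number); a real handler
    # holds exactly the same kind of object when the gateway call fails.
    request = {"pan": "4111 1111 1111 1111", "exp": "12/27", "amount": "19.99"}
    try:
        raise ConnectionError("gateway timeout")
    except ConnectionError:
        # The common mistake: writing the whole request into the error log.
        logger.exception("authorization failed for request %r", request)
    return stream.getvalue()


if __name__ == "__main__":
    print(log_declined_authorization(False))
    print(log_declined_authorization(True))
```

Putting the redaction in the formatter rather than at each call site means a developer who later adds another `logger.exception(...)` cannot reintroduce the leak through that handler. It does not help with logs written by the payment gateway library itself or by a web server access log, so those handlers need the same formatter or must be configured not to log request bodies.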

The sad truth is that if a merchant is storing unencrypted payment card data at the time of a breach, knowingly or not, he or she can face hefty fines and lose the confidence of customers.

SEE ALSO: Is Your Credit Card Data Leaking?

When people vigilantly apply the security controls in the PCI DSS to their business, they make an attacker’s job harder. An organization that holds no hidden credit card information has none to steal, and attackers are forced to move on to easier pickings.


Protect yourself against unencrypted credit card data storage

The first step to protecting card data is knowing where it is. A great starting point is a dataflow diagram showing every location and flow of cardholder data across your systems and networks (PCI DSS Requirement 1.1.3 requires that this diagram exist and be kept current), which makes it easy to identify which systems require protection.

There are also user-friendly software tools, such as SecurityMetrics PANscan®, that search your systems for stored cardholder data. After running such a tool you can take the steps necessary to become PCI DSS compliant by removing, or where it is genuinely needed, encrypting, the unencrypted payment card data on your network. Remember: if you don’t need it, don’t store it.
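To make concrete what a cardholder-data discovery tool does, the following Python script is an added example; it is not SecurityMetrics PANscan or any other product’s code. It walks a directory tree, flags Luhn-valid runs of 13 to 19 digits and magnetic-stripe track-2 records, and reports each hit truncated to the first six and last four digits so that the report is not itself another copy of the data. The sample files, paths and card numbers are constructed test data mirroring the hiding places listed above.

```python
import os
import re
import tempfile
from pathlib import Path

# Digit runs of 13-19 digits, optionally broken up by spaces or dashes, the way
# card numbers appear in logs, CSV exports and e-mails.  Bytes regex so binary
# files can be scanned without decoding.
PAN_RE = re.compile(rb"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")
# Track 2 as read from a magnetic stripe: ";PAN=YYMM<service code><discretionary>?".
# Full track data must never be stored after authorization (PCI DSS Requirement 3.2).
TRACK2_RE = re.compile(rb";([0-9]{13,19})=([0-9]{4})[0-9]*\?")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out order numbers, timestamps and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six / last four (PCI DSS 3.3) so the findings report holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_bytes(data: bytes) -> list:
    """Return (kind, masked_pan, line_no) for every Luhn-valid PAN or track-2 record."""
    findings = []
    for line_no, line in enumerate(data.splitlines(), 1):
        track_spans = []
        for m in TRACK2_RE.finditer(line):
            pan = m.group(1).decode()
            if luhn_ok(pan):
                findings.append(("track2", mask(pan), line_no))
                track_spans.append(m.span())
        for m in PAN_RE.finditer(line):
            # A PAN inside a track-2 record has already been reported as track data.
            if any(s <= m.start() < e for s, e in track_spans):
                continue
            digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
            if luhn_ok(digits):
                findings.append(("pan", mask(digits), line_no))
    return findings


def scan_tree(root: str) -> dict:
    """Scan every regular file under root; map relative path -> findings (hits only)."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            hits = scan_bytes(path.read_bytes())
            if hits:
                results[path.relative_to(root).as_posix()] = hits
    return results


def build_sample_tree(root: str) -> None:
    """Constructed files (industry test card numbers only) mirroring the checklist above."""
    samples = {
        "logs/gateway-error.log": (
            b"2015-03-02 10:14:07 ERROR auth declined code=05 pan=4111111111111111 exp=1227\n"
            b"2015-03-02 10:14:08 INFO request-id 20150302101407 retried\n"
        ),
        "accounting/refunds.csv": b"2015-02-28,refund,19.99,5555 5555 5555 4444,approved\n",
        "pos/swipe-dump.txt": b";4111111111111111=25121010000012345678?\n",
        "docs/readme.txt": b"Nothing to see here, order 123456 shipped.\n",
    }
    for rel, data in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def run_demo() -> dict:
    """Build the sample tree in a temp dir, scan it, print and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        results = scan_tree(tmp)
    for rel, hits in sorted(results.items()):
        for kind, masked, line_no in hits:
            print(f"{rel}:{line_no}: {kind} {masked}")
    return results


if __name__ == "__main__":
    run_demo()
```

The 14-digit request ID in the second log line shows why the Luhn check matters for a scanner: without it, every timestamp and order number becomes a finding an analyst must clear by hand. A scanner like this only finds what it can read: UTF-16 text (common in Windows exports), compressed archives and encrypted database files must be decoded or exported first, and it does not see memory, swap or printed media. Treat the scan host and the report as in scope for the cardholder data environment while they exist.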

As always, when working with vendors to determine which tool is right for you, keep in mind that not all are created equal. Do your homework beyond reading claims that they are PCI DSS experts. At the end of the day, not even the best technology can substitute for vigilance when it comes to securing your business.

2014 will be remembered as the year that data breaches became a board room topic. What will 2015 hold for your company?

Wenlock Free is vice president of strategic partnerships for SecurityMetrics, combining a background in international sales and marketing with over twenty years experience in the data security and training industries.

Stephen W. Orfei is general manager for the PCI Security Standards Council. A recognized industry expert in global payment platforms, e-commerce, mobile payments, transit and cybersecurity, he has more than 20 years of experience developing and delivering complex global payment solutions.


2 comments:

  1. We can always mandate, as per internal corporate policy and external PCI Security Standards controls, that multi-tiered DLP is required to be deployed, be active and be set to investigate all devices in the network such as NAS, cloud, mail, endpoints, servers, databases etc., meaning the merchant or service provider MUST prove and validate what the CDE is for their environment.

    No merchant or service provider should be allowed to pass an assessment with an onsite QSA or via self assessment without providing this evidence to the bank and PCI Council for their review. NO ROC or SAQ should be accepted without this information.

  2. We should use modern techniques for payment like secure PIN or 3D verification security. New payment terminals support EMV (chip and PIN) payment cards. From mag cards it's very easy to clone sensitive card data.

    A secure certificate should be used in the payment terminal for the data scheming during transmission; it will also prevent sensitive card data from appearing in the server LOGS.
