2017 PANscan Study: How to Better Protect Your Card Data
See how much unencrypted card data PANscan found on business networks in 2016.
By: George Mateaki, Security Analyst (CISSP, QSA)
More businesses store unencrypted card numbers than you think, and the numbers have gone up this year.
According to our 2017 PANscan study, 67% of businesses that used PANscan had unencrypted card data in their networks. Additionally, 5% of businesses stored track data.
PANscan found over 88 million unencrypted cards on business networks in 2016. Let’s compare these statistics to the 2016 PANscan study: businesses have increased storage of unencrypted card data from 61% to 67%. This is a pretty significant change, especially since the previous years saw numbers like 62% and 60%. But businesses have also decreased storage of track data from 10% to 5%.
Overall, businesses still struggle to keep PAN secure, but they seem to be doing better with track data.
Protecting card data can get tricky sometimes. Here are some ways to better protect your businesses’ stored card data.
SEE ALSO: PCI DSS Requirement 3: What You Need to be Compliant
Don’t store card data
If you can run your business without storing card data, it’s highly recommended. It will help simplify your security process and greatly reduce your PCI scope. For example, if you store and handle card data, the PCI DSS will require you to fill out SAQ D, which has over 300 questions. If you don’t store card data, you can fill out SAQ A, B, or C, which have fewer than 100 questions. Some ways to avoid storing card data are to use tokenization or to outsource card data handling to a third party. This means that another company will handle your card data. You’ll still need to make sure they follow PCI requirements, but most of the responsibility and liability won’t be on your business.
Remember, the less card data you store, the less you have to worry about.
Monitor your card data flow
Many businesses that store unencrypted card data don’t realize they’re storing it. Card data can be found in areas you may not initially think about. You should make a card flow diagram that tracks the process your business goes through as it uses, stores, or transmits card data. This will help you see where card data enters and exits your business.
Here are some areas unprotected card data may be unintentionally hiding:
- Printers often store old jobs, which could include card data
- Error logs frequently contain the card number in plaintext during a failed authentication
- Customer service may take card numbers over the phone, so watch for printed card data
- Sales departments may have emailed or printed forms with card numbers
- Web browser cache may store card data inadvertently
Encrypt card data
Your card data should be encrypted when not in use. This keeps your card data safe even if it is stolen. It’s recommended you use point-to-point encryption (P2PE), as it encrypts the data from the point of interaction until it’s processed. P2PE prevents non-encrypted card data from existing in the payment environment. Even if a hacker steals this data, they would only get encrypted card numbers with no way to decode them.
SEE ALSO: Securing Mobile Devices with Mobile Encryption
Implement network segmentation
While network segmentation isn’t required by the PCI DSS, it’s good practice to keep the networks that handle card data separate from your other networks. Whether you do it physically or through a firewall, make sure the systems that store, process, and transmit card data are kept separate from other systems. This reduces your PCI scope and keeps card data from spreading to unknown areas.
SEE ALSO: New 3.2 Requirements for Penetration Testing and Segmentation: What You Don’t Know
George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.