Blog
Data Discovery
Storing Unencrypted Credit Card Data: 2021 PANscan® Data Analysis

Storing Unencrypted Credit Card Data: 2021 PANscan® Data Analysis

Card data discovery is an important part of payment data security and complying with PCI DSS requirement 3. If you are going to store credit card data, you’ll need to know where it is captured, where it is stored, where it is transmitted, and where it is received.

Updated
October 2, 2023
Posted
June 3, 2021
Security Tools
Scoping
Storing Unencrypted Credit Card Data: 2021 PANscan® Data Analysis

Can a business store unencrypted credit card data?

Yes. Although it is best to avoid storing unencrypted card data in the first place, PCI DSS requirement 3 gives guidelines on how to protect unencrypted payment card data.

Card data discovery tools and processes

Card data discovery is an important part of payment data security and complying with PCI DSS requirement 3. If you are going to store credit card data, you’ll need to know where it is captured, where it is stored, where it is transmitted, and where it is received. The process for visually mapping out these data flows is done through a card data flow diagram.

A card data flow diagram visually shows where PAN enters, leaves, and is stored, and can help identify the scope of the card data environment (i.e., the area that needs to be secured and follow the PCI DSS). The card data flow diagram is also helpful in identifying whether credit card data is found in unexpected locations which may not be represented in a card flow diagram. You can walk through the card data flow diagram and ask questions at each point in the process to confirm that credit card information isn’t leaking or stored where it shouldn’t be.

For example, if you receive credit card information on a form over fax, you can ask “is that form also saved on a fax server or sent over email?” If you capture credit card information on a hosted payment page then you could ask “could credit card information have been errantly entered into the name field or even the zip code field?” Combining a data flow diagram with employee interviews and periodic system scans for PAN data can be a valuable way to confirm that processes for handling credit card data are accurately understood and documented.

Some common reasons businesses unknowingly store PAN, PIN, and CVV include:

  • Employees unaware of card data storage policies
  • Misconfigured payment processing applications
  • Old data found on recently purchased payment processing applications
  • User form field input error where users enter credit card data into the wrong field whose data may be placed in non-CDE databases
  • Legacy card data flows that have been discontinued but not purged from databases, email, and fax servers
  • Paper copy archives of cardholder data that has the PAN marked out but not the CVV

Since 2010, SecurityMetrics PANscan® has discovered about 2.9 billion unencrypted primary account numbers (PAN) on business networks. Storage of unencrypted payment card data increases your organization's risk and liability in the event of a data breach.

This infographic examines user results of PANscan from 2020 and compares it to previous years.

2020 STATISTICS

  • 237,279 GBs scanned
  • 74% Store unencrypted PAN data
  • 5% store track data (data inside magnetic stripe)
  • Over 429 million cards found

PERCENTAGE OF USERS STORING UNENCRYPTED CARD DATA

Storing any unencrypted card data, especially track data, is a violation of the Payment Card Industry Data Security Standard (PCI DSS) and makes it easier for a criminal to steal data.

  • 2017: 69%
  • 2018: 85%
  • 2019: 88%
  • 2020: 74%

COMMON PAYMENT CARD DATA HIDING PLACES

Due to poor processes and/or misconfigured software, payment card data can leak into networks, even those that shouldn't store sensitive data. Here are common places to look for hiding payment card data:

  • Error logs
  • Accounting departments
  • Sales departments
  • Marketing departments
  • Customer service representatives
  • Administrative assistants

7 Tips to find and Secure Cardholder Data

  1. INTERVIEW EMPLOYEES
    Find out how your various departments interact with card data.
  2. CARD FLOW DIAGRAM
    Know where and how card data interacts through your system.
  3. RUN SOFTWARE
    Run a card data discovery tool to search for unencrypted card data.
  4. PROTECT DATA
    Properly remove and/or encrypt card data.
  5. LIMIT ACCESS
    Only authorized personnel should have system access.
  6. CONSIDER DATA STORAGE
    If you don't need to, stop storing card data.
  7. NETWORK SEGMENTATION
    Reduce the number of systems that store, process, or transmit card data.

Join Thousands of Security Professionals.

Subscribe Now

Free Security Course

View Course

Get Quote for Card Data Discovery

Request a Quote
Stay up to date
Subscribe to our blog.
Subscribe Now
Data Security
Vulnerability ScanningPenetration TestingSecurity TrainingPANscan®SecurityMetrics VisionSecurityMetrics MobileCIS Controls AssessmentConsultingResellerForensic/Incident ResponseData and Network SecurityData Security AcademyWebpage Integrity Monitoring (WIM)Shopping Cart Inspect (PCI Req. 11.6.1)Shopping Cart Monitor (PCI Req. 11.6.1)SecurityMetrics Pulse
Compliance
GDPR CompliancePCI CompliancePCI DSS AuditPCI Level 4 ProgramPA-DSS/SSF AuditP2PE AuditPIN Security AssessmentPCI PoliciesPCI TrainingHIPAA ComplianceHIPAA PoliciesHIPAA TrainingHealth Network ProgramHITRUST
Company Info
About UsBlogGlossaryMedia RelationsCareersTerms of UsePrivacyAbuseDo Not Sell My Information
Contact
Contact UsReport a Vulnerability
SecurityMetrics podcast logoLinkedIn logoFacebook logo
© 2025 SecurityMetrics, Inc. All rights reserved.
Privacy PolicyTerms and Conditions
Your IP Address is:
YouTube logoSecurityMetrics podcast logoLinkedIn logoFacebook logo
Subscribe to our blog
Subscribe Now
© 2025 SecurityMetrics, Inc. All rights reserved.
Privacy Policy
|
Terms and Conditions
|
Your IP Address is:
000.000.000.000