How Much Credit Card Data do You Store? (It's More Than You Think.)

See the unencrypted storage results from SecurityMetrics’ PANscan from 2015

Check out the infographic, What’s Causing You to Store Unencrypted Payment Cards?‍

Did you know you could be storing unencrypted payment card data? According to SecurityMetrics’ latest PANscan reports, 61% of merchants store unencrypted card data, and 10% store magnetic stripe data. Because of this lack of security, many merchants can be held liable in a data breach. The more unsecured data you store, the more people you have to pay after a data breach.

See also: How Much Does a Data Breach Cost Your Organization?

What kind of data are you storing?

You’d be surprised how much data you store from a credit card. There are two main types of data hackers go after on a credit card:

• Primary Account Numbers (PAN): These are the account numbers on the credit card itself.
• Magnetic stripe data: This can include PIN numbers, CVV codes, service code, expiration dates, and cardholder names.

All of this data is sensitive information and valuable to customers. If you’re not securely storing this kind of data, it’s free game for data thieves.

See also: A Hacking Scenario: How Hackers Choose Their Victims

See also: SecurityMetrics PCI Guide

Why is storing this data bad?

Keeping unsecured credit card data makes you more liable in a data breach. An attacker can get access to your servers and steal any unencrypted data. If that data is a bunch of credit card numbers, you’re facing a huge data breach, which is costly to your business and your customers.

See also: Unencrypted Data: A Security Plague‍

Another issue is storing unencrypted credit card data is a violation of PCI DSS requirement 3, which requires companies to protect stored cardholder data. This includes keeping cardholder data storage to a minimum and properly securing any cardholder data you do store.

If you want to become PCI compliant, you need to stop storing unencrypted credit card data.

How Does a Firewall Protect a Business?

Many merchants don’t even realize they’re storing this kind of data. The key to addressing the problem is properly tracking and securing credit card data your business handles.

Here are some tips to find and secure payment card data:

• Interview employees: Find out how your departments deal with card data: where do they store data, how do they process it?
• Make a card flow diagram: You can’t secure your data if you don’t know where it is. Make a diagram to see how credit card data is entered, stored, and transmitted in your company.
• Consider data storage: How much do you need to store card data? If it’s not crucial to your business, don’t store it.
• Limit access: Only authorized personnel should have access to systems that store sensitive data.
• Use tokenization: Tokenization can help you get rid of storing credit card data altogether by using tokens instead of Primary Account Numbers.
• Use P2PE validation: Encrypting your data will keep it safe from attackers. Implement a P2PE process.
• Have network segmentation: Keep systems that store, process, and transmit credit card data separate from other systems.

See also: Do You Know Where You Store Card Data?

‍Are we improving?

‍Merchants are slowly getting better at securing credit card data. (The number of merchants storing unencrypted card data has gone from 63% in 2013 to 61% in 2015.)

However, compared to the growth of cybercrime, we’re not improving fast enough. If merchants want to be secure and PCI compliant, finding and securing unencrypted credit card data is crucial.

Today, hackers are getting smarter and quicker. You can’t afford anymore to not know where your business is storing credit card data.

Want to see more data from SecurityMetrics’ PANscan? Check out the infographic below!