Study finds 330 million payment cards 'in the clear'
In its fourth study on unencrypted card data, the PANscan card discovery tool from PCI specialist SecurityMetrics found that 61 percent of businesses store, in unencrypted form, the 16-digit primary account number (PAN) found on the front of credit cards.
Version 3.0 of the Payment Card Industry Data Security Standard states that "Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection."
However, SecurityMetrics said in a press release that in just five years PANscan has found more than 1.2 billion unencrypted card numbers on business networks.
"Unencrypted storage continues to be an issue among merchants, even with new technologies like EMV," said Gary Glover, director of security assessment at SecurityMetrics. "EMV-enabled payment terminals can still be used to make a payment transaction using an optional mag stripe swipe process, which means there's still an opportunity for misconfigured software to inadvertently capture and store full track data."
For the study, PANscan scanned 204,332 gigabytes of data on 3,627 computers and found:
- a total of 332,263,315 payment cards were unencrypted;
- 61 percent of businesses store unencrypted PAN data, a decrease of 2 percent since the 2014 study;
- 7 percent of businesses store full magnetic stripe data, including PIN, CVV, service code, expiration date, cardholder name, and PAN; and
- on average, each computer scanned held 91,608 stored payment cards.