Study: 71% of Merchants Scanned Were Storing Unencrypted Data

by Mercator Advisory Group

PCI solutions vendor SecurityMetrics has released its Second Annual Payment Card Threat Report, and the results aren’t pretty. Nearly three-quarters of the merchants signed up with the firm in the last year for PCI scanning services were storing unencrypted payment card data. Merchants are obligated to scan point-of-sale systems both online and in physical stores on an annual basis under PCI compliance regulations. Of the total number of merchants storing card data without proper safeguards, over half were in the financial services/insurance, hospitality, and retail segments.

Quotes given to ISO & Agent are from Greg Johnson, SecurityMetrics manager of strategic channel relationships.

SecurityMetrics compiled the statistics from scans of 2,754 machines, mostly point-of-sale systems, Johnson says.

It offers a product called PANscan that detects unencrypted data and reveals its location to users so they can delete it.

Getting rid of the unencrypted data requires a “secure delete” because a regular delete leaves it in a computer until something else overwrites it, Johnson notes. To securely delete something, a computer must proactively write new data in the place where the old data was stored.
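The two steps described above, locating stored card numbers and then overwriting them before deletion, as an added illustration in Python; this is not PANscan or any SecurityMetrics code, and the sample log, the Luhn-based filter and the single-pass random overwrite are assumptions chosen for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters most non-card digit runs (phone numbers, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return (offset, masked_pan) for each Luhn-valid candidate; never the full PAN."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append((m.start(), digits[:6] + "*" * (len(digits) - 10) + digits[-4:]))
    return hits

def secure_delete(path, passes: int = 1) -> bool:
    """Overwrite the file's bytes in place, sync, then unlink (a plain unlink leaves the bytes on disk)."""
    p = Path(path)
    size = p.stat().st_size
    with open(p, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            f.write(os.urandom(size))
            f.flush()
            os.fsync(f.fileno())
    p.unlink()
    return not p.exists()

def demo() -> tuple:
    """Constructed sample: a POS log with two test PANs and a phone number that must not match."""
    sample = "order=17 pan=4111 1111 1111 1111 phone=5551234567 alt=5500000000000004\n"
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as f:
        f.write(sample)
        path = f.name
    hits = find_pans(Path(path).read_text())
    return hits, secure_delete(path)
```

In-place overwriting only reaches the blocks the file currently occupies; on SSDs, copy-on-write or journaling filesystems, and in backups, older copies of the data can survive, so the scan should cover those locations too.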

Encrypting card numbers and ridding a system of unencrypted data helps prevent criminals from using the information to commit fraud, he says.

So-called “crimeware toolkits” now available online can make it easy for thieves to capture and use the encrypted data, Johnson says.
