New research shows 61% of businesses store the unencrypted 16-digit sequence on the front of credit cards, also known as the Primary Account Number (PAN). Also, EMV-enabled payment terminals can still be used to make a payment transaction using an optional mag stripe swipe process, which means there’s still an opportunity for misconfigured software to inadvertently capture and store full track data.
UT-based SecurityMetrics’ patented card discovery tool PANscan found more than 1.2 billion unencrypted card numbers on business networks over the past five years.
The company notes that unencrypted storage continues to be an issue among merchants, even with new technologies like EMV. Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection in PCI DSS Requirement 3.
The most recent study revealed that PANscan scanned 204,332 GB of data on 3,627 computers and found:
• A total of 332,263,315 unencrypted payment cards
• 61% of businesses store unencrypted PAN data, a decrease of 2% since 2014’s study
• 7% of businesses store full magnetic stripe data, including PIN, CVV, service code, expiration date, cardholder name, and PAN
• An average of 91,608 payment cards per computer
SecurityMetrics says the trend of unencrypted card data storage will steadily, but slowly, decline each year. The sooner businesses implement point-of-sale encryption technology like P2PE (encrypt at swipe), the sooner stored unencrypted data will become a thing of the past.