SecurityMetrics Finds Unencrypted Card Data in Two-Thirds of Merchants Scanned

Digital Transactions has an item today about PCI scanning vendor SecurityMetrics’ PANScan tool, which has detected unencrypted card data in nearly two-thirds of merchants that participated in a recent test. The version of PANScan used in the test is available for free download at the SecurityMetrics PANScan Web site. The article pointed to merchants’ use of payment applications that are not compliant with the Payment Application Data Security Standard (PA-DSS), failure to erase old data when new payment applications are installed, and lack of training in proper data storage techniques as the main reasons for the proliferation of unencrypted card data in merchant systems.

The merchants participating in the test ranged in size from small Level 4 merchants to the largest Level 1 merchants.

Of 478 card data scans conducted during the beta test, 303, or 63.4%, uncovered unencrypted card data, SecurityMetrics says. The tests found about 18 million cards in a scan of 67.5 million files. The maximum number of cards uncovered in a single scan totaled 1.9 million.

SecurityMetrics says it’s impossible to identify the PCI status of the merchants storing unencrypted card data since the PANscan tool is available to anyone for free download and use. Merchants weren’t asked whether they were in compliance with PCI.

Many merchants are unaware that their systems are storing the unencrypted data, says Brad Caldwell, chief executive of SecurityMetrics. “One of the biggest things we hear from merchants is ‘I had no idea I had this data. I talked to my developer and he didn’t say he was storing card data,’” Caldwell says.

Click here to read more.