The merchants participating in the test ranged in size from small Level 4 merchants to the largest Level 1 merchants.
Of 478 card data scans conducted during the beta test, 303, or 63.4%, uncovered unencrypted card data, SecurityMetrics says. The tests found about 18 million cards in a scan of 67.5 million files. The maximum number of cards uncovered in a single scan totaled 1.9 million.
SecurityMetrics says it’s impossible to identify the PCI status of the merchants storing unencrypted card data since the PANscan tool is available to anyone for free download and use. Merchants weren’t asked whether they were in compliance with PCI.
Many merchants are unaware that their systems are storing the unencrypted data, says Brad Caldwell, chief executive of SecurityMetrics. “One of the biggest things we hear from merchants is ‘I had no idea I had this data. I talked to my developer and he didn’t say he was storing card data,’” Caldwell says.
