PCI solutions provider SecurityMetrics has published a study, based on its own scanning data, which finds that 71 percent of the merchants scanned were storing unencrypted payment card information. This reflected “an increase of 8 percent since 2010.” The main reason for the high rate of insecurity, according to the study, is that merchants are most often unaware that they are storing the data in the first place. SecurityMetrics recommends that merchants hoping to secure their networks against potential data breaches first understand “where all payment card data touch points are at a business,” allowing “merchants to have tighter control, and less unknown storage.”
“There’s so much going on in the security industry that it’s sometimes difficult to target the most important things,” said SecurityMetrics CEO Brad Caldwell. “We think these findings are a game changer for the security industry, and will help focus priorities on the bigger problem plaguing merchants today. After all, criminals can’t steal card data merchants don’t have.”
In total, the study found over 370 million unencrypted cards on business and home networks of various sizes; the largest number of payment cards discovered in a single network scan was over 96 million. The study concluded that card discovery and deletion is not a one-time event, but must be part of regular business operations to have an impact on security.
“Today’s business landscape is littered with merchants that don’t know exactly what’s on their system,” said SecurityMetrics Director of Forensic Investigations, David Ellis. “In the majority of cases we’ve investigated, the merchant was unaware their system was storing unencrypted payment card data. Merchants must take responsibility for their customers’ card data, which in turn will benefit worldwide commerce in general.”