No lessons learnt – 61% still store unencrypted payment data

Despite high profile incidents of storing unencrypted customer payment data, a study from SecurityMetrics has found that 61%of businesses still store the unencrypted 16-digit sequence on the front of credit cards, also known as the Primary Account Number (PAN).

SecurityMetric’s PANscan tool scanned 204,332 GB of data on 3,627 computers and found that there are 332,263,315 unencrypted payment cards.

Though the number of unencrypted PAN data has dropped 2% since 2014, 7% of businesses still store full magnetic stripe data, including PIN, CVV, service code, expiration date, cardholder name, and PAN.

SecurityMetrics Security Assessment director Gary Glover said, "Unencrypted storage continues to be an issue among merchants, even with new technologies like EMV.

"EMV-enabled payment terminals can still be used to make a payment transaction using an optional mag stripe swipe process, which means there’s still an opportunity for misconfigured software to inadvertently capture and store full track data."

Glover added, "I expect the trend of unencrypted card data storage to steadily but slowly decline each year."

"The sooner businesses implement point-of-sale encryption technology like P2PE (encrypt at swipe), the sooner stored unencrypted data will become a thing of the past."

Sign up for our regular news round-up!

Give your business an edge with our leading Tech Monitor

Sign up