Guest Analysis: Make Life Hard for Payment Card Thieves

Joe Dufrey

Small businesses should dissuade hackers through card discovery

October 2, 2013 – There’s no such thing as a hacker-proof business. From multinational corporations down to the smallest mom-and-pop, every organization is a potential victim of payment card theft. However, because they typically lack the IT know-how and security budget of their larger counterparts, small and medium businesses are easy targets for cybercriminals.

Does that mean businesses should give up? Absolutely not. Through modern security controls and compliance with the Payment Card Industry (PCI) Data Security Standard (DSS), small businesses have the power to make their valuable objects (in this case, customer payment card data) as hard to access as possible.

Because intelligent cybercriminals repeatedly adapt to security protections, staying one step ahead will establish your business as a difficult target and warn would-be-hackers you’re more trouble than it’s worth. Here’s the first tip I give to every business, large or small, that helps them take that initial security step.

Don’t store unencrypted card data in the first place

Unprotected payment card data (i.e., primary account number, cardholder information, expiration date, or three-digit service code), may be stored behind the scenes of your payment network, leaving data readily available for criminals to steal. Storing this data in its unencrypted state is against the PCI DSS and could also result in merchant processor noncompliance fines.

Even if you think your business doesn’t store it, it’s wise to double check. According to SecurityMetrics’ 2012 Payment Card Data Threat Report, 71% of businesses store unencrypted card data, often unknowingly.

Where is the unencrypted payment data?

Unencrypted payment card data may accidentally be saved on POS registers, web servers, customer service workstations, hard drives, and USB drives. Oftentimes, accidental storage occurs because files are improperly removed, previous versions of software were improperly configured, or computer backups restore files that were previously deleted. The extent of accidental storage makes manual file-by-file discovery nearly impossible.

Unencrypted card data also hides in places outside of the typical card transaction environment. For example, accounting departments have been known to gather card numbers for charge reversals on shared network servers.

The easiest way to find and delete unwanted payment data

It is possible, but not recommended, to manually search for unencrypted card data. However, it’s easy to forget or miss hidden card data through manual discovery. The easiest and most resource-friendly way to find unencrypted payment data is by using a card data discovery tool. These inexpensive and often free tools alert you of the location of card data so you can securely delete it.

Card data storage can be pervasive, especially in mature companies where data has been handled for a long time and payment processes have changed over the years. Use discovery tools periodically in areas where you may not think data resides. It’s recommended to assign a person to take charge of card data removal and conduct regular scans.

Why go through the trouble?

Hackers can’t steal what isn’t there. By using card data discovery technology and securely deleting the data it finds, you turn the eye of hackers away from your business and onto easier targets. Remember that data discovery must be a proactive and on-going process to successfully prevent unwanted loss of card data.

[spacer height=3] [divide] [spacer height=3] Joe Durfey has helped hundreds of businesses secure their systems from data compromise using SecurityMetrics PANscan. PANscan is a free tool that discovers unencrypted card data on business networks. Learn more or download at www.securitymetrics.com/panscan

The views expressed in the posts and comments of this blog do not necessarily reflect those of ETA.