Guest Analysis: Protect Yourself from Hidden Card Data
Wenlock Free and Stephen W. Orfei
June 24, 2015 – How many news stories have you seen in the past 12 months about major brands in the retail, hospitality, and entertainment industries losing their payment card data? Chances are it’s more than you can count on both hands.
It’s also true that almost any company, including yours, could be in that same situation in the next 12 months. According to a PricewaterhouseCoopers study, 42.8 million cyberattacks are expected this year. Even an average hacker can find credit card data in unexpected and unprotected places.
Research shows that basic security measures can protect you against hacks 99.9 percent of the time. The PCI Data Security Standard (PCI DSS) covers these basics and much more. It has been developed by industry experts and stands the test of time. Unfortunately, according to Fortinet, 1 in 5 small and medium business retailers are not PCI DSS compliant.
One key part of the standard in which many merchants fail is PCI DSS Requirement 3, “render [primary account number data] unreadable anywhere it is stored.”
Unintentional hidden credit card information
Many businesses that store encrypted card data may not be aware of just how often data is left in its unencrypted form. According to 2015 data from SecurityMetrics, 61 percent of businesses store unencrypted payment card data and 7 percent store track data. Both actions are completely against the PCI standard.
For those who don’t think they even have sensitive data on their network, it’s a big surprise to learn how payment card data leaks in a system.
Let’s walk through a simple checklist of the common places card data can hide in your network.
- Error logs are one of the most common places unencrypted credit card data is unintentionally stored. When an error occurs during card authentication or processing, an error log is often generated—and these logs frequently contain the full credit card data in plain text.
- Accounting departments typically have processes for balancing books, processing refunds, and charge reversals that store unencrypted credit card data in files on employee workstations, files stored on shared network file servers, or as printed media.
- Sales departments may have emailed or printed forms containing credit card numbers.
- Marketing departments may have databases containing transaction data used for market research.
- Customer service representatives may take credit card numbers over the phone or view full card numbers, so watch for handwritten or printed card data.
- Administrative assistants may create a spreadsheet that contains a company or executive’s credit card number for quick access when making payments.
After locating stored credit cards, merchants often try deleting this data by emptying their computer’s trash icon. Unfortunately, emptying a trash icon doesn’t permanently delete its contents. To properly delete, you must erase (repeatedly overwrite) the file from your disk drive.
The sad truth is, if a merchant stores unencrypted payment cards at the time of the breach, whether knowingly or unknowingly, she or he may pay hefty fines and lose the confidence of customers.
When people are vigilant in applying the security controls outlined in the PCI DSS to their business, it makes the life of an attacker more difficult. A secure organization has no hidden credit card information to steal. Attackers are forced to move on to much easier pickings.
Protect yourself against unencrypted payment card data storage
The first step to protecting card data is knowing where it is. A great starting point is mapping out a dataflow diagram showing all locations and flows of cardholder data (as required in PCI DSS Requirement 1), to easily identify which systems require protection.
Today’s technology also offers many user-friendly software tools and solutions. For example, SecurityMetrics has a card data locator tool that can assist you in identifying where cardholder data resides on your systems. After running the software, you can take the steps necessary to become PCI DSS compliant by removing or encrypting the unencrypted payment card data on your network. Remember, if you don’t need it, don’t store it!
As always, when working with vendors to determine which tool is right for you, it’s important to keep in mind not all are created equal. Do your homework beyond reading claims that say they are PCI DSS experts. Of course at the end of the day, not even the best technology can substitute the need for vigilance when it comes to securing your business.
2014 will be remembered as the year that data breaches became a board room topic. What will 2015 hold for your company?
Wenlock Free is vice president of strategic partnerships for SecurityMetrics, combining a background in international sales and marketing with over twenty years experience in the data security and training industries.
Stephen W. Orfei is general manager for the PCI Security Standards Council. A recognized industry expert in global payment platforms, e-commerce, mobile payments, transit and cybersecurity, he has more than 20 years of experience developing and delivering complex global payment solutions.