2018 PANscan Results: Storage of Credit Card Data on the Rise

See how much unencrypted card data PANscan® found on business networks in 2017.

Storage of unencrypted PAN on networks is up

Primary account numbers (PAN) are the 14-, 15-, or 16-digit credit card numbers used to identify individual cards. If merchants unknowingly store unencrypted PAN on their networks, they may pose a big risk to their business.

Manually searching for PAN can get tedious and overwhelming, but tools like PANscan® are designed to search quickly and efficiently in the background without slowing down day-to-day operations.

Since 2010, SecurityMetrics PANscan® has discovered over 1.6 billion unencrypted primary account numbers. Our 2018 PANscan study compiles results from PANscan® users in 2017. We found that credit card data storage is up since last year and has been steadily climbing for the last few years. Remember that these results come only from users of our PANscan® tool--merchants who are already security-minded. This could mean that as a whole, businesses that handle credit card data are faring worse.‍

Download the 2018 PANscan® Data Analysis Infographic here.

The 2018 PANscan® study

We found that in 2017, PANscan® searched 337,118 GBs of data and found over 114 million unencrypted card numbers as well as over 4.5 million track data (i.e., magnetic card stripe data). Sixty-nine percent of users stored unencrypted PAN, and 7% stored unencrypted track data.‍

In 2016, 67% of PANscan users stored unencrypted PAN, which means credit card data storage is up 2 points since then (a 2.98% increase). Only five percent of these businesses stored track data in 2016, which means there's been a 40% increase. The PCI DSS requires that merchants never store track data, for any reason (Requirement 3.2).

Where did PANscan® find card data?

There are several common places PAN data hides. Whether it’s due to poor process or misconfigured software, unencrypted credit card numbers on a network can be traced to:

• Error logs
• Accounting departments
• Sales departments
• Marketing departments
• Customer service representatives
• Administrative assistants

Learn more about PANscan®.‍

See also: What's Inside Our 2018 PCI Guide

Protecting Customers' Credit Card Data

‍Keeping unencrypted data on systems is a security risk but it can also be difficult to avoid. Like we mentioned, PAN data can come from departments like marketing, accounting, sales—but it can also be unintentionally stored due to bad handling process.

Here are seven tips to find and secure credit card data:

• Interview Employees: Find out who has access to what card data and how each department interacts with it.
• Create a card-flow diagram: Map out where card data enters, leaves, is stored, and interacts with/in your system.
• Use a data discovery tool: As previously mentioned, a well-designed software tool can make a world of difference. PANscan® is designed to run light, work fast, and avoid false positives.
• Remove or encrypt data: Protect customers’ credit card numbers by properly removing, deleting, destroying, or encrypting them.
• Consider data storage: Rethink whether you really need to store credit card data in any form on your systems.
• Limit access to data: Only those who absolutely need to access card data for their job should be able to.
• Segment your network: Separate your card data environment from other systems, using firewalls or other methods. This way you can reduce the potential for data leakage to unauthorized areas.

For more information about PCI compliance, a PCI audit, or data security, contact us here.