Can businesses store credit card information?
The short answer is, “yes.” PCI DSS requirement 3 focuses on the protection of stored cardholder data. That requirement applies to both merchants and service providers that store credit card data both pre and post authorization.
It’s best not to store credit card numbers at all if you can avoid it, and storing full track data, CVV numbers and PINs post-authorization is not allowed under PCI DSS, even if the data is encrypted.
To comply with PCI DSS requirement 3, merchants and service providers must protect the primary account number (PAN) wherever it is stored, both pre-authorization and post-authorization. Techniques for protecting stored credit card data include encryption (at the file, column, table, or disk level) as well as hashing. Users without a business need to see the full PAN must be shown a masked or truncated version, so that only the first six and last four digits of the PAN are viewable. Remember that you cannot store the hashed PAN and the truncated PAN in the same card data environment.
Card data discovery: find unencrypted card data
Card data discovery is an important part of data security and compliance. If you are going to store credit card data, you’ll need to know where it is captured, where it is stored, where it is transmitted, and where it is received. The process for visually mapping out these data flows is done through a card data flow diagram.
A card data flow diagram visually shows where PAN enters, leaves, and is stored, and can help identify the scope of the card data environment (i.e., the area that needs to be secured and must follow the PCI DSS). The diagram also helps you spot credit card data in unexpected locations that the diagram itself does not yet show. You can walk through the card data flow diagram and ask questions at each point in the process to confirm that credit card information isn’t leaking or being stored where it shouldn’t be.
For example, if you receive credit card information on a form over fax, you can ask “is that form also saved on a fax server or sent over email?” If you capture credit card information on a hosted payment page then you could ask “could credit card information have been errantly entered into the name field or even the zip code field?” Combining a data flow diagram with employee interviews and periodic system scans for PAN data can be a valuable way to confirm that processes for handling credit card data are accurately understood and documented.
Some common reasons businesses unknowingly store PAN, PIN, and CVV include:
Employees unaware of card data storage policies
Misconfigured payment processing applications
Old data found on recently purchased payment processing applications
User input errors, where customers enter credit card data into the wrong form field and that field’s data ends up in non-CDE databases
Legacy card data flows that have been discontinued but not purged from databases, email, and fax servers
Paper copy archives of cardholder data that have the PAN marked out but not the CVV
Unencrypted payment card data is often found with unexpected people and places across the company, including:
Customer service representatives
Old file cabinets
Oddly enough, one of the easiest ways to help with the removal of legacy or unexpected stored cardholder data is to move from an old office to a new one, from an old IT infrastructure to a new IT infrastructure, and from an old payment application to a new one. During this transition period, the pain of migrating the data causes either a lot of purging to happen or only the known cardholder data and card data flows to be migrated. When migrating to a new infrastructure or payment application, make sure you properly delete old data. Read more about securely deleting data here.
Automated tools can help discover cardholder data
To err is human, which is why we augment manual checks with automated tools. One tool that SecurityMetrics has created, called PANscan®, is a card data discovery tool businesses use to search for unprotected credit card data and to help confirm their PCI DSS audit scope.
Using automated card data discovery tools helps businesses find primary account numbers on computer systems, networks, hard drives, and attached storage devices. Many businesses experience compromise because simple steps are not taken to ensure security. PANscan is a simple tool that helps limit business liability.
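Tying the discovery and truncation points above together, here is an added illustration (not SecurityMetrics code, and not how PANscan itself works): a small scanner that finds PAN-like digit runs in arbitrary record fields, drops candidates that fail the Luhn check to reduce false positives, and reports only the first-six/last-four form so that the findings report does not itself become a new store of full PAN. The record layout, field names and sample values are assumptions.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters many false positives such as phone numbers and IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the display form the article describes."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return truncated PANs found in a string; the full PAN is never kept or written out."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            hits.append(truncate_pan(digits))
    return hits


def scan_records(records: dict) -> list:
    """Scan field by field so a PAN typed into the wrong field (name, zip) is reported by field."""
    findings = []
    for record_id, fields in records.items():
        for field, value in fields.items():
            for masked in find_pans(str(value)):
                findings.append((record_id, field, masked))
    return findings


# Constructed sample records (hypothetical); the card numbers are public test PANs, not real cards.
SAMPLE_RECORDS = {
    "order-1001": {"name": "A. Customer", "zip": "84043", "notes": "call back Tuesday"},
    "order-1002": {"name": "4111 1111 1111 1111", "zip": "84043", "notes": ""},
    "order-1003": {"name": "B. Customer", "zip": "5555555555554444", "notes": "phone 8015551234567"},
}

if __name__ == "__main__":
    for record_id, field, masked in scan_records(SAMPLE_RECORDS):
        print(f"{record_id}: PAN-like value in field '{field}': {masked}")
```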
How much unencrypted card data did PANscan® find on business networks in 2018?
The results of SecurityMetrics’ PANscan showed that, of the users scanned, 85% had unencrypted payment card data on their devices and systems, adding up to over 114 million cards found. While a few results are false positives, many businesses have successfully used the tool to remove unencrypted card data that was unintentionally stored on devices and systems and could otherwise have been exposed to data breaches, data theft, and data leaks.
The percentage of businesses that improperly stored PAN has gone up each year, starting at 61% in 2015, 67% in 2016, 69% in 2017, and rising sharply in 2018 to 85%.
Alarmingly, 5% of businesses store full magnetic-stripe track data, which is never permitted by the PCI DSS.
View the 2019 PANscan infographic. This infographic shows user results of PANscan from 2018 and compares them to previous years.
For tips on how to properly handle and store credit card data, whether encrypted or not, check out our blog PCI DSS Requirement 3: What You Need to Be Compliant.
Michael Maughan (CISSP, QSA) is a Security Analyst at SecurityMetrics and has been in IT for 18 years. He has a Bachelor of Science in Applied Physics from BYU and is an avid college sports fan.