Can a business store unencrypted credit card data?
Yes. Although it is best to avoid storing unencrypted card data in the first place, PCI DSS requirement 3 gives guidelines on how to protect unencrypted payment card data.
Card data discovery tools and processes
Card data discovery is an important part of payment data security and of complying with PCI DSS requirement 3. If you are going to store credit card data, you’ll need to know where it is captured, where it is stored, where it is transmitted, and where it is received. These data flows are mapped out visually in a card data flow diagram.
A card data flow diagram shows where PAN enters, leaves, and is stored, and helps identify the scope of the card data environment (i.e., the area that needs to be secured and must follow the PCI DSS). Walking through the diagram and asking questions at each point in the process also helps you find credit card data in unexpected locations that the diagram does not represent, and confirms that credit card information isn’t leaking or being stored where it shouldn’t be.
For example, if you receive credit card information on a form over fax, you can ask “is that form also saved on a fax server or sent over email?” If you capture credit card information on a hosted payment page then you could ask “could credit card information have been errantly entered into the name field or even the zip code field?” Combining a data flow diagram with employee interviews and periodic system scans for PAN data can be a valuable way to confirm that processes for handling credit card data are accurately understood and documented.
Some common reasons businesses unknowingly store PAN, PIN, and CVV include:
- Employees unaware of card data storage policies
- Misconfigured payment processing applications
- Old data found on recently purchased payment processing applications
- User input errors, where a customer enters credit card data into the wrong form field and that field's data is written to a non-CDE database
- Legacy card data flows that have been discontinued but not purged from databases, email, and fax servers
- Paper copy archives of cardholder data that have the PAN marked out but not the CVV
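The questions above (“could the card number have been typed into the zip code field?”) and several of the reasons in this list come down to the same check: search free text and form fields for digit runs that look like a PAN and confirm them with the Luhn check digit, so that order numbers and timestamps are not reported. The scanner below is an added example written for this page; it is not SecurityMetrics PANscan or any other product's code, and the error-log lines, the form submission and the test card numbers in it are constructed. It also flags the track 2 framing (`;PAN=YYMM…`) that shows raw magnetic-stripe data was stored, which the figures further down call out as the most serious case.

```python
"""Minimal card-data discovery scanner (constructed example, not a product's code)."""
import re
from dataclasses import dataclass
from typing import Iterator

# A candidate PAN is 13-19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run (which would be an ID, not a card).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# ISO 7813 track 2 layout: ";PAN=YYMM..." -- this framing means raw magnetic-stripe
# data was stored, which PCI DSS never permits after authorization.
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}")


@dataclass
class Finding:
    source: str      # file or record the data was found in
    location: str    # line number or field name
    kind: str        # "PAN" or "track data"
    masked: str      # first 6 + last 4 only; the scanner never keeps the full PAN


def luhn_valid(digits: str) -> bool:
    """Luhn check digit validation: every real PAN passes, ~90% of other numbers fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> Iterator[tuple[str, str]]:
    """Yield (kind, digits) for every Luhn-valid candidate in text."""
    track_pans = set(TRACK2_RE.findall(text))
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            continue                       # order ids, timestamps etc. almost always fail here
        kind = "track data" if digits in track_pans else "PAN"
        yield kind, digits


def scan_text(source: str, text: str) -> list[Finding]:
    """Scan a log or other text file line by line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, digits in find_pans(line):
            findings.append(Finding(source, f"line {lineno}", kind, mask_pan(digits)))
    return findings


def scan_record(source: str, record: dict[str, str]) -> list[Finding]:
    """Scan the fields of a form submission or database row."""
    findings = []
    for field, value in record.items():
        for kind, digits in find_pans(str(value)):
            findings.append(Finding(source, f"field '{field}'", kind, mask_pan(digits)))
    return findings


# Constructed sample data: the order id on line 1 fails Luhn, line 2 is a PAN written
# into an error log by a payment application, line 3 is raw track 2 data from a swipe.
SAMPLE_ERROR_LOG = """\
2024-03-02 10:15:01 ERROR gateway timeout order=1234567890123456 amount=42.10
2024-03-02 10:15:02 ERROR auth declined pan=4111 1111 1111 1111 exp=1226
2024-03-02 10:15:03 DEBUG swipe raw=;5500000000000004=26121010000000000000?
"""
# Constructed sample form submission: the customer typed the card number into the zip field.
SAMPLE_FORM = {"name": "J. Doe", "zip": "378282246310005", "order_id": "1234567890123456"}

if __name__ == "__main__":
    for f in scan_text("error.log", SAMPLE_ERROR_LOG) + scan_record("checkout form", SAMPLE_FORM):
        print(f"{f.source}: {f.kind} at {f.location}: {f.masked}")
```

The Luhn filter removes most false positives but not all (about one random 16-digit number in ten passes it), so findings still need a human look; reporting only the masked form keeps the scan report itself out of PCI scope.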
Since 2010, SecurityMetrics PANscan® has discovered about 2.9 billion unencrypted primary account numbers (PAN) on business networks. Storage of unencrypted payment card data increases your organization's risk and liability in the event of a data breach.
- 237,279 GB scanned
- 74% store unencrypted PAN data
- 5% store track data (data inside magnetic stripe)
- Over 429 million cards found
PERCENTAGE OF USERS STORING UNENCRYPTED CARD DATA
Storing any unencrypted card data, especially track data, is a violation of the Payment Card Industry Data Security Standard (PCI DSS) and makes it easier for a criminal to steal data.
- 2017: 69%
- 2018: 85%
- 2019: 88%
- 2020: 74%
COMMON PAYMENT CARD DATA HIDING PLACES
Due to poor processes and/or misconfigured software, payment card data can leak into networks and systems that shouldn't store sensitive data. Here are common places where payment card data hides:
- Error logs
- Accounting departments
- Sales departments
- Marketing departments
- Customer service representatives
- Administrative assistants
7 TIPS TO FIND AND SECURE CARD DATA
1. Find out how your various departments interact with card data.
2. CARD FLOW DIAGRAM: Know where and how card data flows through your systems.
3. Run a card data discovery tool to search for unencrypted card data.
4. Properly remove and/or encrypt card data.
5. Only authorized personnel should have system access.
6. CONSIDER DATA STORAGE: If you don't need to store card data, stop storing it.
7. Reduce the number of systems that store, process, or transmit card data.
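Tip 4 says to remove or encrypt card data once discovery has found it. PCI DSS requirement 3 accepts truncation, keyed one-way hashes, index tokens and strong cryptography as ways of rendering stored PAN unreadable, and it does not allow sensitive authentication data (CVV, PIN, track data) to be kept at all after authorization. The code below is an added example, not from this page or from SecurityMetrics, of what a record that is allowed to reach a database looks like: it assumes the HMAC key comes from a key-management service (here it is generated in memory only so the example runs stand-alone), and the transaction it processes is constructed with a well-known test card number.

```python
"""Storing a PAN in a form PCI DSS requirement 3 accepts as unreadable (added example)."""
import hashlib
import hmac
import os

# Assumption: the HMAC key is fetched from a key-management service or HSM and is never
# stored next to the card data. It is generated here only so the example runs stand-alone.
INDEX_KEY = os.urandom(32)

# Sensitive authentication data must never be kept after authorization, encrypted or not.
SENSITIVE_AUTH_FIELDS = ("cvv", "pin", "track1", "track2")


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes; reject anything that is not 13-19 digits."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN")
    return digits


def truncate_pan(pan: str) -> str:
    """Truncation: keep first 6 and last 4; the middle digits are discarded for good."""
    d = normalize_pan(pan)
    return d[:6] + "X" * (len(d) - 10) + d[-4:]


def pan_index_token(pan: str, key: bytes = INDEX_KEY) -> str:
    """Keyed one-way hash (HMAC-SHA256) usable only for equality lookups, e.g. repeat-card
    detection. An unkeyed hash is not enough: whoever also holds the truncated digits
    faces only a small remaining digit space, so the secret key is what makes this
    irreversible and key management is what carries the control."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def to_storable_record(txn: dict) -> dict:
    """Return the only version of a transaction that may reach a database or log:
    the full PAN is replaced by its truncated form and index token, SAD is dropped."""
    safe = {k: v for k, v in txn.items() if k not in SENSITIVE_AUTH_FIELDS and k != "pan"}
    safe["pan_truncated"] = truncate_pan(txn["pan"])
    safe["pan_token"] = pan_index_token(txn["pan"])
    return safe


if __name__ == "__main__":
    # Constructed sample transaction using a well-known test card number.
    txn = {"pan": "4111 1111 1111 1111", "cvv": "123", "amount": "42.10", "order_id": "A-1001"}
    print(to_storable_record(txn))
```

Everything else in the transaction (amount, order id) is kept unchanged; only the card fields are transformed or dropped, which is also what keeps that database out of the card data environment once the full PAN is no longer present anywhere in it.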