BLOG HOME > GDPR > Do You Know Where You Store Card Data? Unencrypted Credit Card Data Storage.

Do You Know Where You Store Card Data? Unencrypted Credit Card Data Storage.


Wenlock Free, SecurityMetrics   Stephen W Orfei, PCI Security Standards Council
By: Wenlock Free and Stephen W. Orfei

Unencrypted credit card data is hiding on your network

This article was originally featured as an Electronic Transactions Association guest blog

How many news stories have you seen in the past 12 months about major brands in the retail, hospitality, and entertainment industries losing their payment card data? Chances are it’s more than you can count on both hands.

It’s also true that almost any company, including yours, could be in that same situation in the next 12 months. According to a PricewaterhouseCoopers study, 42.8 million cyber attacks are expected this year. Even an average hacker can find credit card data in unexpected and unprotected places.

PCI Compliance IT Checklists

Download Here
Research shows that basic security measures can protect you against hacks 99.9 percent of the time. The PCI Data Security Standard (PCI DSS) covers these basics and much more. It has been developed by industry experts and stands the test of time. Unfortunately, according to Fortinet, 1 in 5 small and medium business retailers are not PCI DSS compliant.

One key part of the standard in which many merchants fail is PCI DSS Requirement 3, “render [primary account number data] unreadable anywhere it is stored.”

Unintentional hidden credit card information

Many businesses that store encrypted card data may not be aware of just how often data is left in its unencrypted form. According to 2015 data from SecurityMetrics, 61 percent of businesses store unencrypted payment card data and 7 percent store track data. Both actions are completely against the PCI standard.



Let’s walk through a simple checklist of the common hidden credit card data storage places in your network.
  • Error logs are one of the most common places unencrypted credit card data is unintentionally stored. When an error occurs during card authentication or processing, an error log is often generated—and these logs frequently contain the full credit card data in plain text.
  • Accounting departments typically have processes for balancing books, processing refunds, and charge reversals that store unencrypted credit card data in files on employee workstations, files stored on shared network file servers, or as printed media.
  • Sales departments may have emailed or printed forms containing credit card numbers.
  • Marketing departments may have databases containing transaction data used for market research.
  • Customer service representatives may take credit card numbers over the phone or view full card numbers, so watch for handwritten or printed card data.
  • Administrative assistants may create a spreadsheet that contains a company or executive’s credit card number for quick access when making payments.


After locating stored credit cards, merchants often try deleting this data by emptying their computer’s trash icon. Unfortunately, emptying a trash icon doesn’t permanently delete its contents. To properly delete, you must erase (repeatedly overwrite) the file from your disk drive.

The sad truth is, if a merchant stores unencrypted payment cards at the time of the breach, whether knowingly or unknowingly, she or he may pay hefty fines and lose the confidence of customers.

Find the Personally Identifiable Data Stored on Your Systems

Start Here
SEE ALSO: Is Your Credit Card Data Leaking?

When people are vigilant in applying the security controls outlined in the PCI DSS to their business, it makes the life of an attacker more difficult. A secure organization has no hidden credit card information to steal. Attackers are forced to move on to much easier pickings.

Protect yourself against unencrypted credit card data storage

The first step to protecting card data is knowing where it is. A great starting point is mapping out a dataflow diagram showing all locations and flows of cardholder data (as required in PCI DSS Requirement 1), to easily identify which systems require protection.

Today’s technology also offers many user-friendly software tools and solutions, such as SecurityMetrics PANscan®, that can assist you in identifying where cardholder data resides on your systems. After running the software, you can take the steps necessary to become PCI DSS compliant by removing or encrypting the unencrypted payment card data on your network. Remember, if you don’t need it, don’t store it!

As always, when working with vendors to determine which tool is right for you, it’s important to keep in mind not all are created equal. Do your homework beyond reading claims that say they are PCI DSS experts. Of course at the end of the day, not even the best technology can substitute the need for vigilance when it comes to securing your business.

2014 will be remembered as the year that data breaches became a board room topic. What will 2015 hold for your company?

Wenlock Free is vice president of strategic partnerships for SecurityMetrics, combining a background in international sales and marketing with over twenty years experience in the data security and training industries. 

Stephen W. Orfei is general manager for the PCI Security Standards Council. A recognized industry expert in global payment platforms, e-commerce, mobile payments, transit and cybersecurity, he has more than 20 years of experience developing and delivering complex global payment solutions. 

Join Thousands of Security Professionals and Subscribe

Subscribe