
Unencrypted credit card data storage: Why 70% of merchants do it

Mike Chapple offers four possible reasons why some merchants still store unencrypted credit card data after years of PCI DSS compliance requirements.

According to a recent report from vendor SecurityMetrics, about seven out of 10 merchants have unencrypted credit card data storage, a practice strictly prohibited by the PCI DSS. PCI DSS compliance isn't new, so why does this still happen? What are the most common areas where merchants inappropriately store card data?


The study you mention is truly mind-boggling. It found that 71% of participating merchants are storing unencrypted payment card information, in clear violation of the Payment Card Industry Data Security Standard (PCI DSS). Not only does this represent a breach of PCI DSS, but it also puts the merchant holding the information at significant risk of causing a breach of personal information that may lead to financial loss and/or identity theft.

I believe that the organizations storing this information could fall into the following four categories:

  • Those that are blissfully unaware of their obligations under PCI DSS. There's not much excuse for ignorance anymore. I would expect that only the smallest or newest merchants do not understand that PCI DSS dictates the ways in which the handling and storing of credit card data should occur.
  • Those that are unaware that their payment application is storing unencrypted cardholder information. My guess is that this is the largest category. Many merchants probably believe that they purchased "secure" software that is handling cardholder data appropriately, while in reality the software may be storing unencrypted cardholder information, unbeknownst to the merchant. Merchants should ensure that they are running software that appears on the list of Validated Payment Applications and that they are running a software version that is certified compliant. It's important to remember that many of the same vendors that now produce applications compliant with the Payment Application Data Security Standard once produced versions that were not compliant. Monitoring the compliance status of your particular application version and applying patches and updates should be critical components of your PCI DSS compliance program.
  • Those that have legacy databases containing cardholder information. Some organizations may have upgraded to PA DSS-validated applications, but still have legacy databases that contain unencrypted information from older systems or business processes. These databases should be sought out and either destroyed or secured.
  • Those that are storing unencrypted information willfully. Hopefully, this is a small category, but there are undoubtedly merchants out there that know they are storing data in violation of PCI DSS and simply aren't doing anything about it.

If you're not certain that you've successfully removed all unencrypted card information from your systems, take the time to conduct a thorough audit. It's better to invest time and resources now to discover areas where you might need to change your practices, than discover later that you've either failed an assessment or been the victim of a major breach.
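One way to start the audit recommended above is to scan file systems and database exports for card-number-shaped strings. The following is an added example, not part of the original answer or any vendor tool: it finds runs of 13 to 19 digits, confirms them with the Luhn checksum, and reports only masked values. The function names, the `SAMPLE` string and the first-six/last-four masking are assumptions of this example.

```python
import os
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Constructed sample: one well-known test number, one order id, one bad checksum.
SAMPLE = "card=4111 1111 1111 1111 order=1234567890123 alt=4111-1111-1111-1112"


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the first six and last four digits so the report holds no full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked forms of the Luhn-valid card-number candidates in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # Runs of one repeated digit (all zeros, for example) can pass Luhn; skip them.
        if len(set(digits)) > 1 and luhn_ok(digits):
            hits.append(mask(digits))
    return hits


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a directory and map each readable file to its masked findings."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    hits = find_pans(fh.read())
            except OSError:
                continue  # unreadable file: skip it and keep scanning
            if hits:
                findings[path] = hits
    return findings
```

A hit is a lead to investigate, not proof of a violation: Luhn-valid numbers also occur by chance in other numeric data, and this text scan does not look inside compressed or binary formats.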

This was last published in March 2013
