More businesses store unencrypted card numbers than you think, and the numbers have gone up this year.
According to our 2017 PANscan study, 67% of businesses that ran PANscan had unencrypted card data on their networks. Additionally, 5% of businesses stored track data.
Let’s compare these statistics to the 2016 PANscan study: storage of unencrypted card data rose from 61% to 67%. This is a significant change, especially since the previous years saw numbers like 62% and 60%. Storage of track data, however, fell from 10% to 5%.
Overall, businesses still struggle to keep PAN secure, but they seem to be doing better with track data.
Protecting card data can get tricky sometimes. Here are some ways to better protect your business’s stored card data.
See also: PCI DSS Requirement 3: What You Need to be Compliant
If you can run your business without storing card data, it’s highly recommended. It will simplify your security process and greatly reduce your PCI scope. For example, if you store and handle card data, the PCI DSS requires you to fill out SAQ D, which has over 300 questions. If you don’t store card data, you can fill out SAQ A, B, or C, which have fewer than 100 questions.
Some ways to avoid storing card data are to use tokenization or to outsource card data handling to a third party. This means another company will handle your card data. You’ll still need to make sure they follow PCI requirements, but most of the responsibility and liability won’t rest on your business.
Remember, the less card data you store, the less you have to worry about.
Many businesses that store unencrypted card data often don’t realize they’re storing it. Card data can be found in areas you may not initially think about.
You should make a card flow diagram that tracks the process your business goes through as it uses, stores, or transmits card data. This will help you see where card data enters and exits your business.
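As an added example (not from the PANscan study or from any SecurityMetrics tool), here is a small Python scanner that does the core of what a card data discovery scan does: it finds Luhn-valid PANs and track 2 records in text and reports them masked, so the report itself does not become another copy of unencrypted card data. The sample input is constructed, and the PAN_RE and TRACK2_RE patterns are simplified assumptions about how card numbers and track 2 data appear in files.

```python
import re

# Assumed patterns: a PAN is 13-19 digits, optionally split by single spaces or dashes;
# track 2 data from a magstripe reader looks like ;PAN=YYMM<service code...>?
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d*\?")

# Constructed sample: an order number that happens to be 16 digits (not a PAN),
# a test PAN written with spaces, and a track 2 record left behind by a swipe.
SAMPLE = (
    "order=1234567890123456 customer=jdoe\n"
    "card=4111 1111 1111 1111 exp=12/25\n"
    "swipe=;5555555555554444=2512101?\n"
)

def luhn_ok(digits: str) -> bool:
    """Luhn check: weeds out most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS permits to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_text(text: str) -> list[dict]:
    """Return masked findings for Luhn-valid PANs and track 2 records, sorted by offset."""
    findings, covered = [], []
    for m in TRACK2_RE.finditer(text):
        if luhn_ok(m.group(1)):
            findings.append({"kind": "track2", "pan": mask_pan(m.group(1)), "offset": m.start()})
            covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(text):
        if any(s <= m.start() < e for s, e in covered):
            continue            # the PAN inside a track 2 record is already reported
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append({"kind": "pan", "pan": mask_pan(digits), "offset": m.start()})
    return sorted(findings, key=lambda f: f["offset"])

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"{f['kind']:6} at byte {f['offset']:4}: {f['pan']}")
```

A real discovery scan runs the same logic over files, database exports, logs and memory images, and a track 2 hit should be treated as more urgent than a bare PAN because track data must never be stored at all.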
Here are some areas unprotected card data may be unintentionally hiding:
Your card data should be encrypted whenever it is not in use. This keeps your card data safe even if it is stolen. It’s recommended you use point-to-point encryption (P2PE), as it encrypts the data from the point of interaction (the card reader) until it reaches the processor.
P2PE prevents unencrypted card data from ever existing in your payment environment. Even if a hacker steals this data, they would only get encrypted card numbers with no practical way to decrypt them.
See also: Securing Mobile Devices with Mobile Encryption
While network segmentation isn’t required by the PCI DSS, it’s good practice to keep your networks that handle card data separate from your other networks.
Whether you do it physically or through a firewall, make sure your systems that store, process, and transmit card data are kept separate from other systems. This reduces your PCI scope, and keeps card data from spreading to unknown areas.
See also: New 3.2 Requirements for Penetration Testing and Segmentation: What You Don’t Know
Need help with PCI compliance? Talk to us!