It could be as innocent as writing down a customer’s credit card number for a future charge, or inadvertently emailing customer information to your call center. This credit card information is now “in the clear” and can easily be accessed by thieves.
According to a new report by SecurityMetrics, the vast majority of small merchants store unencrypted card data – and most don’t even know it. Merchants are more aware of the risk of writing down a card number or emailing it, and can avoid such actions simply by training employees not to physically store or communicate card numbers. But a bigger culprit is merchants’ own data systems, which are often insecure or improperly configured. Simply deleting the information from a computer does not always eliminate it: a “secure delete” is often required to get rid of the unencrypted data, because a regular “delete” leaves it on the disk until something else overwrites it. And merchants often do not understand their systems or the requirements well enough to recognize when they are storing this data.
SecurityMetrics’ Second Annual Payment Card Threat Report found that almost 71% of the businesses that signed up in the last year to have their point-of-sale systems scanned for unencrypted data were storing it. Most alarmingly, there was almost no decline in the number of merchants storing unencrypted card data from 2011 to 2012 – less than one quarter of a percent (0.24%).
Businesses that store unencrypted payment card data directly violate Payment Card Industry Data Security Standard (PCI DSS) requirements – which can set a merchant back financially if they violate the rules or, even worse, if thieves tap into the system and retrieve the unencrypted data. Bluefin provides a highly secure payment gateway that helps take merchants out of PCI compliance scope with security features such as tokenization (the masking of card numbers) and end-to-end encryption (so that no card information traverses the merchant’s system). Bluefin is also an active participant with the PCI Security Standards Council, and consults with Fortune 500 companies on PCI Compliance. Learn more about the ways to stop unencrypted data on your system at https://www.pcisecuritystandards.org/merchants/index.php.