Merchant Services: Focus on Unencrypted Data

The recent Merchant Data Security Report from SecurityMetrics drives home the point that businesses — and small businesses in particular — need to take seriously the issue of unencrypted data storage. To paraphrase the report, merchants must remember it is not their outsourced IT manager, their sales rep or even their merchant services provider that is ultimately responsible and liable for data security; it is up to them.

The Unencrypted Payment Card Data Storage study, conducted during 2011, states upfront that while small businesses have good intentions to keep data secure, many do not spend the time or money necessary to fortify their business network. In fact, most card data on merchant systems is stored unknowingly, making the situation particularly dangerous. “The combination of an unsecured network and unencrypted payment card data inside that network adds fuel to the fire of data theft and fraud,” the report states.

Four common scenarios of unencrypted payment card data storage include:

1. Installation of new POS payment applications that are not configured properly.
2. Non-PCI compliant payment applications that function properly on the front end but often retain unencrypted payment card data.
3. Improper file deletion; software programs are available to accomplish secure deletion and ensure that deleted files are not recoverable.
4. Employee error that arises from a lack of training or a lack of perceived threat from criminals.

The report concludes that vigilance is the first and best line of defense when it comes to unencrypted credit card data. “The very least a business can do to decrease its liability from a potential compromise is scan to evaluate if it stores unencrypted payment card data and securely delete it. Criminals cannot steal data that is not available to them,” it notes. “To ensure lasting liability reduction, searching for card data should not be limited to a one-time event; it must be part of merchant’s regular business operations.”

Storing credit card data is never a good idea, whether it’s encrypted or not. In fact, the Payment Card Industry Data Security Standards (PCI DSS) requires that entities that accept, handle, transmit or store credit card data use security protocols and cryptography to safeguard sensitive cardholder data during transmission over open, public networks.

At Merchant Express®, we assist all our clients in handling credit card data properly, help them attain and maintain PCI compliance and offer merchant services and products to get them there. Talk to one of our trained representatives today to learn more.