Study: Majority of businesses not adequately protecting payment card data

According to the results of a study conducted by SecurityMetrics, a Utah-based provider of data security and compliance solutions, more than 70 percent of merchants store unencrypted payment card data on their business network.

In addition, the "2012 Payment Card Threat Report," found that more than 10 percent of the merchants polled store magnetic stripe track data, which is used by criminals to reproduce credit and debit cards. Between 2011 and 2012, card data storage on corporate networks declines by less than one quarter of a percent despite the obvious threats posed by data breaches.

Organizations in the financial, hospitality and retail industries accounted the majority (55 percent) of those businesses that stored unencrypted payment card data in the study.  

SecurityMetrics said companies the store unencrypted payment card data directly violate Payment Card Industry Data Security Standard (PCI DSS) requirements and are more likely to be exploited by thieves.

"Hackers proactively search for unencrypted card data because it takes less effort to steal," said Gary Glover, director of security assessment at SecurityMetrics. "Whether a business stores unencrypted card data because of an improperly configured payment application, or because employees handle data improperly, storing card data without encryption is against industry regulation."

To prevent payment card data from falling into the wrong hands, SecurityMetrics recommends that businesses take several steps including:

  • Mapping all pathways of payment card data on a network
  • Employing a card data discovery tool 
  • Creating policies that enforce the removal of payment card data from corporate networks
  • Securely deleting all files to ensure that payment data is removed

For more information or to read the study in its entirety, visit