Softpedia
 


December 15th, 2011, 10:56 GMT · By Eduard Kovacs

Hackers Feast on Unencrypted Credit Card Data Stored by Merchants

A serious issue that shouldn’t exist in the first place has been brought to our attention by a recent report released by Security Metrics. As it turns out, the number of merchants that store their customers’ credit card data in unencrypted form is higher than ever.

The latest Merchant Data Security Report reveals that 71% of the businesses that participated in the study stored unencrypted credit card data and, worryingly, many of them are highly vulnerable to SQL injection attacks.

Using a tool called PANscan, Security Metrics scanned the systems of 2,736 merchants, including hard drives, networks and attached storage devices, in search of unencrypted primary account numbers (PAN) and magnetic stripe track data.

The scan found a total of 378,748,700 cards, which translates into an 8% increase compared to last year. In other words, the Sydney Harbor Bridge can be paved three times with payment cards.

On one hand, old, non-PCI-compliant payment applications are problematic and easy to hack, but new payment systems can turn out to be just as insecure if they’re not configured correctly.

Other problems emerge from the improper removal of files that contain payment information. Many believe that if they delete a file, it’s as good as gone, but this is not the case. Even if the information is no longer available to the user, hackers can easily recover it from the device’s unallocated storage space.

While a large part of the sensitive data is stored unknowingly by employees who are not trained to handle it, in many situations merchants just don’t bother to make sure the data is safely tucked away from malicious cybercriminal operations.

Protecting a company network against attacks may not be the easiest task, but encrypting sensitive data stored in databases and setting up proper policies don’t take that much effort.
