Unencrypted payment data still way too common
I've noted that a major benefit of encryption is that it can protect data even if a breach occurs. I also lamented the fact that too many companies still have yet to invest in this area.
Another great example has cropped up, this one in the form of payment data stored by companies. SecurityMetrics has published its second annual Payment Card Threat Report, showing that unencrypted primary account number storage remains "alarmingly high."
Encryption adoption barely increased between 2011 and 2012. Card data storage on corporate systems declined by less than one quarter of a percent. The study found that more than 10 percent of merchants store magnetic stripe track data, which is essential for reproducing credit and debit cards. The financial, hospitality, and retail industries accounted for 55 percent of the total unencrypted payment card data storage among the businesses examined.
This is courting disaster, to say the least. One company said in a statement: "Hackers proactively search for unencrypted card data because it takes less effort to steal. Whether a business stores unencrypted card data because of an improperly configured payment application, or because employees handle data improperly, storing card data without encryption is against industry regulation."
There's another risk factor: not encrypting such data runs afoul of PCI-DSS, which could carry consequences in the event of legal action.