61% of Merchants Still Store Unencrypted Payment Card Data

61% of Merchants Still Store Unencrypted Payment Card Data
OREM, Utah, Feb. 9, 2016 /PRNewswire/

Businesses continue to struggle with the prohibited storage of unencrypted customer payment data. In its fifth study on unencrypted card data, SecurityMetrics’ patented card discovery tool PANscan® found that 61% of businesses store the unencrypted 16-digit sequence on the front of credit cards, also known as the Primary Account Number (PAN).

In the Payment Card Industry Data Security Standard (PCI DSS) 3.0, merchants are instructed that, “Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection” in PCI DSS Requirement 3.

And yet in six years, PANscan has found more than 1.4 billion unencrypted card numbers on business networks. Fortunately, in the past few years, the amount of merchants storing unencrypted card data has gone down from 63% to 61%.

The study revealed that PANscan scanned 276,584 GB of data on 4,703 computers and found:
•A total of 213,930,199 unencrypted payment cards
•61% of businesses store unencrypted PAN data, the same percentage as 2015’s study
•10% of businesses store full magnetic stripe data, including PIN, CVV, service code, expiration date, cardholder name, and PAN
•An average of 45,488 payment cards per computer

“The trend is encouraging in general, but there is still a long way to go,” said Bill Davis, Director of Product Management at SecurityMetrics. “It surprises me that track data continues to be a problem. That’s the Holy Grail for hackers.”

Card data discovery tools like PANscan simplify the process of identifying and directing users to unencrypted card data. View the infographic ( to learn more about the study, or contact a SecurityMetrics representative at or 801.705.5665 to learn more about PANscan.

Leave a Reply

Your email is never published nor shared.

You may use these HTML tags and attributes:<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>