Digital forensics and incident response specialist Foregenix has announced the results of its data discovery projects conducted across 40 companies over a five-month period spanning January to May 2011.
The FScout data discovery tool from Foregenix found over 100 million unique PANs (primary account numbers) residing on the participating companies' systems. It also identified over 1,000 instances of Track 1 data and over three million instances of Track 2 data, the full magnetic stripe contents of a payment card, which allow the card to be cloned if stolen. The confidential trial was conducted with companies of varying sizes from a number of industries, including acquiring banks, retailers, hospitality and e-commerce companies.
The results confirmed that most companies are unaware of the sensitive cardholder data that is lying dormant on their systems. Identifying this legacy data is crucial, as is the means of handling it after discovery. Companies must retain and protect only what is absolutely necessary for business, and delete everything else in a secure fashion; specifically, Track 2 data should never be stored after a transaction has been authorised. Identifying and protecting/deleting this data effectively reduces the cost and complexity of achieving and maintaining PCI DSS compliance and reduces the risk of cardholder data compromise.
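To make the discovery step concrete, here is an added example of the kind of check a data discovery scan performs; it is not FScout or any Foregenix code. It searches constructed sample text for Luhn-valid PANs and for raw Track 2 records (start sentinel `;`, PAN, `=`, YYMM expiry, service code, `?`), and masks what it reports so the scan output is not itself a leak. The card numbers are standard industry test numbers; the order ids and Track 2 record are made up.

```python
import re

# Constructed sample of text a scan might read from a log or database export.
# 4111111111111111 and 5555555555554444 are public test card numbers; the
# order ids, reference number and Track 2 record are invented for this example.
SAMPLE = (
    "order=10001 card=4111111111111111 exp=1225\n"
    "card=5555 5555 5555 4444 status=auth\n"
    "order=10002 ref=1234567890123456 amount=19.99\n"  # 16 digits, fails Luhn
    ";4111111111111111=25121011234567890123?\n"        # raw Track 2 record
)

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation, used to cut down false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Unique Luhn-valid PANs in text, normalised by removing separators."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found

def find_track2(text: str) -> list[dict]:
    """Track 2 records found in text; these must never be stored after authorisation."""
    return [{"pan": m.group(1), "expiry": m.group(2), "service_code": m.group(3)}
            for m in TRACK2_RE.finditer(text) if luhn_valid(m.group(1))]

def mask(pan: str) -> str:
    """Keep only the first six and last four digits in any report output."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

if __name__ == "__main__":
    for pan in find_pans(SAMPLE):
        print("PAN found:", mask(pan))
    for rec in find_track2(SAMPLE):
        print("Track 2 found:", mask(rec["pan"]), "expiry", rec["expiry"])
```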
"Our trial showed that many merchants have no visibility over the unprotected data that they are storing," says Benjamin Hosack, director of Foregenix. "Data Discovery tools assist businesses in identifying unprotected legacy cardholder data, and through regular monitoring provide them with assurance that they are not exposed to unnecessary risk. Acting as an early warning, these tools will alert businesses as soon as unprotected data is identified in business systems. Data leakage could be from misconfigurations of payment systems, changed business processes or malicious behaviour, all of which need to be managed efficiently to reduce risk."
While many large merchants are working towards full PCI DSS compliance, Level 4 (smaller) merchants are still being compromised frequently. In fact, 96% of data compromises in 2010 took place in this sector.
"The target remains the same for attacks. Cybercriminals want cardholder data," continues Hosack. "We have seen businesses of all types falling victim to attack through a variety of methods. With the majority of attackers identifying unprotected cardholder data, companies need to act now to protect their businesses and customers."