Hackers Want Unencrypted Card Data


Unfortunately, retailers contribute to the 70% of businesses that store unencrypted payment card data against Payment Card Industry regulations. Retailers must learn how to securely delete or encrypt this information to protect customers, decrease their liability, and reduce the likelihood of exploitation’s financial burden. Download a trial of PANscan for free here: www.securitymetrics.com/panscan

Published in: Technology
  • This is what this presentation should address (this is what Amanda pitched, and they accepted): Unfortunately, retailers contribute to the 70% of businesses that store unencrypted payment card data against Payment Card Industry regulations. Retailers must learn how to securely delete or encrypt this information to protect customers, decrease their liability, and reduce the likelihood of exploitation’s financial burden. Detailed description (300 words max): Businesses are under attack, hackers search for easy-to-steal credit card information, and most merchants have gaping weaknesses. Discover the dark secrets of unencrypted card data storage and explore the latest statistics from SecurityMetrics’ 2012 Payment Card Threat Report. This presentation will reveal data compromise consequences to revenue, customer retention and brand image. Retailers will learn key insights to easily find, eliminate, and protect customer data on a business network and current unencrypted card data trends. Who will your presentation appeal to? This presentation will target a business audience passionate about protecting both their customers and business from payment compromise and liability.
  • The number one thing our forensic team hears from their clients when they go forensic-ify a business is – they don’t believe they even have card data.
  • The business is responsible for fines and penalties from compromises that resulted from stored payment data. Eric said 95% is correct.
  • If a business is compromised with this information,
  • Before we get any farther, let me explain what unencrypted card data is. (Explain) And all of this can be stored on a business network without you knowing.
  • For example: malware, SQL injection, buffer overflow, weak passwords, and social engineering. Oh, and in case you’re wondering, cards are available on the black market for only £2 a card. So basically what I’m saying is: unencrypted data storage may result in data compromise.
  • Some stats you can use if you wish: 4.5 million small businesses currently operate in the UK. Small businesses account for 99% of all enterprise in the EU (European Commission). Visa estimates that its smallest business customers account for 95% of its breaches.
  • In general, here’s what we found:
      - Businesses unknowingly stored unencrypted payment card data
      - Unencrypted data is also unprotected data
      - Payment applications may store and/or leak
  • Other stats you can talk about:
      - 11% store magnetic stripe track data
      - We scanned 143,579 Gigs
      - We scanned over 450 million files
  • Wanna hear something scary? The most cards we’ve found in a single scan was: 91,657,934. ONE business was storing 91 MILLION cards! That’s the entire population of Egypt!
  • Most people store credit cards unknowingly. Improper deletion: right click, delete is NOT a correct way of deleting cards! Other ways payment apps stored credit cards are because they are legacy applications, or because outsourced IT vendors don’t follow PCI standards.
  • And then there are those who store credit cards knowingly. Microsoft Word or Excel are EASILY EXPLOITABLE PROGRAMS!!!
  • Quickly explain who the PCI Council is. Explain why they encourage cardholder data tools. All merchants are required to comply with payment security regulations known as the PCI DSS (Payment Card Industry Data Security Standard), and protecting card data is crucial to this requirement. Furthermore, business owners risk expensive fines and serious brand reputation losses if industry regulators discover unencrypted card data on business networks. Achieving PCI compliance is often difficult, especially among business owners with no formal technological training. Using PANscan software helps businesses achieve PCI compliance requirements and protects them from card brand and merchant processor PCI fees.
  • So what do you do? How do you get rid of the data?
  • Search capability details: hard drives, systems, networks, attached storage devices and mobile devices. Primary account numbers (PAN) and track data.
  • PANscan software enables brick-and-mortar and e-commerce business owners to quickly close cyber security gaps by locating sensitive customer payment card data stored on business networks. PANscan is a user-friendly, efficient, and affordable tool for the everyday user. Even small businesses or nonprofit organizations can implement it to increase daily security posture and reduce the risk of losing sensitive customer data to hackers. See if you have any cards on your system for free.
  • Don’t forget: criminals can’t steal data you don’t have.

    1. Securing Payments: Don’t Make a Hacker’s Job Easier
    2. SecurityMetrics
    3. #1 Thing Our Forensics Team Hears… “I had no idea I was storing any card data…”
    4. Hacked Business = Stored Data: 95% of SecurityMetrics forensic investigations find unencrypted payment card data on merchant systems
    5. Costs of Compromise & Non Compliance
        • $500,000/card brand - Card brand non-compliance fees (Visa)
        • $10,000-15,000 - Forensic analysis
        • $613/card - Fraud reimbursement (Gartner)
        • $2-5/card - Card replacement (Gartner)
        • $15,000 - Security updates
        • $561,495 - Notification costs (Ponemon)
        • $20/mo - Processor non-compliance fees
        • $5/account - Account monitoring
        • $78,4364 - Business loss (Ponemon)
        • Total:
            – Average organizational cost per breach: $5.5 million (Ponemon)
    6. What is Unencrypted Card Data? Magnetic stripe data; PAN (primary account number); personal information
    7. Main Problems
        1. Unencrypted card data is the #1 reason hackers target businesses
        2. Businesses don’t know if they store card data
    8. Hackers Search for Low Hanging Fruit
        • Many businesses may have weaknesses that leak data
        • Often overlook IT/service providers
        • Card data is easy to steal, lucrative on the black market
    9. Putting It Into Perspective
        • 27.9 million small businesses in U.S.
        • Say each stored 10 unencrypted credit cards
        • 279 million cards accessible to hackers via U.S. business networks.
    10. Investigated more than 2,000 businesses
    11. What We Found: 71% store unencrypted payment data on their business network. Total cards found: 315 MILLION
    12. Most Targeted Industries
        • Financial
        • Hospitality
        • Retail
    13. Storing Unknowingly
        • Improper deletion
        • Payment applications
            – Not PCI compliant
            – Improperly configured
    14. Storing Knowingly
        • Reoccurring billing
        • Chargeback/refund
        • Often stored in Microsoft Word or Excel
        • Comments/notes
    15. PCI Council Guidelines: “…you really need to use some kind of methodology to find where cardholder data is on the network…” Bob Russo, PCI Council
    16. Removing Card Data?
        • Impossible to manually locate data
        • Use a card data discovery tool
    17. A Superior Card Discovery Tool
        • Exhaustive search capability
        • Easy-to-understand report
        • Shows # and location of data
        • Never stores, transmits, or displays full payment card data
        • Efficient on resources
    18. Example: PANscan®
        • 6,000 businesses use PANscan technology to search network
        • Simple, fast, accurate
        • Try for free
    19. They Can’t Steal Data You Don’t Have: If businesses begin to regularly scan their enterprise networks with a card data discovery tool, millions will be protected from identity theft and cyber fraud.
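
A minimal sketch of what a card data discovery scan (slides 16 and 17) does, added here as an illustration and not PANscan's code or method: it walks a directory, flags 13 to 19 digit runs that pass the Luhn checksum, and reports only file, offset and a masked number. The regex, the function names and the constructed sample file (which uses the common 4111… test number) are assumptions made for this example; the Luhn filter is not mentioned in the slides.

```python
import os
import re
import tempfile

# Assumed candidate pattern: 13-19 digits, optionally split by single spaces or dashes.
CANDIDATE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(text: str):
    """Return (offset, masked PAN) per Luhn-valid candidate; the full number is never returned."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append((m.start(), "*" * (len(digits) - 4) + digits[-4:]))
    return hits

def scan_tree(root: str):
    """Walk root and report {relative path: [(offset, masked PAN), ...]} for files with hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    hits = find_pans(fh.read())
            except OSError:
                continue  # unreadable file: skip it and keep scanning
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

def demo():
    """Constructed sample: one notes file with a test card number and a non-card order id."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("refund to 4111 1111 1111 1111\norder 1234567890123456\n")
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Word and Excel files, which slide 14 names as common storage places, are binary or compressed containers, so a plain-text scan like this does not see inside them without unpacking them first.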