Study Finds 8 Percent Increase Of Unencrypted Cards Since 2010

SecurityMetrics found more than 370 million unencrypted cards on various-sized business and home networks

December 10, 2011

2 Min Read


SALT LAKE CITY, Dec. 8, 2011 /PRNewswire/ -- A study published today by merchant data security leader SecurityMetrics shows 71 percent of merchants who entered the study were found to store unencrypted payment card data in 2011, which is an increase of 8 percent since 2010.

Merchants who store unencrypted payment card data directly violate Payment Card Industry Data Security Standard (PCI DSS) requirements and may be subject to fines and other penalties after a compromise. The discovery of unprotected cardholder data may indicate a number of factors, including an improperly designed or configured payment application, a non-PCI compliant payment application or improper card handling by employees.

"There's so much going on in the security industry that it's sometimes difficult to target the most important things," said SecurityMetrics CEO Brad Caldwell. "We think these findings are a game changer for the security industry, and will help focus priorities on the bigger problem plaguing merchants today. After all, criminals can't steal card data merchants don't have."

In it's entirety, the study found over 370 million unencrypted cards on various-sized business and home networks, with the largest amount of payment cards discovered in a single network scan at over 96 million. The study concluded card discovery and deletion is not a one-time event, but must be a part of regular business operation to impact security.

"Today's business landscape is littered with merchants that don't know exactly what's on their system," said SecurityMetrics Director of Forensic Investigations, David Ellis. "In the majority of cases we've investigated, the merchant was unaware their system was storing unencrypted payment card data. Merchants must take responsibility for their customers' card data, which in turn will benefit worldwide commerce in general."

Core to the study was PANscan, a card discovery tool that searches for unencrypted track 1, track 2 and Primary Account Number (PAN) data on merchant networks. If you would like to view the report, or download PANscan to determine if your business is storing data, visit

About SecurityMetrics

SecurityMetrics assists in protecting electronic commerce and payments leaders, global acquirers, and their retail customers from security breaches and data theft. The company is a leading provider and innovator in merchant data security and compliance, and as an Approved Scanning Vendor and Qualified Security Assessor, has helped over 1 million organizations manage PCI DSS compliance and/or secure their network infrastructure, data communication, and other information assets. Founded in October 2000, SecurityMetrics is a privately held company headquartered in Orem, Utah. For more information, visit

Read more about:

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights