What is the cost of poor cardholder data discovery?

Posted on January 6, 2014 by Billy Austin

Credit Card ImageWhen the topic of data breach comes up, encryption and vulnerability scanning are usually part of the solution. But most people don’t realize that getting a frequent assessment on all endpoints can be just as important as securing the payment processing gateway. In fact, many experts consider cardholder data discovery the “third pillar” for overall data breach mitigation.

Knowing the risks

Numerous studies have shown that assessing for unencrypted credit card data at rest plays a vital role in protecting customer payment data. The price we pay for negating data discovery assessments has profound ramifications for corporate branding, business success and ultimately fatal financial repercussions.

Common risks we see all too often that you should be aware of:
1) Payment gateways send/receive encrypted information from the merchant server. Due to mis-configured gateways, card data is being dumped in a text or xml file.
2) Due to the adoption of cloud syncing technologies like iCloud, Google Drive and etc., payment data stored on the desktop is constantly synchronized with smartphones and tablets proliferating beyond the perceived corporate perimeter.
3) Email hands down, is the number #1 location where card data was discovered on over 80% of endpoints.

What you can do to improve cardholder data discovery and mitigate data breaches

1) Assess both mobile and computing devices for unencrypted data
2) Be sure to scan common locations such as Email, SMS, SD Cards, Zip Files, Browsers and Contacts

What you can do after the assessment

1) Encrypt the files or use full disk encryption if retaining the data is justified
2) Properly remove and securely delete the data when no longer needed
3] Educate employees on the importance of protecting cardholder data

See sample report of what to expect after a simple and fast assessment:
Computer Cardholder Discovery Report

Treating cardholder data discovery as a priority rather than a luxury can be a huge step to help promote customer data protection and prevent your business as becoming yet another data breach headline. However, it’s important to be aware that not all cardholder assessments are so easily addressed. Card data residing on smartphones, tablets, laptops or other BYOD computing endpoints can easily be identified by reviewing your PAN or PII Scan reports with your iscanonline.com account.

About Billy Austin

Co-founder of RocketCyber. Former CISO and serial entrepreneur of vulnerability and risk intelligence technologies.
This entry was posted in Cardholder Data, Data Breaches, Mobile Security, PAN Scanning, PCI DSS and tagged , , . Bookmark the permalink.

2 Responses to What is the cost of poor cardholder data discovery?

  1. Pingback: Branden R. Williams, Business Security Specialist » Data Discovery, It’s A Thing!

  2. Pingback: Data Discovery, It’s A Thing! « IT-Security.BlogNotions - Thoughts from Industry Experts

Leave a comment