Are You Leaking Cardholder Data?
Every day thousands of companies receive credit card data from many sources and store it in a variety of locations. Are you aware of every location credit card data is being stored within your organization? It’s surprising how many companies are unaware where they are storing credit card and other sensitive data and their resulting non-compliance. If you are a merchant processing credit cards you are required to comply with all 12 of the PCI requirements. This applies to merchants who maintain their own systems or use third party systems and gateways for payment facilitation. It’s important to be aware of some of the overlooked areas where card data may be stored. It’s widely understood by most merchants and service providers that card data stored in a database should be encrypted and protected. However, there may be some unexpected card data storage locations within your organization. This is usually because of missing policies and procedures or insufficient technology controls. Here are some of the more common locations where unexpected card data storage occurs.
Application & Error Logs
While most companies understand that application logs should not contain cardholder data, there are some circumstances where this happens unexpectedly. This is frequently seen during release cycles or troubleshooting system issues. One of the most common culprits is changing log levels. Some log levels such as ‘Debug’ contain more information than others. In some cases, this may unexpectedly cause the logging of cardholder data. Companies should review their log levels and establish policies and procedures to safeguard sensitive data.Log Archives
As companies collect and store log data from various sources, they may be creating a permanent unprotected record of cardholder data. For example, if an application server from the above example is logging cardholder data, that information may be replicated to a log archive. Companies should use utilities that scan log files and other archives for the possible presence of cardholder data.Spreadsheets
This is our favorite. Some companies store cardholder data for later use in mediums such as spreadsheets and then rely on passwords as the security control mechanism. This is not sufficient to protect cardholder data and does not meet PCI requirements. If you are using spreadsheets you are creating a self-contained database that is easily stolen or misused. Companies using this method should immediately review their business justifications and need to find an approved payment facilitator that can handle their cardholder data storage needs.Phone Agents
Many companies have departments such as customer service and sales that require the agent to handle cardholder data. In some cases, the sensitive data is written down for transfer to another department or for reference and storage. These methods of credit card storage are easily targeted for theft or misuse. Companies should adjust their policies and procedures and possibly their technology to remove any physical/hardcopy storage of cardholder data.Here’s How We Can Help
Mitigation of these issues is vital to keeping cardholder data secure. Depending on your systems and business requirements one of the best ways to close the gap on these vulnerabilities is to offload the cardholder handling responsibility to a certified payment facilitator like Zift. Below are some of the services offered by Zift that help companies secure their cardholder data and achieve and maintain PCI compliance.