The scans also found that a large number of merchants use payment application software that does not conform to the Payment Application Data Security Standard (PA-DSS), fail to configure their payment applications properly, neglect to erase old data when new payment applications are purchased, and/or fail to train their employees in proper handling and storage of card data.
“Improper storage of payment card information puts cardholder data at risk. Our testing suggests that the problem remains surprisingly widespread even with increasing industry emphasis on the need for compliance with PCI DSS regulations”, commented SecurityMetrics CEO Brad Caldwell.
SecurityMetrics discovered the unencrypted data using its PANscan software tool that searches for unencypted data on merchant networks to support PCI DSS compliance efforts.
Merchants who comply with PCI DSS are 50% less likely to suffer a data breach, according to a study conducted last year by Verizon Business.
The PCI requirements to protect stored data, track and monitor access to network resources and cardholder data, and regularly test security systems, offer the most protection from data breaches.
Despite the benefits and the need for compliance, only 22% of over 200 organizations assessed in 2008 and 2009 were up to standard, the study found.