Just when you thought it was safe to start processing again, we discovered a new area of vulnerability that should concern long-time bankcard processors and merchants: the security of your stored legacy data, which may include old credit card numbers and expiration dates as well as other sensitive authentication data. For large companies with massive stores of customer data, much of the non-PCI-compliant data may predate the PCI compliance requirement by several years.
This sensitive data is often overlooked by the merchants and processors storing it, since the PCI compliance requirements are a relatively recent security requirement. If you have customer data that was stored prior to January 1st 2008 (after which, of course, everything moving forward meets current PCI compliance standards), it could be a data compromise liability waiting to happen. You can count on thieves and hackers exploiting this often-overlooked area of stored data management. So despite the potentially daunting task of converting or purging stored data going back years, the risk of loss is too great to ignore.
One industry servicer reported that off-site stored data is commonly lost physically, on backup tapes or other magnetic storage media. One such case, involving a US retail credit management company, revealed a recent discovery of missing backup tape data. The lost data included over six hundred and fifty thousand credit card numbers from its 230 US retailers. In addition, the lost backup tapes contained about one hundred and fifty thousand social security numbers belonging to cardholders.
Next week we’ll try to find some tips for tackling the seemingly insurmountable task of rendering data that you must continue to store for business or legal purposes. See our home page for information on how you can make your business PCI compliant for absolutely nothing!