How to Reduce Security Risks Associated with Storing Credit Card Data

By Mark Johnson  |  Posted 2010-03-08

Companies that store credit card data expose themselves to a great deal of risk, whether they want to or not. If a risk assessment process is implemented, the risks and exposures are identified, and a plan can be put into place to reduce the chance that a breach attempt succeeds. As Knowledge Center contributor Mark Johnson explains here, to remove the risks associated with storing credit card data, companies are turning to trusted third parties who have demonstrated data security as a core competency.

Companies that follow best practices in data security have a risk assessment program. As outlined by the United States General Accounting Office (GAO), risk assessments "provide a basis for establishing appropriate policies and selecting cost-effective techniques to implement these policies. Since risks and threats change over time, it is important that organizations periodically reassess risks and reconsider the appropriateness and effectiveness of the policies and controls they have selected." When a company decides to store specific data, it inherently accepts the risk by doing so, whether the company wants to or not.

If the data that a company stores happens to be credit card data (or, more generally, payment card data including the account number), then there are regulations, guidelines and significant risks associated with this type of data. Companies that store such data, or have a third party storing it on their behalf, fall under the scope of the Payment Card Industry Data Security Standard (PCI DSS). This standard specifically states that "the Primary Account Number (PAN) is the defining factor in the applicability of PCI DSS requirements. If a PAN is not stored, processed, or transmitted, the PCI DSS does not apply."
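Because PCI DSS applicability turns on whether a PAN is stored, the first practical step is finding out whether any of your own repositories actually contain one. The following scanner is an added example written for this page, not code from the article or from ProPay. It pulls 13- to 19-digit candidates out of text records, rejects anything that fails the Luhn checksum or does not start with a major-brand prefix (the prefix list here is illustrative, not exhaustive), and reports hits masked to the first six and last four digits so the scan output itself does not become another copy of the card data. The sample records are constructed; the card numbers in them are publicly known test numbers, not real accounts.

```python
import re
from typing import Dict, List

# Constructed sample records for demonstration (not data from the article).
# 4111..., 5500... and 3782... are well-known published test numbers.
SAMPLE_RECORDS = [
    "order=1001 card=4111111111111111 exp=12/12",
    "order=1002 card=4111 1111 1111 1112 exp=01/13",   # last digit wrong: fails Luhn
    "order=1003 card=5500-0000-0000-0004 exp=06/12",   # dash-separated PAN
    "order=1004 card=378282246310005 exp=09/11",       # 15-digit Amex-style PAN
    "order=1005 phone=8015551234567890",               # 16 digits, not a card number
    "order=1006 token=tok_9f8e7d6c",                   # tokenized: nothing to find
]

# A run of 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Illustrative issuer prefixes (assumption: Visa, MasterCard, Amex, Discover).
BRAND_PREFIX_RE = re.compile(r"^(4|5[1-5]|3[47]|6011|65)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_pan(digits: str) -> bool:
    """Length, issuer prefix and Luhn must all agree before we call it a PAN."""
    return (13 <= len(digits) <= 19
            and BRAND_PREFIX_RE.match(digits) is not None
            and luhn_ok(digits))


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits; replace the rest with '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(record: str) -> List[str]:
    """Return masked PANs found in one text record."""
    hits = []
    for match in CANDIDATE_RE.finditer(record):
        digits = re.sub(r"[ -]", "", match.group(0))
        if is_pan(digits):
            hits.append(mask_pan(digits))
    return hits


def scan_records(records: List[str]) -> Dict[int, List[str]]:
    """Map record index -> masked PANs, for records that contain at least one."""
    results: Dict[int, List[str]] = {}
    for idx, record in enumerate(records):
        hits = find_pans(record)
        if hits:
            results[idx] = hits
    return results


if __name__ == "__main__":
    for idx, masked in scan_records(SAMPLE_RECORDS).items():
        print(f"record {idx}: stored PAN(s) {masked}")
```

A non-empty result from a scan like this over logs, databases or file shares means the PAN is stored and the repository is in PCI DSS scope; the defensive follow-up is to purge the data or replace it with a token held by a third party, which is the approach this article recommends.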

Reasons for data storage risks

So why are there significant risks involved with storing this data? Because such data, once exposed or breached, is easy to misuse. According to Visa, hackers are looking for software that stores sensitive cardholder data as well as personal information to perpetrate identity theft. Hackers are also looking for magnetic-stripe track data and payment account numbers. By having the data in its possession, a company increases the possibility of, and its exposure to, malicious activity against its data repositories.

Moreover, the size of the company storing this data makes no difference to its exposure to hacker activity. Although breaches at large companies resulted in the largest number of compromised accounts, small Level 4 merchants (those processing fewer than 20,000 e-commerce transactions annually) account for more than 85 percent of all compromise events. No company is immune from the hacker community. It's the data that is the main target of malicious activity.

Mark Johnson is CIO of ProPay. Mark has over 24 years in the IT industry. Prior to joining ProPay in early 2008, Mark was senior vice president of IT and security officer for one of the nation's Top 25 issuing and acquiring banks. Mark's experience includes software development of financial systems for a multibillion dollar organization, director of computer science for a Salt Lake City-based junior college, and director of technology operations for FranklinCovey. Mark has also served in the United States Air Force as a statistician where he earned the Air Force Commendation Medal. Mark holds a Bachelor's degree in Computer Science from Idaho State University and a Master's degree in Business Administration from the University of Phoenix. Mark is also a Certified Payment-Card Industry Security Manager (CPISM). He can be reached at
