Companies that follow best practices in data security have a risk assessment program. As outlined by the United States General Accounting Office (GAO), risk assessments "provide a basis for establishing appropriate policies and selecting cost-effective techniques to implement these policies. Since risks and threats change over time, it is important that organizations periodically reassess risks and reconsider the appropriateness and effectiveness of the policies and controls they have selected." When a company decides to store specific data, it inherently accepts the risk by doing so, whether the company wants to or not.
If the data that a company stores happens to be credit card data (or, more generally, payment card data including the account number), then there are regulations, guidelines and significant risks associated with this type of data. Companies that store such data, or have a third party store it on their behalf, fall under the scope of the Payment Card Industry Data Security Standard (PCI DSS). This standard specifically states that "the Primary Account Number (PAN) is the defining factor in the applicability of PCI DSS requirements. If a PAN is not stored, processed, or transmitted, the PCI DSS does not apply."
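Because the presence of a PAN is what brings a system into PCI DSS scope, a practical first step in a risk assessment is to check whether card numbers are actually sitting in logs, exports or databases where nobody expects them. The following scanner is an added example, not code from the original article or from the PCI Security Standards Council: it looks for 13- to 19-digit sequences (optionally separated by spaces or dashes), keeps only those that pass the Luhn check so that order numbers and phone numbers are not reported, and returns each hit with the PAN masked to its last four digits so the scan output itself does not become another store of cardholder data. The sample input is constructed for the example, and the standard Visa test numbers in it are not real accounts.

```python
import re
from typing import List, NamedTuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit (so we don't match the middle of a
# longer numeric string). Length and Luhn are checked after stripping separators.
CANDIDATE_RE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')


class Finding(NamedTuple):
    line_no: int      # 1-based line in the scanned text
    masked_pan: str   # PAN with all but the last four digits masked


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask everything except the last four digits, so findings are safe to log."""
    return '*' * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[Finding]:
    """Scan text line by line and return masked findings for Luhn-valid PANs."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r'[ -]', '', match.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding(line_no, mask_pan(digits)))
    return findings


# Constructed sample "log export" for the example (assumption: this is what a
# scan target might look like). 4111111111111111 and 4012888888881881 are the
# well-known Visa test numbers; the other digit runs are deliberate decoys.
SAMPLE_EXPORT = """\
order_id=1234567890123456 customer=alice status=shipped
card=4111 1111 1111 1111 exp=12/29 amount=42.00
note: refunded to 4012-8888-8888-1881 by support
phone=+1 555 0100 contact preferred
bad=4111111111111112 typo in manual entry
"""

if __name__ == '__main__':
    hits = find_pans(SAMPLE_EXPORT)
    if hits:
        print(f'{len(hits)} PAN(s) found: this data store is in PCI DSS scope')
        for hit in hits:
            print(f'  line {hit.line_no}: {hit.masked_pan}')
    else:
        print('No PANs found')
```

Running the block reports two hits (lines 2 and 3) and ignores the 16-digit order ID, the phone number and the mistyped card number, because each of those fails the length or Luhn check. A real scan would walk files, database dumps or backups instead of an inline string, and a Luhn match is still only a candidate that someone should confirm, since a Luhn-valid number can occur by chance in roughly one in ten random digit runs.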
Reasons for data storage risks
So why are there significant risks involved with storing this data? It is because of how easily such data can be misused if it is exposed or breached. According to Visa, hackers are looking for software that stores sensitive cardholder data as well as personal information in order to perpetrate identity theft. Hackers are also looking for magnetic-stripe track data and payment account numbers. By keeping the data in its possession, a company increases the likelihood of malicious activity against its data repositories and its exposure when that activity succeeds.
Moreover, the size of a company storing this data makes no difference to its exposure to hacker activity. Although data breaches resulted in the largest number of compromised accounts, small Level 4 merchants (those processing fewer than 20,000 e-commerce transactions annually) account for more than 85 percent of all compromise events. No company is immune in the eyes of the hacker community. It is the data that is the main target of malicious activity.