The vast majority of small merchants are still storing unencrypted card data and most don't even know it, according to statistics compiled by a security vendor.
To make matters worse, the stats improved only minutely over last year, according to SecurityMetrics Inc., the Orem, Utah-based security company.
Nearly 71% of the businesses that signed up in the last year to have their point-of-sale systems scanned for unencrypted data were storing it, says Greg Johnson, SecurityMetrics manager of strategic channel relationships.
That percentage, published this month in the company's Second Annual Payment Card Threat Report, represented a decline of just 0.24% from last year, Johnson says.
"In other words, they're still doing it," he says of storing unencrypted card data.
The real percentage of small merchants still storing unprotected numbers is probably higher than the study indicates because the sample consists of businesses that went to the trouble to request a scan of their systems, Johnson admits.
Of the 70.92% of businesses that were harboring unprotected data, the worst three categories accounted for 55% of the problem.
The biggest offender was financial services and insurance, which contributed 21% of the total.
Hospitality — the hotels and motels that like to keep guests' card numbers at least for the duration of a stay — was second worst. That segment contributed 18%.
Retailers, including everything from chains to mom-and-pop corner stores, were 16% of the total.
Others included the service industry, 10%; technology, 8%; communications and marketing, 7%; entertainment and health care, tied at 4% each; a catchall called unknown, 3%; education, also 3%; religious organizations and manufacturing, 2% each; and government and charity at 1% each.
SecurityMetrics put together the stats from scans of 2,754 machines, mostly point-of-sale systems, Johnson says.
It offers a product called PANscan that detects unencrypted data and reveals its location to users so they can delete it.
Getting rid of the unencrypted data requires a "secure delete" because a regular delete leaves it in a computer until something else overwrites it, Johnson notes. To securely delete something, a computer must proactively write new data in the place where the old data was stored.
Encrypting card numbers and ridding a system of unencrypted data helps prevent criminals from using the information to commit fraud, he says.
So-called "crimeware toolkits" now available online can make it easy for thieves to capture and use the encrypted data, Johnson says.
And a number of circumstances or actions can leave the vulnerable information in a system.
Improperly configured systems, for example, often store the unencrypted data, keeping it on hand without the merchant's knowledge, Johnson says.
Sometimes, employees store unencrypted data for future purchases because they don't realize the danger of data theft, he notes.
Taking orders by phone or via email also can lead to storing unencrypted information, Johnson says.
"They may have a homegrown shopping cart or billing system storing data," he adds.
The job of alerting merchants to the possibility that they may be making a home for unguarded data often falls to independent sales organizations and sales agents, says Johnson.
"The message here is that every ISO should encourage every merchant to make a very small investment in scanning for unencrypted data," he urges. "Most of these tools cost less than $100 per machine" for each scan.
Discovering and eradicating the unprotected data can prevent trouble, Johnson says, citing the example of a small Mexican restaurant that fell victim to a data breach and was forced to shut down after incurring a $100,000 fine.