Press release -
Foregenix: Foregenix data discovery project reveals unprotected sensitive customer cardholder data on merchants’ systems
Digital forensics and incident response specialist Foregenix has announced the results of its data discovery projects conducted across 40 companies over a five-month period spanning January to May 2011. The FScout data discovery tool from Foregenix found over 100 million unique PANs (primary account numbers) residing on the participating companies’ systems. It was also able to identify over 1,000 instances of Track 1 data and over three million instances of Track 2 data – the full magnetic-stripe contents of payment cards, which allow the cards to be cloned if stolen. The confidential trial was conducted with companies of varying sizes from a number of industries including acquiring banks, retailers, hospitality and e-commerce companies.
The results confirmed that most companies are unaware of the sensitive cardholder data that is lying dormant on their systems. Identifying this legacy data is crucial, as is the means of handling it after discovery. Companies must retain and protect only what is absolutely necessary for business, and delete everything else in a secure fashion; specifically, Track 2 data should never be stored after a transaction has been authorised. Identifying and protecting/deleting this data effectively reduces the cost and complexity of achieving and maintaining PCI DSS compliance and reduces the risk of cardholder data compromise.
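The kind of discovery the release describes, as an added illustration that is not Foregenix's or FScout's code: a scanner that flags Luhn-valid PAN candidates and Track 1/Track 2 patterns in text, and reports them masked so the findings report does not itself become another copy of unprotected cardholder data. The sample input is constructed; the regular expressions assume the standard Track 1 (format B) and Track 2 layouts.

```python
import re

# Luhn checksum: filters out most digit runs (order ids, timestamps) that are
# the right length but are not real card numbers.
def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    # Keep only the first six and last four digits in any report.
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

# Candidate PAN: 13 to 19 digits, optionally space- or dash-separated.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2: PAN, '=' separator, YYMM expiry, service code, discretionary data, '?' sentinel.
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})\d*\??")
# Track 1 (format B): '%B', PAN, '^', name, '^', YYMM expiry, service code, data, '?'.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^(\d{4})(\d{3})[^?]*\??")

def scan_text(text: str) -> dict:
    """Return masked, de-duplicated findings grouped by data type."""
    found = {"pan": set(), "track1": set(), "track2": set()}
    for m in TRACK1_RE.finditer(text):
        if luhn_valid(m.group(1)):
            found["track1"].add(mask(m.group(1)))
    for m in TRACK2_RE.finditer(text):
        if luhn_valid(m.group(1)):
            found["track2"].add(mask(m.group(1)))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found["pan"].add(mask(digits))
    return {k: sorted(v) for k, v in found.items()}

# Constructed sample: a log line, a raw swipe buffer, and a lookalike order id.
SAMPLE = (
    "2011-03-02 order 8812 card=4111 1111 1111 1111 auth=OK\n"
    "swipe: %B5500000000000004^DOE/JANE^15121011234567890?"
    ";5500000000000004=151210112345678?\n"
    "ref 1234567890123456 is an order id, not a card\n"
)

if __name__ == "__main__":
    for kind, hits in scan_text(SAMPLE).items():
        print(f"{kind}: {len(hits)} -> {hits}")
```

The swipe buffer is reported under all three headings because a Track 1 or Track 2 hit always carries a PAN; the sixteen-digit order id fails the Luhn check and is ignored.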
“Our trial showed that many merchants have no visibility over the unprotected data that they are storing,” says Benjamin Hosack, director of Foregenix. “Data discovery tools assist businesses in identifying unprotected legacy cardholder data, and through regular monitoring provide them with assurance that they are not exposed to unnecessary risk. Acting as an early warning, these tools will alert businesses as soon as unprotected data is identified in business systems. Data leakage could be from misconfigurations of payment systems, changed business processes or malicious behaviour; all of which need to be managed efficiently to reduce risk.”
While many large merchants are working towards full PCI DSS compliance, Level 4, or smaller merchants, are still being compromised frequently. In fact, 96% of data compromises in 2010 took place in this sector.
“The target remains the same for attacks. Cybercriminals want cardholder data,” continues Hosack. “We have seen businesses of all types falling victim to attack through a variety of methods. With the majority of attackers identifying unprotected cardholder data, companies need to act now to protect their businesses and customers.”
About Foregenix
Foregenix is an independent, specialised information security business, headquartered in the United Kingdom, with a global service delivery capability. The Foregenix team has been closely involved with the Payment Card Industry since the inception of the security standards in 2004, and has carried out PCI DSS assessments, PA-DSS assessments, penetration tests and forensic investigations on hundreds of organisations during this time. Its technical team has extensive experience in digital security, having worked as security consultants, analysts and engineers in a wide array of environments, including global financial institutions and global networking and security providers.
About FScout Enterprise
FScout Enterprise is a rapid and accurate solution, providing users with centralised reporting and comprehensive false-positive management using its Adaptive Dynamic Management System (ADMS). The software’s scalability makes it easy for both small businesses and large enterprises to identify and monitor for ‘rogue’ data. It also maintains the integrity of the host computer while performing scans, so it does not interrupt daily activity.
For more information please contact:
Liam Collis or Nikki Scrivener
Fourth Day PR
+44 (0)20 7403 4411
liam@fourthday.co.uk or nikki@fourthday.co.uk