
The weird and wonderful places you unintentionally store cardholder data

Having worked in cardholder data discovery for over a decade, we’ve developed a keen understanding of some of the most common reasons organisations tend to have unprotected cardholder data.

The most common places where cardholder data is stored are the databases, servers and file systems directly involved in processing card data. For the purposes of this article, though, we wanted to investigate the unexpected places where a substantial amount of cardholder data can build up, places that organisations often overlook in their initial scoping and scanning work. To that end, here are some of the weird and wonderful places you might be unintentionally storing cardholder data.

Forms

A key way that many organisations interact with their customer base is via web forms. Whether it is a simple ‘contact us’ entry on your website or a more in-depth application form, forms are an area where cardholder data is often unintentionally received, which leads to it being stored and backed up in an insecure way. This flow of information can often lead to a costly cardholder data problem for organisations. Sometimes customers try to be ‘too helpful’ and use a free-text field inside a form to enter their full Primary Account Number (PAN – the 16 digits on the credit card), hoping that this will help with servicing their request, which might relate to a sign-up, a refund, or another request for information. Other times, muscle memory takes over, and the field the customer thought was the card number field turns out to be the name field, a field that is typically not protected before the information is stored. This can lead to card numbers ending up in logs or in an unprotected database column.

To prevent new data from being stored, we advise customers to really ‘lock down’ their forms as much as possible, ensuring that only the text, numbers or special characters required for a particular field can be entered against each specific entry. This is especially challenging in a free-text field, where you need a process that reviews the data and scrubs only the part that should not have been collected. It’s also important to make sure that the instructions and workflow are extremely clear for the user, stating from the outset both the information you ‘do’ and ‘don’t’ want to collect.

Email

Going hand-in-hand with forms, email also represents an area where cardholder data is often received and stored unintentionally. This usually involves a breakdown in business process or that same ‘helpful customer’ again. Perhaps the biggest difference between email and forms is that these cards can be the result of customer or employee errors.

Sometimes customers try to provide all their details to ensure their order is processed as soon as possible, and they email the first address they can find. Even more often, card numbers get emailed to support addresses in connection with refunds: the customer lets the company know which card was used for the purchase, and may even provide a different card to receive the refund.

Sometimes staff members either fail to follow secure business processes, or there is no process to begin with. Here we’re talking about things like a customer service representative asking for a full card number to process a refund. The reality is that most systems are set up to need at most the first six and last four digits. But if the process means they have to get someone to log in to the database and find the transaction reference, then get someone to use the token to look up the digits relating to the card number, and then use that subset of digits to do the refund, it can take a while. If they just get the card number straight from the customer it’s a lot faster, right?

In fairness to these staff members, on many occasions they have not been adequately trained to understand the risk this activity represents, and in just as many cases there simply isn’t a secure business process for them to follow when handling cardholder data.

When we think about mitigation steps for email, a lot of this comes down to organisation-wide awareness and training being a core and ongoing activity. Technical controls like inbound Data Loss Prevention (DLP) and regular scanning of high-risk business units’ assets are also good controls here.
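The form lock-down described in the Forms section and the inbound scanning mentioned for email both rest on the same two pieces of logic: strict per-field validation for structured fields, and a way to spot PANs in free text so they can be truncated to the first six and last four digits before anything is stored or logged. The following is an added example, not code from the original post or from Quasar; the field rules, the regular expression and the sample submission and email body are all constructed for illustration.

```python
import re

# Constructed sample inputs (not from the original post): a web-form submission in which
# a PAN has landed in the name field and the message, and an inbound support email.
FORM_SUBMISSION = {
    "name": "4111 1111 1111 1111",        # muscle memory: PAN typed into the name field
    "order_ref": "ORD-10233",
    "message": "Please refund my order, card used was 4111111111111111 thanks",
}
EMAIL_BODY = "Hi support, my card is 5555-5555-5555-4444 and the order is 9876. Refund to 4012888888881881."

# Allowed character classes per structured field (assumed policy); anything else is rejected outright.
FIELD_RULES = {
    "name": re.compile(r"^[A-Za-z' \-]{1,80}$"),
    "order_ref": re.compile(r"^ORD-\d{5}$"),
}

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; cuts false positives on order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def _is_pan(digits: str) -> bool:
    return 13 <= len(digits) <= 19 and luhn_ok(digits)

def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid PANs found in free text, with separators stripped."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if _is_pan(digits):
            found.append(digits)
    return found

def redact(text: str) -> str:
    """Replace each Luhn-valid PAN with first six + last four so only a truncated value is kept."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if _is_pan(digits):
            return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
        return m.group(0)
    return PAN_CANDIDATE.sub(_mask, text)

def validate_form(submission: dict, free_text_fields=("message",)) -> dict:
    """Reject structured fields that break their rule; scrub free-text fields before they are stored."""
    errors, cleaned = {}, {}
    for field, value in submission.items():
        if field in free_text_fields:
            cleaned[field] = redact(value)
        elif field in FIELD_RULES:
            if FIELD_RULES[field].fullmatch(value):
                cleaned[field] = value
            else:
                errors[field] = "invalid characters or format"
        else:
            errors[field] = "unexpected field"
    return {"ok": not errors, "errors": errors, "cleaned": cleaned}

if __name__ == "__main__":
    print(validate_form(FORM_SUBMISSION))
    print(find_pans(EMAIL_BODY), "->", redact(EMAIL_BODY))
```

With the constructed input, the name field is rejected because digits are not allowed there, the message is stored with the PAN truncated to `411111******1111`, and the same `find_pans` function run over the email body reports two Luhn-valid PANs, which is the signal an inbound DLP rule or mailbox scan would act on.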

Browser Cache

Finally, sometimes it’s our browser that wants to help. A web browser cache can often be an unexpected store of cardholder data (have you ever seen your browser ask if you want to save your card for future purchases? Some browsers even let sites check whether you have payment information stored in the browser). Although some websites are designed in a way that prevents cards from being ‘auto-populated’ by the browser, this is unfortunately not always the case, and it can lead to users either intentionally or unintentionally storing cards where they shouldn’t be. In practice this covers a few use cases, from staff members using a web-based SaaS-type portal to process cards as part of their role, right through to making personal online purchases using browsers that helpfully save your cards. All of this, of course, results in the storage of vulnerable cardholder data.

Mitigation here comes down to ensuring that critical websites are both secure and have cache limiting in place. Staff should also be aware of the risk presented by this and actively encouraged not to allow cardholder data to be stored via cache whenever they are interacting online. Make sure to train your users on how to disable settings like “Save and fill payment methods” in their browser settings.
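Two of the mitigations named above, card pages that are not offered for browser autofill and cache limiting on those pages, can be checked before deployment. The following is an added example, not code from the original post or from Quasar. It assumes a policy under which card-data inputs must carry `autocomplete="off"` and the responses carrying them must send `Cache-Control: no-store`; browsers do not uniformly honour `autocomplete="off"` for payment fields, so this check complements, rather than replaces, the user training the post recommends. The page markup and headers are constructed.

```python
from html.parser import HTMLParser

# Constructed sample markup for a staff-facing payment page (not from the original post).
PAYMENT_PAGE = """
<form method="post" action="/charge">
  <input type="text" name="cardholder" autocomplete="off">
  <input type="text" name="cc-number" autocomplete="cc-number">
  <input type="text" name="expiry">
  <input type="text" name="cvv" autocomplete="off">
</form>
"""

# Constructed response headers as a typical framework might emit them by default.
DEFAULT_HEADERS = {"Content-Type": "text/html", "Cache-Control": "private, max-age=600"}

# Field-name fragments that, under this example's assumed policy, mark card-data inputs.
CARD_FIELD_HINTS = ("cc-", "card", "pan", "cvv", "cvc", "expiry")

class CardInputAuditor(HTMLParser):
    """Collect <input> elements whose name suggests card data but that lack autocomplete="off"."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        name = (a.get("name") or a.get("id") or "").lower()
        if any(h in name for h in CARD_FIELD_HINTS) and (a.get("autocomplete") or "").lower() != "off":
            self.findings.append(name)

def audit_card_inputs(html: str) -> list[str]:
    """Return the names of card-data inputs the browser may offer to save or autofill."""
    parser = CardInputAuditor()
    parser.feed(html)
    return parser.findings

def cache_headers_ok(headers: dict) -> bool:
    """True only when the response forbids storing the page in any cache."""
    directives = {d.strip().lower() for d in headers.get("Cache-Control", "").split(",")}
    return "no-store" in directives

def harden_headers(headers: dict) -> dict:
    """Return a copy of the headers with cache-limiting directives set for a card-handling page."""
    hardened = dict(headers)
    hardened["Cache-Control"] = "no-store, no-cache, must-revalidate, max-age=0"
    hardened["Pragma"] = "no-cache"       # for older HTTP/1.0 caches
    return hardened

if __name__ == "__main__":
    print("inputs open to autofill:", audit_card_inputs(PAYMENT_PAGE))
    print("default headers ok:", cache_headers_ok(DEFAULT_HEADERS))
    print("hardened headers ok:", cache_headers_ok(harden_headers(DEFAULT_HEADERS)))
```

On the constructed page the audit flags `cc-number` (its `autocomplete` value invites the browser to fill a card number) and `expiry` (no `autocomplete` attribute at all), and the default `private, max-age=600` headers fail the cache check until `harden_headers` is applied.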

To Conclude

While these represent just a few of the ‘weird and wonderful places you can unintentionally store cardholder data’, they do provide an eye-opening look at common themes seen across an organisation’s environment. This is by no means an exhaustive list, and the usual ‘information repositories’ that tech teams target first are also important when it comes to locating cardholder data.

At the end of the day, what’s clear when looking at the cardholder data problem is the fact that no single technical control provides the answer to addressing this issue and many of the controls will only help you prevent the problem in the future – they won’t find or clean up what’s already there. What is often required is a shift in the mindset or culture of handling sensitive information across an entire organisation. This being the case, it’s only with the full support and endorsement of senior stakeholders that this shift is ever likely to succeed. Investing in technology, process, and most importantly people will always be of vital importance to ensuring that customer data is being treated with the utmost care.

Here at Quasar, the team is committed to not only uncovering where unprotected cardholder data has increased your risk but more importantly, why the data is there and how you can take the practical steps to fix the problem in an enduring way.

Contact our team today!
