The majority of UK businesses are breaching Payment Card Industry (PCI) data security standards by unwittingly storing customers' credit card details. As a result, they are in danger of being slapped with a £500,000 fine by the Information Commissioner's Office if a data leak occurs, as well as suffering reputational damage.
On average, each business is unknowingly storing more than 1,000 credit card records. However, in some cases the records can run into millions. Alarmingly, one company held more than 20 million credit card numbers on its servers while believing it had none.
The discovery was made by Ground Labs, an identity protection company, when it was conducting a survey of 1,000 companies in the UK and across Europe.
Mohamed Zouine, European director at Ground Labs, said: "We have more than 1,000 businesses across the UK and Europe that have used our software and every single business found erroneous card records in its IT system... Even those businesses that believe that their systems are clean are carrying records that could be easily acquired by hackers."
Many of the compliance breaches can be attributed to routine computer processes such as browser caches, duplicated emails or transaction logs from banks. These processes nonetheless leave behind sensitive data that has a black market value and, in the wrong hands, can be used to defraud consumers.
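As an added example (not part of the article and not Ground Labs' software), the scan below finds card numbers hiding in ordinary text such as transaction logs, the kind of stray record described above. It applies the Luhn check to discard digit runs that merely look like card numbers, and reports only masked values so the scan itself does not create another copy of the PAN. The log lines are constructed for the example.

```python
import re

# A candidate PAN is 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the form PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Scan text line by line; return masked, Luhn-valid card numbers with their line numbers."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            # Luhn rejects roughly 90% of random digit runs (order ids, timestamps, references).
            if luhn_valid(digits):
                findings.append({"line": line_no, "masked": mask_pan(digits)})
    return findings


# Constructed sample: two real-looking PANs (public test numbers), one order reference
# and one millisecond timestamp that are the right length but fail the Luhn check.
SAMPLE_LOG = """\
2012-11-20 09:14:02 order=10231 pan=4111 1111 1111 1111 amount=49.99
2012-11-20 09:14:05 order=10232 pan=5500000000000004 amount=120.00
2012-11-20 09:15:11 order=10233 ref=1234567890123456 amount=15.00
2012-11-20 09:16:40 session=1353402400124 cache hit
"""

if __name__ == "__main__":
    for hit in find_pans(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['masked']}")
```

Run against a real mailbox export, browser cache directory or log archive, the same two functions turn the article's claim into something a business can check for itself.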
With Christmas approaching and another strong season for e-commerce and credit card transactions predicted, the situation could become particularly acute, said Ground Labs.
Zouine added: "The issue for smaller businesses is that they are far less protected than large corporations. It is relatively easy for an entrepreneurial thief to steal IT equipment or hack into a business and retrieve valuable credit card data."
According to Ground Labs, £341m was stolen in the UK in 2011 through credit card fraud, while hacking incidents have risen by 19% in the past six months. The UK is consistently among the top three most targeted countries and in August 2012 suffered 69% of worldwide phishing attacks.