Scanning Microsoft Outlook exposes cardholder data on 80% of merchants

Billy Austin

outlook-graphic-221.pngAre you emailing customer orders with cardholder data? Quit it! Don't do that!

Cardholder data refers to information printed, processed, transmitted or stored in any form on a payment card. Organizations that accept cards are expected to protect cardholder data and, in most cases, this is mandatory. PCI DSS requirement 3.x explicitly outlines the testing procedures that need to be met. So what's the problem?

Given today's high volume of data breach news related to cardholder data, this blows me away and is consuming 100% of my coffee break time. I would think that common sense would have been applied by now. It's time for the industry to do something without a federal bill passing through Congress on who can carry Plastic, Square or Paper. Regardless of the call to action on encrypting, removing, or whatever remediation one chooses; identification and protection to only the "PCI Audit Zone" doesn't work in my opinion.

After querying numerous compliance and security colleagues, the number one response was "we address the areas that are needed in order to maintain compliance". Many were referring to PCI DSS, with a handful talking about HIPAA.

What other challenges keep one from assessing all endpoints? As I lifted my jaw from the ground, most responded with "data loss prevention is too expensive". Also, they were converting Outlook PST files to text and then running analysis. Rightfully so, I now understand one of many potential reasons why cardholder breaches are still a problem.

My colleagues and I discussed the issues at hand. We decided to research and apply the Microsoft Outlook scanning feature with a deliverable for anyone to scan their Outlook PST files anytime, anywhere. In fact, we decided to add ZIP and Office file formats also, and I'm glad we did. Currently, 80% of all customers are finding unencrypted credit card data in Outlook as well as the new formats.

See sample data discovery scan report (aka PAN Scanning) illustrating the file path, card brand, file format, and number of instances.

In summary, I am hoping this will contribute to mitigating cardholder data breaches. Now the question is, are your employees storing or emailing cardholder data? You can now find out easy and quickly; and a little hint, "don't forget to scan your remote workers." The results will be shocking if it is your first baseline data discovery scan assessment for cardholder data.

Happy scanning!