Why Are So Many Payment Processors Still Fumbling With Card Security?

In the world of payment processors, card security is crucial. Yet many are failing to adequately protect their databases, leaving millions of consumers vulnerable to having their sensitive information stolen.

Payment processors deal with debit and credit card transactions on behalf of businesses and other merchants; they verify payments in order to prevent fraud, requiring them to process, and often store, large volumes of card details and corresponding personal information. But an alarming number aren’t handling this data responsibly.

A recent example is nCourt, a payment processor used by local governments to collect court fines and utility bill payments from residents in Arkansas and Oklahoma. The firm, which operates the payment sites courtpay.org and utilitypay.org, inadvertently left a cache of data pertaining to several years’ worth of transactions accessible on its website.

The exposed information contained records of 143,000 transactions across the two sites, each of which included the name, postal and email addresses, and partial card details of the payee. Some transactions also included incomplete bank account details and dates of birth.

An investigation by TechCrunch discovered that the data, which was not encrypted, was left exposed for at least five months and subsequently shared on a popular hacking forum.

But nCourt is not alone in blundering when it comes to the card security of its users. There have already been several other cases of payment processors failing consumers since the start of this year.

Payment Processors Failing to Protect Consumers

While there are numerous recent examples of payment processors failing to protect people’s data, two of the most worrying concern the companies Paay and Conerstone Payment Systems.

Conerstone, which provides its services to organizations like nonprofits, ministries and churches, was found to have left a database containing 6.7 million payment records online without any form of password protection. The available data contained transaction information dating back as far as 2013 and was still being regularly updated when the shortcomings in Conerstone’s security protocols were discovered.

Again, each recorded transaction contained the partial card details, as well as the name, email and often postal addresses, of each payee. In this case, records also stated the card type, the date and time of the transaction, the name of the merchant and, in cases of donations or commemorations, notes from the customer explaining the purpose of their purchase.

Paay, a New York-based payment processor, was found to be similarly lax with a database containing approximately 2.5 million individual card transactions made between September 2019 and this April.

An investigation found that each of the transactions contained the full credit card number and expiry date of the card used, as well as the amount spent, though not the cardholder name or verification value. It should be noted that company co-founder Yitz Mendlowitz disputes the claim that Paay stored card numbers, though another TechCrunch exposé asserts that, upon presenting him with evidence of card numbers found on the database, they received no reply.

The documented transactions spanned multiple merchants and were once again found on a server that was not password protected, making them accessible to anybody who cared to look.

These are just a few examples of payment processors falling short in their duty to protect consumers by securing their own databases; Cornerstone, Paay and nCourt are not alone in mishandling sensitive data and leaving it exposed to the advances of prospective cybercriminals.

But if these kinds of companies acknowledge their responsibility and are willing to make the necessary changes to their data-handling protocols, there are a number of steps they can take in order to increase card security.

How Can Payment Processors Increase Card Security?

Many of the measures required for payment processors to adequately protect their databases are centered on clearly-defined systems and increased accountability, but while the majority seem like common sense, a significant number of companies still aren’t implementing them.

One upside of this is that there are numerous, relatively simple practices which payment processors can adopt that will instantly improve their existing levels of card security:

  • Require authentication to access the database. This should only be provided to a select pool of authorized users for whom access is absolutely necessary.

  • Grant minimum permissions to all users of the database; no user should have permissions that exceed the requirements of their job function. If possible, grant permissions through roles rather than directly allocating them to user IDs.

  • Document the procedure for providing and reviewing the database. Assign a data proprietor and ensure they read and sign this document.

  • Enforce strong passwords across the entire network. Encrypt database passwords when storing them or transmitting them over the network.

  • Applications to access the database should require individual logins and authorizations, established by providing IDs and passwords that are secured. Secured login credentials should not exist on the client workstation.

  • Avoid establishing public grants in databases which also contain protected information. If this is not possible, any public grants must be documented. 

  • Non-DBA accounts should not be able to grant roles or permissions within a database containing protected information.

  • All accounts with access to the database must be locked after an established number of failed login attempts.

  • The data proprietor should approve a procedure for addressing inactive users, and this procedure should be documented.

  • DBAs should provide the data proprietor with a report of elevated data permissions each quarter.

  • The data proprietor should also be provided with reports of all users’ access rights at six-month intervals.

Ultimately, in order to avert data loss or leakage and prevent unauthorized access to sensitive information, payment processors must take conscious steps to protect their databases. Despite the increasing prevalence of online hackers, many cases of poor card security still stem from complacency. Given the potential ramifications for consumers, this kind of inaction is inexcusable.


The necessary steps to secure sensitive information aren’t difficult; simple, carefully considered security protocols need to be established, and the employees tasked with implementing them clearly defined. Payment processors should no longer expect forgiveness for failing to protect consumers.