PCI Compliance

Your account data is a target!

2012 – Payment card data made up 48% of data breaches investigated and was also the 2nd largest volume of records affected.
2013 – Payment card data targeted in 61% of breaches investigated.

The following methods were identified as being used to remove stolen data from the environments*:

  • 76% exploited weak or stolen credentials
  • 52% involved some form of hacking
  • 40% incorporated malware
  • 35% involved physical attacks
  • 29% leveraged social tactics

* Sources: Trustwave 2013 Global Security Report; Verizon Data Breach Investigations Report 2012 and 2013

So how do criminals get the tools they need to steal payment card data?

Unfortunately, a number of tools designed to promote criminal activity can be found on the Internet, and criminals set up their own online communities to share data and information.

Additionally, card writers used to propagate payment card fraud can be readily purchased. Card-writing software can also be found in hacker communities, often for free download.

Common methods for monetizing stolen card data:

  • Skimmed full track data and transaction information are used to replicate a physical payment card, which can then be used for fraudulent transactions in face-to-face environments or at ATMs
  • Captured cardholder data is used where card-not-present transactions are accepted, such as e-commerce or mail-order / telephone-order (MO/TO) transactions
  • Stolen cardholder data and sensitive authentication data are sold in bulk to other criminals, who perform their own fraud using the stolen data

Stolen payment card data is traded like a commodity, and its value can fluctuate according to market circumstances.

In July 2013, news coverage of a breach where multiple organizations were targeted reported that the stolen payment card numbers were valued at between $10 and $50 each in some markets.

Commonly targeted industries* include:

  • Retail – 45% of breaches
  • Food and Beverage – 24% of breaches
  • Hospitality – 9% of breaches
  • Financial Services – 7% of breaches
  • Nonprofit – 3% of breaches

* Sources: Trustwave 2013 Global Security Report; 2013 Verizon Data Breach Investigations Report

Major payment card processor (2005) – 40 million cards lost
Attackers accessed a database that had direct connectivity to the Internet.
The company is no longer in business.

Major clothing retailer (2007) – 45.7 million cards lost
Malware was used to skim account data as it was processed, over a period of 18 months.
Reports put the direct costs of the breach at 256 million USD.

Payment processor (2009) – 160 million cards lost
Malware was used to capture cardholder data as it was processed.
Reports put the direct costs of the breach at 171 million USD.

US food-based retailer (2013) – 1.8 million cards lost
Malware installed at the POS skimmed account data as it was captured.
Estimated costs could exceed 80 million USD.

These are some of the top mistakes as revealed by forensic audits:

  • Weak or default passwords
  • Lack of employee education
  • Security deficiencies introduced by third parties
  • Slow self-detection

These are all basic security principles that, when properly implemented, can play a significant role in reducing the impact and severity of a breach.


PCI DSS and the other PCI security standards help provide a multi-layered approach to protect cardholder data, which includes people, process, and technology.

Think the next victim won’t be you? Contact Envoy today and learn how we can assist you in your data security compliance initiative!