James Bickers is the editor of Retail Customer Experience, a sister site of Self-Service World. To submit a comment about this story, e-mail Tracy Kitten.
ANNAPOLIS, Md. — New research from global payment security consultancy Trustwave analyzes the most common methods and targets of recent card breach incidents, and the results may surprise merchants.
Trustwave collected hard data from 400 recent cardholder data compromise incidents, and analyzed them to find the latest attack trends and techniques.
 
Among the findings:
  • The vast majority of the incidents — 9 out of 10 — were aimed at small merchants, a big change from just a few years ago, when big merchants were the primary target. Now that those larger entities are paying closer attention to payment security, attackers are moving on to easier targets.
  • Despite the emphasis often placed on payment security in the online channel, 69 percent of the attacks were card-present.
  • Most of the attacks (52 percent) were in foodservice, with retail a distant second (27 percent).
  • The most commonly attacked target (67 percent) is POS software, with online shopping far behind (25 percent).
  • Just who is to blame for those improperly configured systems? Sixty-three percent of the time it's a third party — a POS developer, an integrator or a local IT firm.
  • One of the requirements of the PCI data standard is that merchants must not improperly store detailed card data — "track data," the magnetically encoded information that, if placed in malicious hands, can be used to make any number of duplicate cards. Distressingly, 95 percent of brick-and-mortar merchants surveyed are running non-compliant software and are storing track data. Online merchants aren't doing much better — 60 percent of them are improperly storing CVC (card validation code) data, those extra digits on the front or back of a card that aim to provide one extra layer of security. 
  • Top Ten methods of card data compromise
    1. SQL injection
    2. Backdoor/trojan
    3. Remote access issues
    4. Perimeter security issues
    5. Weak passwords
    6. Remote exploit
    7. Keystroke loggers
    8. Internal attacks
    9. Physical security issues
    10. Wireless
