Malware, hacking are favorite methods to breach credit card data

04 October 2010

Malware and hacking are the most common methods that criminals use to obtain credit card information, according to a new report by Verizon Business.

Malware and hacking were used in 25% of credit card information breaches, followed by SQL injection (24%) and exploitation of default or guessable credentials (21%), Verizon said in a statement.

The statement said that the Payment Card Industry Data Security Standards (PCI DSS), developed in 2006 by the PCI Council to reduce fraud, work to prevent these and other methods of capturing credit card data.

"Our findings demonstrate that adherence to PCI DSS requirements can help organizations deter, prevent and detect likely security threats," said Peter Tippett, vice president of technology and innovation at Verizon Business.

The Verizon 2010 Payment Card Industry Compliance Report found companies that suffered credit card data breaches were 50% less likely to be in compliance with PCI DSS than companies that did not suffer breaches. In addition, only 22% of organizations were PCI DSS compliant at the time of their initial examination by Verizon.

The report is based on findings from 200 PCI DSS assessments conducted by Verizon in 2008 and 2009.

Verizon said that of the 12 PCI DSS requirements, three of them – protect stored data, track and monitor access to network resources and cardholder data, and test security systems and processes regularly – cover areas that are most vulnerable to security breaches. However, those three requirements are also the same ones that companies struggle the most to meet for PCI DSS compliance.

“A large proportion of the breaches tie back to relatively simple failures that, if the organization had really been doing what their policy said or if they had been checking or monitoring more closely, those breaches could have been avoided,” said Wade Baker, Verizon Business director of risk intelligence, during a podcast posted on the Verizon site.

Jen Mack, director of PCI consulting services at Verizon Business, said in the podcast that the report offers organizations measures to improve security against credit card data breaches. “There are several common sense recommendations in the report and they will resonate with a lot of people. They may seem simple, but when you are talking about security, you are talking about planning, doing, asking, and checking processes that you are putting in place. Many organizations fail on these aspects.”

The report recommends the following data security best practices:

  • Build security in: Security needs to be built into business processes from the beginning, not added on. Organizations that adhere to this practice typically spend fewer resources and achieve more value from their compliance activities.
  • Do not separate compliance and security: Organizations that align compliance and security tend to achieve compliance with security regulations such as PCI DSS.
  • Treat compliance as a continuous process: Organizations should incorporate PCI DSS activities into their daily business operations. Organizations get into trouble when they approach PCI DSS as a monthly, quarterly, or yearly project.
  • Control data closely: Scope creep – where companies add activities above the PCI requirements in an attempt to ensure compliance – is a common problem with assessment activities. Discovering, tracking, and managing data are essential. The larger the scope of the assessment, the more costly and difficult it is for the organization to perform.
