Malware and hacking was used in 25% of credit card information breaches, followed by SQL injection (24%), and exploitation of default or guessable credentials (21%), Verizon said in a statement.
The statement said that the Payment Card Industry Data Security Standards (PCI DSS), developed in 2006 by the PCI Council to reduce fraud, work to prevent these and other methods of capturing credit card data.
"Our findings demonstrate that adherence to PCI DSS requirements can help organizations deter, prevent and detect likely security threats," said Peter Tippett, vice president of technology and innovation at Verizon Business.
The Verizon 2010 Payment Card Industry Compliance Report found companies that suffered credit card data breaches were 50% less likely to be in compliance with PCI DSS than companies that did not suffer breaches. In addition, only 22% of organizations were PCI DSS compliant at the time of their initial examination by Verizon.
The report is based on findings from 200 PCI DSS assessments conducted by Verizon in 2008 and 2009.
Verizon said that of the 12 PCI DSS requirements, three of them – protect stored data, track and monitor access to network resources and cardholder data, and test security systems and processes regularly – cover areas that are most vulnerable to security breaches. However, those three requirements are also the same ones that companies struggle the most to meet for PCI DSS compliance.
“A large proportion of the breaches tie back to relatively simple failures that, if the organization had really been doing what their policy said or if they had been checking or monitoring more closely, those breaches could have been avoided”, said Wade Baker, Verizon Business director of risk intelligence, during a podcast posted on the Verizon site.
Jen Mack, director of PCI consulting services at Verizon Business, said in the podcast that the report offers organizations measures to improve security against credit card data breaches. “There are several common sense recommendations in the report and they will resonate with a lot of people. They may seem simple, but when you are talking about security, you are talking about planning, doing, asking, and checking processes that you are putting place. Many organizations fail on these aspects.”
The report recommends the following data security best practices:
Build security in: Security needs to be built into business processes from the beginning, not added on. Organizations that adhere to this practice typically spend fewer resources and achieve more value from their compliance activities.
Do not separate compliance and security: Organizations that align compliance and security tend to achieve compliance with security regulations such as PCI DSS.
Treat compliance as a continuous process: Organizations should incorporate PCI DSS activities into their daily business operations. Organizations get into trouble when they approach PCI DSS as a monthly, quarterly, or yearly project.
Control data closely: Scope creep – where companies add activities above the PCI requirements in an attempt to ensure compliance – is a common problem with assessment activities. Discovering, tracking, and managing data are essential. The larger the scope of the assessment, the more costly and difficult it is for the organization to perform.