Card Compromise Statistics Prove that PCI DSS Compliance Protects Businesses and Customers

Through October 29, 2008, Trustwave's forensics practice has investigated 443 cases of cardholder data compromise. The information in this article is the culmination of almost seven years of card compromise investigations.

Key Developments in 2008: The Theft of Cardholder Data in Transit

In 2008, the most notable development in payment card compromises is the shift from the theft of cardholder data at rest (stationary on a system component) to its theft in transit (moving through a system). Trustwave experts have noted that attackers are stealing data in real time by eavesdropping on a particular device and capturing the data as it passes to or through a system, rather than stealing data that is stored on that system.

One example of this is attackers' use of unauthorized applications (malware) that steal cardholder data from a computer's Random Access Memory (RAM). What is perhaps most unsettling about the trend is that a merchant can use a payment application that complies with the Payment Application Data Security Standard (PA-DSS) or Visa's Payment Application Best Practices (PABP) and still fall victim to a compromise.

Merchants and service providers must recognize that payment card security extends beyond just using PABP or PA-DSS validated payment applications and eliminating the storage of prohibited cardholder data. Any entity involved in the processing, storage or transmission of payment card data must ensure that they comply with the Payment Card Industry Data Security Standard (PCI DSS). In the cases of track data parsing from RAM that Trustwave has examined, the intruder gained the access necessary to execute the attack because the victim organization did not comply with the PCI DSS in full.
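As an added, defensive example (not from the Trustwave article): a small cardholder-data discovery scan that looks for magnetic-stripe Track 2 records in a memory image or file dump, Luhn-checks each PAN and reports only a masked PAN, so the scan itself does not create another copy of prohibited data. The sample image and the PANs in it are constructed; 4111111111111111 is a well-known Luhn-valid test number.

```python
"""Cardholder-data discovery: find Track 2 records in a byte buffer and
report them masked. Added example; not code from the original article."""
import re
from typing import List, NamedTuple

# Track 2: ';' start sentinel, PAN (13-19 digits), '=' separator,
# YYMM expiry, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


class Finding(NamedTuple):
    offset: int       # byte offset of the record in the buffer
    masked_pan: str   # first 6 and last 4 digits only (PCI DSS 3.3 masking)
    expiry: str       # YYMM
    luhn_ok: bool     # False means the PAN fails its check digit


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN passes the Luhn (mod 10) check digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_track2(buf: bytes) -> List[Finding]:
    """Return every Track 2 record found in buf, with its PAN masked."""
    findings = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        findings.append(Finding(m.start(), mask_pan(pan),
                                m.group(2).decode("ascii"), luhn_valid(pan)))
    return findings


# Constructed sample "memory image": noise around two Track 2 records;
# the second PAN deliberately fails the Luhn check.
SAMPLE_IMAGE = (b"\x00\x00POS v3\x00"
                b";4111111111111111=1312101000000000?"
                b"\x00garbage\x00"
                b";4111111111111112=1405201?"
                b"\xff\xfe")

if __name__ == "__main__":
    for f in scan_track2(SAMPLE_IMAGE):
        status = "valid PAN" if f.luhn_ok else "fails Luhn"
        print(f"offset {f.offset:6d}: {f.masked_pan} exp {f.expiry} ({status})")
```

Run against a process memory dump or a payment application's log and data directories to find track data that the PCI DSS prohibits storing after authorization.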

General Payment Card Compromise Statistics

The theft of cardholder data in transit is only beginning to impact Trustwave's compromise statistics. However, our experts expect the occurrence of these types of breaches to increase.

Below are more general statistics that, for the most part, have remained constant over the past few years.

Payment Card Acceptance Channel

Whether the compromised merchant accepts payment cards over the Internet, in person, over the telephone or through the mail, we see the greatest variation between North America and EMEA (Europe, the Middle East and Africa) cases. In North America, the majority of compromises investigated by Trustwave were of brick-and-mortar merchants. In EMEA, the majority of compromises investigated were of e-commerce merchants. This difference accounts for much of the variation between the North American and EMEA statistics.


Businesses involved in the food service and retail segments make up the majority of compromises investigated by Trustwave, with approximately half of the compromises occurring at food service locations. In North America, the majority of compromises occurred at food service establishments. In the EMEA region, the majority of Trustwave investigations were of payment card breaches at merchants within the retail sector.

Cases by Responsibility for Payment System Administration

Many North American merchants investigated by Trustwave use outdated payment systems or do not configure them securely. Misconfigured payment applications will store or insecurely transmit cardholder data that can be stolen by an attacker. Often a third party configured those payment applications, so third-party negligence more often contributes to the payment card compromises investigated in North America. Because the use of outmoded payment applications is not as prevalent in EMEA as in North America, neither are the problems caused by third-party installation, configuration or maintenance of such payment applications.

Common PCI DSS Failures of Compromised Merchants

For the most part, the PCI DSS requirements that compromised merchants fail to meet are the same in EMEA and North America, although the frequency of failure may be lower in EMEA. The PCI DSS requirements that compromised merchants failed to fulfill include:

  • Requirement 3: Protect stored cardholder data
  • Requirement 6: Develop and maintain secure systems and applications
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 12: Maintain a policy that addresses information security for employees and contractors

Cases by Technical Cause

Trustwave finds that five technical causes contribute to the majority of payment card compromises across both North America and EMEA:

  • SQL Injection: Exploiting flaws in a Web application to force a back-end database to disclose information stored in the database (such as cardholder data)
  • Remote Access: Accessing remote control software used to operate a computer from remote locations
  • Backdoor/Trojan: Installing malware onto a system to gain access to a network
  • Perimeter Security Issue: Lack of or insecurely configured perimeter security
  • Weak Passwords: Guessing authentication credentials (username and password)

The majority of compromises investigated by Trustwave in North America occurred due to insecure payment applications that store prohibited data; however, as previously noted, the theft of cardholder data in transit is on the rise.

SQL injection is the number one cause of compromise cases investigated by Trustwave in EMEA. Again, this can be attributed to the fact that more e-commerce merchants are compromised in EMEA. An e-commerce merchant must have a public-facing Web site in order to conduct business, and so leaves a part of its systems exposed to attack.

Conclusion and Merchant Action Items

The key take-away from this analysis of card compromise cases should be that merchants must comply with the PCI DSS. Plenty of data security pundits continue to disparage the standard. However, the PCI DSS provides a comprehensive security standard that, if followed, prevents the theft of cardholder data. To protect themselves and their customers, merchants must take a holistic approach to data security, such as the approach prescribed and explained in the PCI DSS.
