Do You Accept Credit Cards? How Credit Card Breaches Happen

If your business accepts credit cards for payment, then you are subject to the Payment Card Industry Data Security Standard, PCI-DSS, a set of contractual security requirements imposed by the card brands rather than a government regulation; meeting it is known as PCI compliance.  PCI compliance company Security Metrics recently released an infographic that shows the main compliance failures that led to credit card breaches in 2017.  Here are some of the startling take-aways:

  • Breached businesses had been running with one or more exploitable security vulnerabilities for over four years.
  • Attackers captured and exfiltrated card data from breached companies for an average of nine months.
  • 45% of companies were breached through insecure remote access technologies, such as RDP (Remote Desktop Protocol) reachable from the Internet.
  • 21% of companies were breached through malware, often delivered by phishing or spear-phishing emails or by watering-hole attacks.
  • 39% of companies were breached using memory-scraping malware of the type used against Target, Neiman Marcus, Home Depot and many others.  Memory scrapers read card data out of point-of-sale (POS) application memory, where it sits unencrypted between the card swipe and transmission to the processor.  This indicates that the breached companies failed to apply all security updates or to keep anti-malware up to date on their point-of-sale systems.  Patching and anti-malware alone are not a complete defense against this class of malware; encrypting card data at the card reader (point-to-point encryption) keeps cleartext track data out of POS memory in the first place.
  • 97% of companies were breached even though they had a firewall in place.
  • 15% of those firewalls did not meet PCI compliance requirements, many because they were outdated or no longer supported.
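
Two of the figures above, Internet-exposed remote access and firewalls that fail the PCI requirements, come down to the same rule-set problem: an inbound "allow" that reaches RDP, SSH or VNC from somewhere other than an approved management network.  The script below is an added example (not code from the original post or from Security Metrics) that audits a firewall rule list for exactly that.  The `Rule` format, the `TRUSTED_SOURCES` networks and the sample rule set are assumptions constructed for illustration; the check itself is the one PCI-DSS Requirement 1 implies, namely that inbound traffic to the cardholder data environment is restricted to what is explicitly needed.  It also honours first-match semantics, so an allow rule that an earlier deny completely shadows is not reported.

```python
"""Audit a first-match firewall rule list for remote-access exposure.

Added example, not from the original post. Rule format, trusted networks
and the sample rules are assumptions for illustration (IPv4 only).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Remote-access services; the post singles out RDP (3389).
REMOTE_ACCESS_PORTS = {3389: "RDP", 22: "SSH", 5900: "VNC", 23: "Telnet"}

# Assumed: the only networks permitted to reach remote-access ports on the
# cardholder data environment (an internal management VLAN and a VPN pool).
TRUSTED_SOURCES = [
    ipaddress.ip_network("10.0.5.0/24"),
    ipaddress.ip_network("10.200.0.0/16"),
]


@dataclass(frozen=True)
class Rule:
    """One firewall rule; rules are evaluated top-down, first match wins."""
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR notation
    dport: Optional[int]   # destination port, None means any port
    comment: str = ""


def _is_trusted(src_net: ipaddress.IPv4Network) -> bool:
    """True if every address in src_net lies inside an approved network."""
    return any(src_net.subnet_of(t) for t in TRUSTED_SOURCES)


def _shadowed_by_deny(rules: List[Rule], idx: int, port: int) -> bool:
    """True if an earlier deny already covers every packet to `port` that
    rule `idx` could match, so the allow never takes effect for that port."""
    allow = rules[idx]
    allow_net = ipaddress.ip_network(allow.src, strict=False)
    for earlier in rules[:idx]:
        if earlier.action != "deny":
            continue
        proto_ok = earlier.proto in ("any", allow.proto)
        port_ok = earlier.dport is None or earlier.dport == port
        deny_net = ipaddress.ip_network(earlier.src, strict=False)
        if proto_ok and port_ok and allow_net.subnet_of(deny_net):
            return True
    return False


def audit(rules: List[Rule]) -> List[Tuple[int, str, str]]:
    """Return (rule_index, service, reason) for every effective allow rule
    that lets an untrusted source reach a remote-access port."""
    findings = []
    for idx, rule in enumerate(rules):
        if rule.action != "allow" or rule.proto not in ("tcp", "any"):
            continue
        # An "any port" allow exposes every remote-access service at once.
        ports = [rule.dport] if rule.dport is not None else list(REMOTE_ACCESS_PORTS)
        src_net = ipaddress.ip_network(rule.src, strict=False)
        for port in ports:
            if port not in REMOTE_ACCESS_PORTS or _is_trusted(src_net):
                continue
            if _shadowed_by_deny(rules, idx, port):
                continue
            if src_net.prefixlen == 0:
                reason = "open to the whole Internet"
            else:
                reason = f"source {src_net} is not an approved management network"
            findings.append((idx, REMOTE_ACCESS_PORTS[port], reason))
    return findings


# Constructed sample rule set for a small retail network (not real data).
SAMPLE_RULES = [
    Rule("allow", "tcp", "10.0.5.0/24", 3389, "admins -> POS back office"),
    Rule("allow", "tcp", "0.0.0.0/0", 3389, "vendor remote support"),
    Rule("deny", "tcp", "0.0.0.0/0", 22, "block SSH from outside"),
    Rule("allow", "tcp", "0.0.0.0/0", 22, "old rule, now shadowed"),
    Rule("allow", "tcp", "0.0.0.0/0", 443, "e-commerce storefront"),
    Rule("allow", "tcp", "198.51.100.0/24", 5900, "POS vendor office"),
    Rule("deny", "any", "0.0.0.0/0", None, "default deny"),
]

if __name__ == "__main__":
    for index, service, reason in audit(SAMPLE_RULES):
        print(f"rule {index}: {service} exposed, {reason}: "
              f"{SAMPLE_RULES[index].comment!r}")
```

Against the sample set the audit reports the Internet-wide RDP allow and the VNC allow from the vendor's office network, and stays silent on the SSH allow because the deny above it already drops that traffic.  Exporting your own firewall's rules into this shape and running the same check is a quick way to find the "vendor remote support" holes that tend to outlive the vendor.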

Recent changes to the PCI compliance rules hold the business or retailer accepting credit cards responsible for financial losses resulting from a breach.  This means that you could be on the hook for the monetary value of fraudulent purchases made with the card numbers stolen from your company, unless you can show that you were fully compliant.  Being compliant means more than answering “yes” to the questions on your last SAQ (Self-Assessment Questionnaire): you need to demonstrate that you are actively meeting the standards the questionnaire lays out.  If you don’t understand the technical requirements, you may need the help of an outside cybersecurity firm.

About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.