Do You Accept Credit Cards? How Credit Card Breaches Happen

If your business accepts credit cards for payment, then you are subject to the regulations of the Payment Card Industry, known as PCI-DSS compliance.  PCI compliance company Security Metrics recently released an infographic that shows the main compliance failures that led to credit card breaches in 2017.  Here are some of the startling take-aways:

  • Businesses that took credit cards had one or more exploitable security vulnerabilities for over 4 years.
  • Credit card data at breached companies was captured and exfiltrated for an average of nine months.
  • 45% of companies were breached through insecure remote access technologies, such as RDP.
  • 21% of companies were breached through the use of malicious software programs, delivered often through phishing or spearphishing emails, or watering hole exploits.
  • 39% of companies were breached using memory-scraping software of the type used against Target, Neiman Marcus, Home Depot and many others.  This indicates that the breached companies failed to apply all security updates or to run up-to-date anti-malware programs on their point-of-sale systems.
  • 97% of companies were breached even though they had firewalls in place.
  • 15% of firewalls did not meet PCI compliance requirements, many because they were too old and out-of-date.

Recent changes to PCI Compliance hold the business or retailer accepting credit cards responsible for financial losses due to a breach.  This means that you could be on the hook for the monetary value of fraudulent purchases made with the credit card numbers lost by your company, unless you can show that you are fully compliant.  That takes more than just answering “yes” to the questions on your last SAQ: you need to demonstrate that you are actively meeting the standards laid out in the questionnaire.  If you don’t understand the technical requirements, you may need the help of an outside cybersecurity firm.

More information:


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.