Do You Accept Credit Cards? How Credit Card Breaches Happen

If your business accepts credit cards for payment, then your a subject to the regulations of the Payment Card Industry.  This is known as PCI-DSS Compliance.  PCI compliance company Security Metrics recently released an infographic that shows the main compliance failures that lead to credit card breaches in 2017.  Here are some of the startling take-aways:

  • Businesses that took credit cards had one or more exploitable security vulnerabilities for over 4 years.
  • Credit card data at breached companies was captured and exfiltrated for an average of nine months.
  • 45% of companies were breached through insecure remote access technologies, such as RDP.
  • 21% of companies were breached through the use of malicious software programs, delivered often through phishing or spearphishing emails, or watering hole exploits.
  • 39% of companies were breached using memory-scraping software of the type used against Target, Neiman Marcus, Home Depot and many others.  This indicates that the breached companies failed to apply all security updates or use up-to-date anti-malware programs on their point of sales systems.
  • 97% of companies were breached even though they had firewalls in place.
  • 15% of firewalls did not meet PCI compliance requirements, many because they were too old and out-of-date.

Recent changes to PCI Compliance hold the business or retailer accepting credit cards responsible for financial losses due to a breach.  This means that you could be on the hook for the monetary value of fraudulent purchases made with the credit card numbers lost by your company, unless you can show that you are fully compliant.  This means more than just answering “yes” to the questions on your last SAQ, you need to demonstrate that you are actively meeting the standards laid out in the questionnaire.  If you don’t understand the technical requirements, you may need the help of an outside cybersecurity firm.

More information:


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
  Related Posts

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.