Small merchants make up lion's share of credit card breaches

19 May 2011

A full 90% of breaches of credit card information occur at the small merchant level, according to a survey by Trustwave.

Trustwave said that small merchants have been slow to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS). “The big constraints [on small merchants] are time and money”, said Greg Rosenberg, qualified security assessor at Trustwave.

One of the findings that surprised Rosenberg in the study, Payment Card Trends and Risks for Small Merchants, was the relatively short amount of time it takes for merchants to achieve their initial PCI DSS compliance. “About 82% of all of the merchants we dealt with…were able to complete PCI DSS compliance in under 12 hours”, he told Infosecurity.

Another finding that stood out for Rosenberg was that areas where small merchants are often deficient in terms of PCI DSS compliance are not expensive to fix. “These were things like having proper policies and procedures in place and security awareness training; these are low cost items that can be relatively easy to institute”, he said.

Smaller merchants tend to rely on their acquirer or independent sales organization (ISO) to initiate PCI DSS compliance validation. Without a directive or enforcement from those parties, many will forgo basic steps to protect their networks and their customers’ cardholder data because they feel they do not have the time or the proper resources, or they are simply not aware of the requirement, the survey found.

These institutions, often referred to as program sponsors, help enforce compliance and mitigate risk and, in turn, provide a security benefit for the merchant as well as the wider population by helping to combat data security threats.

The report, which was a supplement to Trustwave’s 2011 Global Security Report, also found that two groups – food and beverage and retail – made up 75% of all credit card breaches. Of those breaches, 85% affected small merchants.

“Food service tends to lead the pack [in data breaches]. The first challenge for them is that they are using broadband connectivity. They are not using the traditional stand-alone terminals… With the additional network complexity obviously comes the opportunity for someone half way across the world to reach into their network and exploit vulnerabilities that haven’t been addressed”, Rosenberg observed.

“The food and beverage industry accounts for a large portion of merchant portfolios as well. So there is a direct correlation that leads these businesses to be more highly weighted in the survey”, he said. “There tends to be high turnover, and they are a fast-paced industry”, he added.

Other key findings in the report showed that merchants that fail to validate compliance with the PCI DSS fail at six of the 12 requirements more than 90% of the time. These statistics provide further evidence that ISOs and acquirers should implement compliance programs to help secure their merchant population, the survey said.
