Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

05:15 AM
Connect Directly

Visa Outlines Credit Card Risks

Visa, US Chamber of Commerce list top five causes of credit card data breaches

You'd better hope that next time you pay by credit card the merchant's point-of-sale system doesn't store personal data swiped from your card's magnetic stripe.

Storage of magnetic stripe data is the number one cause of credit card data breaches, according to a new security bulletin released by Visa and the U.S. Chamber of Commerce. It's also a violation of the PCI Data Security Standard (PCI DSS) to store this data after credit card authorization has been completed during a transaction. (See Credit Card Giants Modify Security Specs.) The bulletin lists the top five vulnerabilities that compromise credit cards, based in part on fraud control data gathered by Visa.

The purpose of the bulletin is to promote compliance with the Cardholder Information Security Program (CISP) and PCI DSS, and to raise awareness among smaller businesses, which are the majority of the U.S. Chamber of Commerce's membership.

"We have 3 million members, 96 percent of which are small businesses," says Mike Zanis, a lobbyist for technology and electronic commerce at the U.S. Chamber of Commerce. "They are the first line of defense."

Attackers can easily duplicate a credit card just by getting the data stored in a magnetic stripe, such as a PIN number, so if merchants are storing this data they are leaving it vulnerable to exposure and ultimately, credit card fraud, according to Visa. Trouble is, many merchants don't realize their POS systems by default store this data.

The other major culprits of compromised credit card data include:

  • Missing or outdated software security patches
  • Use of vendor-supplied default settings and passwords
  • SQL injection
  • Unnecessary and vulnerable services enabled by default on servers

    Known and newly discovered software vulnerabilities are a popular conduit for an attacker to break into a system to get credit card data, according to Visa, so businesses need to ensure they are up to date with security patches issued by their vendors.

    And merchants and other small businesses should be sure to turn off default settings and passwords that come with products so the door isn't left open for an attacker. PCI DSS Requirement 2.1 requires that vendor defaults be changed before you install the system on the network, according to Visa.

    Visa's bulletin also pinpoints SQL injection as a risk for credit card data compromises. Commercial shopping-cart products most recently have fallen victim to SQL injection attacks. SQL injection has also jumped to the second most popular flaw that attackers exploit in software, according to Mitre Corp. (See Cross-Site Scripting: Attackers' New Favorite Flaw.)

    And defaults in server software such as FTP and email services may not be necessary for all apps, so Visa recommends disabling them to close as many potential "holes" as possible that may get forgotten by system administrators during the patching and upgrade process, for instance.

    — Kelly Jackson Higgins, Senior Editor, Dark Reading

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    7 Tips for Choosing Security Metrics That Matter
    Ericka Chickowski, Contributing Writer,  10/19/2020
    IoT Vulnerability Disclosure Platform Launched
    Dark Reading Staff 10/19/2020
    Register for Dark Reading Newsletters
    White Papers
    Current Issue
    Special Report: Computing's New Normal
    This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
    Flash Poll
    How IT Security Organizations are Attacking the Cybersecurity Problem
    How IT Security Organizations are Attacking the Cybersecurity Problem
    The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-10-22
    A path handling issue was addressed with improved validation. This issue is fixed in iOS 13.5 and iPadOS 13.5, macOS Catalina 10.15.5, tvOS 13.4.5, watchOS 6.2.5. A malicious application may be able to overwrite arbitrary files.
    PUBLISHED: 2020-10-22
    An information disclosure issue was addressed with improved state management. This issue is fixed in macOS Catalina 10.15.6, watchOS 6.2.8. A malicious application may disclose restricted memory.
    PUBLISHED: 2020-10-22
    A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.6. An application may be able to execute arbitrary code with kernel privileges.
    PUBLISHED: 2020-10-22
    Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in macOS Catalina 10.15.6. An application may be able to execute arbitrary code with kernel privileges.
    PUBLISHED: 2020-10-22
    A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Catalina 10.15.6. A local user may be able to cause unexpected system termination or read kernel memory.