Visa, US Chamber of Commerce list top five causes of credit card data breaches

You'd better hope that next time you pay by credit card the merchant's point-of-sale system doesn't store personal data swiped from your card's magnetic stripe.

Storage of magnetic stripe data is the number one cause of credit card data breaches, according to a new security bulletin released by Visa and the U.S. Chamber of Commerce. It's also a violation of the PCI Data Security Standard (PCI DSS) to store this data after credit card authorization has been completed during a transaction. (See Credit Card Giants Modify Security Specs.) The bulletin lists the top five vulnerabilities that compromise credit cards, based in part on fraud control data gathered by Visa.

The purpose of the bulletin is to promote compliance with the Cardholder Information Security Program (CISP) and PCI DSS, and to raise awareness among smaller businesses, which are the majority of the U.S. Chamber of Commerce's membership.

"We have 3 million members, 96 percent of which are small businesses," says Mike Zanis, a lobbyist for technology and electronic commerce at the U.S. Chamber of Commerce. "They are the first line of defense."

Attackers can easily duplicate a credit card just by getting the data stored in a magnetic stripe, such as a PIN number, so if merchants are storing this data they are leaving it vulnerable to exposure and ultimately, credit card fraud, according to Visa. Trouble is, many merchants don't realize their POS systems by default store this data.

The other major culprits of compromised credit card data include:

  • Missing or outdated software security patches

    • Use of vendor-supplied default settings and passwords

    • SQL injection

    • Unnecessary and vulnerable services enabled by default on servers

      Known and newly discovered software vulnerabilities are a popular conduit for an attacker to break into a system to get credit card data, according to Visa, so businesses need to ensure they are up to date with security patches issued by their vendors.

      And merchants and other small businesses should be sure to turn off default settings and passwords that come with products so the door isn't left open for an attacker. PCI DSS Requirement 2.1 requires that vendor defaults be changed before you install the system on the network, according to Visa.

      Visa's bulletin also pinpoints SQL injection as a risk for credit card data compromises. Commercial shopping-cart products most recently have fallen victim to SQL injection attacks. SQL injection has also jumped to the second most popular flaw that attackers exploit in software, according to Mitre Corp. (See Cross-Site Scripting: Attackers' New Favorite Flaw.)

      And defaults in server software such as FTP and email services may not be necessary for all apps, so Visa recommends disabling them to close as many potential "holes" as possible that may get forgotten by system administrators during the patching and upgrade process, for instance.

      — Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights