You'd better hope that next time you pay by credit card the merchant's point-of-sale system doesn't store personal data swiped from your card's magnetic stripe.
Storage of magnetic stripe data is the number one cause of credit card data breaches, according to a new security bulletin released by Visa and the U.S. Chamber of Commerce. It's also a violation of the PCI Data Security Standard (PCI DSS) to store this data after credit card authorization has been completed during a transaction. (See Credit Card Giants Modify Security Specs.) The bulletin lists the top five vulnerabilities that compromise credit cards, based in part on fraud control data gathered by Visa.
The purpose of the bulletin is to promote compliance with the Cardholder Information Security Program (CISP) and PCI DSS, and to raise awareness among smaller businesses, which are the majority of the U.S. Chamber of Commerce's membership.
"We have 3 million members, 96 percent of which are small businesses," says Mike Zanis, a lobbyist for technology and electronic commerce at the U.S. Chamber of Commerce. "They are the first line of defense."
Attackers can easily duplicate a credit card just by getting the data stored in a magnetic stripe, such as a PIN number, so if merchants are storing this data they are leaving it vulnerable to exposure and ultimately, credit card fraud, according to Visa. Trouble is, many merchants don't realize their POS systems by default store this data.
The other major culprits of compromised credit card data include:
Known and newly discovered software vulnerabilities are a popular conduit for an attacker to break into a system to get credit card data, according to Visa, so businesses need to ensure they are up to date with security patches issued by their vendors.
And merchants and other small businesses should be sure to turn off default settings and passwords that come with products so the door isn't left open for an attacker. PCI DSS Requirement 2.1 requires that vendor defaults be changed before you install the system on the network, according to Visa.
Visa's bulletin also pinpoints SQL injection as a risk for credit card data compromises. Commercial shopping-cart products most recently have fallen victim to SQL injection attacks. SQL injection has also jumped to the second most popular flaw that attackers exploit in software, according to Mitre Corp. (See Cross-Site Scripting: Attackers' New Favorite Flaw.)
And defaults in server software such as FTP and email services may not be necessary for all apps, so Visa recommends disabling them to close as many potential "holes" as possible that may get forgotten by system administrators during the patching and upgrade process, for instance.
Kelly Jackson Higgins, Senior Editor, Dark Reading