PCI Compliant Merchants Less Likely to be Victims of Breach

Merchants that are compliant with the Payment Card Industry Data Security Standard (PCI DSS) are less likely to be victims of cardholder data breaches, according to the new 2011 PCI DSS Compliance Trends Study.

According to survey data from the Ponemon Institute and Imperva, 64% of the PCI-compliant merchants among the 670 participants said they did not suffer a breach involving credit card data during 2010, while only 38% of non-compliant merchants could say the same.

Although these findings do not demonstrate causation, the correlation is direct: merchants that are PCI compliant are less likely to be victims of data security breaches. It is that simple.

Benchmark your PCI compliance and data security protection efforts with peers with the 2011 PCI DSS Compliance Trends Study.

These statistics are borne out by the following recently announced incidents: data breaches at two large companies and a fraud alert for one open source e-commerce shopping cart.

Last month Sony announced two of the largest data breaches in history — 77 million users in one and 24 million in another. Alan Paller, Research Director of the SANS Institute, said Sony probably did not pay enough attention to security when it was developing the software that runs its network. He suspects the hackers entered the network by taking over the PC of a system administrator, who had rights to access sensitive information about Sony’s customers. They likely did that by sending the administrator an email message that contained a piece of malicious software that got downloaded onto his or her PC.

Earlier this month Michaels announced that PIN pads in its stores in 20 states had been tampered with and used to steal cardholder data. Michaels has not released details of how the PIN pads were compromised, but a common way criminals collect card data is "skimming": fitting a covert reader into or over the card slot of a PIN pad so that it captures the card's magnetic-stripe data as the card is swiped, before the legitimate reader processes it. The data thieves are sophisticated and can often stay one step ahead of prevention and enforcement.

Visa recently announced that merchants, and the web hosting service providers that serve them, running version 2.2 or earlier of the open source osCommerce Online Merchant e-commerce "shopping cart" software may be vulnerable to fraud. Specifically, Visa warned in a public announcement that fraudsters are targeting merchants running vulnerable versions of osCommerce and compromising the software remotely.

In addition to the warning above, Visa recommends that all merchants, web hosting service providers and acquirers take immediate steps to safeguard the payment system: use an e-commerce solution that is validated against the Payment Application Data Security Standard (PA-DSS), and keep whatever solution they use on its most up-to-date version.
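The version hygiene Visa asks for starts with knowing which installs are out of date. The script below is an added example, not code from the original post, from Visa or from the osCommerce project: it walks one or more web roots, finds osCommerce installs, and flags any still on 2.2 or earlier. It assumes each install records its version as a bare string in includes/version.php (for example "2.2 RC2a" or "2.3.1"), which is how the 2.2 and 2.3 release trees ship it; treat that layout as an assumption and adjust VERSION_FILE if your installs differ. The sample web root it builds, and the version strings in it, are constructed for the demonstration.

```python
"""Inventory osCommerce installs under a web root and flag those still on
2.2 or earlier, the versions covered by the Visa alert.

Added example, not part of the original post or of osCommerce itself.
Assumption: each install keeps its version as a bare string in
includes/version.php (e.g. "2.2 RC2a" or "2.3.1"). Change VERSION_FILE
if your installs record it elsewhere.
"""
import os
import re
import tempfile
from pathlib import Path

VERSION_FILE = Path("includes") / "version.php"
# Anything at or below this (major, minor) is treated as in scope of the alert.
LAST_VULNERABLE_MAJOR_MINOR = (2, 2)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str):
    """Return (major, minor, patch) from strings like '2.2 RC2a', '2.2-MS2'
    or '2.3.1'. Release-candidate and milestone suffixes are ignored on
    purpose: a 2.2 RC is still a 2.2 and still in scope."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version) -> bool:
    """True when the version is 2.2.x or older (compares major.minor only)."""
    return version[:2] <= LAST_VULNERABLE_MAJOR_MINOR


def find_installs(root: Path):
    """Yield (install_dir, parsed_version_or_None) for every
    <install>/includes/version.php below root."""
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == VERSION_FILE.parent.name and VERSION_FILE.name in filenames:
            install = Path(dirpath).parent
            text = (Path(dirpath) / VERSION_FILE.name).read_text(errors="replace")
            yield install, parse_version(text)


def audit(root) -> dict:
    """Map each install (path relative to root) to VULNERABLE, OK or UNKNOWN.
    UNKNOWN means a version file was present but unparseable: inspect by hand."""
    root = Path(root)
    report = {}
    for install, version in find_installs(root):
        if version is None:
            status = "UNKNOWN"
        elif is_vulnerable(version):
            status = "VULNERABLE"
        else:
            status = "OK"
        report[str(install.relative_to(root))] = status
    return report


def build_sample_tree() -> str:
    """Constructed sample: four fake shop installs under a temporary web root."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        "shop-legacy": "2.2 RC2a",   # pre-2.3 release candidate: in scope
        "shop-ms2": "2.2-MS2",       # older milestone release: in scope
        "shop-current": "2.3.1",     # past 2.2
        "shop-odd": "unknown",       # version file present but unparseable
    }
    for name, ver in samples.items():
        inc = Path(root) / name / VERSION_FILE.parent
        inc.mkdir(parents=True)
        (inc / VERSION_FILE.name).write_text(ver)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for path, status in sorted(audit(sample_root).items()):
        print(f"{status:10} {path}")
```

Run it against a real hosting tree by calling audit() with the web root instead of the constructed sample. A version file is only a hint, not proof: an install that has been patched by hand or forked will still report its shipped version, so treat VULNERABLE as "go and look", and UNKNOWN as a reason to look as well.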

At the end of the day, PCI DSS is one of the most effective data security standards in use today and can significantly improve a company's data security posture. Companies that make a real effort to comply are likely to suffer fewer breaches than those that don't, period.
