A lack of credit card security standards can lead to data breaches
The study, called the Verizon Payment Card Industry Compliance Report, found that groups that suffered data breaches were 50 percent less likely to comply with minimum security standards than those that did not. In addition, only 22 percent of organizations were PCI compliant at the time of the investigation.
However, data breaches that may lead to fraudulent credit card debt are easily preventable, the report said. While 78 percent of organizations are not compliant with minimum PCI standards, the average group meets 81 percent of all procedures required. In fact, 75 percent were at least 70 percent compliant with testing procedures, meaning more vigilance may be all that's required to meet the lowest level of necessary security.
The study also found a correlation between the frequency of data breaches and the problems organizations face when trying to become PCI compliant. Of the 12 requirements that make up the PCI Data Security Standard, three – protecting stored data, tracking and monitoring access to network resources and cardholder data, and regularly testing security systems and processes – cover the areas of compliance in which organizations are most vulnerable.
Verizon also found that by comparing PCI assessment data with its analysis of data breaches that can result in fraudulent credit card debt, it was able to identify the attack methods most commonly used by scam artists. Malware and other hacking accounted for the largest portion at 25 percent, but SQL injection was close behind at 24 percent. The exploitation of default or guessable credentials – that is, passwords or login names left at the vendor's defaults or set to common phrases – was next at 21 percent.
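To make the SQL injection figure concrete, here is an added example (not code from the report or from Verizon) that runs against a constructed in-memory SQLite table: the same user-lookup query built first by string concatenation, the pattern that makes injection possible, and then with a bound parameter, the fix PCI requirement 6 expects for custom application code. The table contents, the `users` schema and the probe input are all constructed for this illustration.

```python
import sqlite3

# Constructed sample data: a tiny in-memory user table standing in for a
# cardholder-facing login backend. Nothing here comes from the Verizon report.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    return conn


def lookup_vulnerable(conn, username):
    # The query text is assembled from user input, so a quote character in the
    # input ends the string literal and the rest of the input becomes SQL.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    # The statement text is fixed; the driver sends the value separately, so
    # input can only ever be compared against the column, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed probe input: a textbook tautology that a code reviewer or a
# web application firewall test suite would use to confirm a query is safe.
PROBE = "x' OR '1'='1"


def demo():
    """Run both lookups with a normal username and with the probe input."""
    conn = build_db()
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "alice"),
        "normal_parameterized": lookup_parameterized(conn, "alice"),
        # The concatenated query matches every row for the probe input ...
        "probe_vulnerable": lookup_vulnerable(conn, PROBE),
        # ... while the parameterized query matches nothing, as it should.
        "probe_parameterized": lookup_parameterized(conn, PROBE),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The useful check for a reviewer is the difference between the last two results: any lookup that returns rows for the probe input is building its query text from untrusted data. Note that SQLite's `execute()` runs only one statement per call, so this demo shows only the tautology form of the problem; other database drivers can also accept stacked statements, which makes the same concatenation pattern worse, not better.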
More often, though, data breaches that may result in fraudulent credit card debt for customers or clients are the result of carelessness, such as lost or improperly secured computers or backup disks. Many times even simple encryption software can help to mitigate the threat of identity theft as a result of someone's sensitive personal or financial data being leaked.