Credit cards
Image via Wikipedia

Trustwave have released a supplement to their 2011 Global Security Report on Payment Card Trends and Risks for Small Merchants report.

According to the report, Merchants fail to achieve PCI DSS compliance in several areas with the Top 6 being:

99.2%   Track / Monitor Network Access
98.4%   Regularly Test Security
97.5%   Maintain a Firewall
95.1%   Maintain Internal Security Policies
92.6%   Assign Unique User Ids
90.9%   Develop Secure Systems and Applications

The report states, “approximately 90% of compromises came from the Level 4 merchant space in 2010.” The PCI DSS categories a Level 4 merchants as a businesses that process less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually.

The top 5 Industry Sectors that experience a PCI DSS compromise are:

57.0%   Food and Beverage
18.0%   Retail
10.0%   Hospitality
6.0%   Government
6.0%   Financial

Breaches occur in 5 specific areas with the majority occurring because of weaknesses in software:

75.0%   Software POS
11.0%   Employee Workstation
9.0%   e-commerce
3.0%   Payment Processing
2.0%   ATM

The Report has the Top Five Areas where Merchants are Falling Short of Compliance as:

  1. Do you have written security policies and procedures that address the protection of paper with credit card numbers such as receipts and the physical security of your card processing device?
  2. Do you have a formal training program for all relevant employees that teaches them about security as it relates to credit cards, paper with credit card numbers on them and the devices that process credit card transactions?
  3. Do you or does anyone at your business log or record your customers’ credit card numbers in a computer, for example, in a back office computer, a laptop or financial application?
  4. Do you check your store or office for unauthorized wireless access points on at least a quarterly basis?
  5. Do you perform external (Internet) network vulnerability scans at least once per quarter?

Cost of non-compliance

Trustwave’s Report states “Fines have averaged $5,000 to $15,000 per card brand. We see forensic investigations start in the $10,000 to $15,000 range as well. Card re-issuance and fraud loss are dependent on the size of the breach. However, fines can vary greatly depending on a number of factors and can reach into the hundreds of thousands of dollars in some cases”.

Trustware www.trustwave.com

See the PCI Resources page for more details on PCI DSS

.