PCI Compliance Risks for Small Merchants and where they are failing

[Image: Credit cards, via Wikipedia]

Trustwave has released a supplement to its 2011 Global Security Report, titled Payment Card Trends and Risks for Small Merchants.

According to the report, merchants fail to achieve PCI DSS compliance in several areas; the six most commonly failed requirements, with the percentage of merchants failing each, are:

99.2%   Track / Monitor Network Access
98.4%   Regularly Test Security
97.5%   Maintain a Firewall
95.1%   Maintain Internal Security Policies
92.6%   Assign Unique User Ids
90.9%   Develop Secure Systems and Applications

The report states, “approximately 90% of compromises came from the Level 4 merchant space in 2010.” PCI DSS categorises a Level 4 merchant as a business that processes fewer than 20,000 Visa e-commerce transactions annually, or any other merchant processing up to 1 million Visa transactions annually.

The top five industry sectors experiencing PCI DSS compromises are:

57.0%   Food and Beverage
18.0%   Retail
10.0%   Hospitality
6.0%   Government
6.0%   Financial

Breaches occur in five specific areas, with the majority caused by weaknesses in software:

75.0%   Software POS
11.0%   Employee Workstation
9.0%   e-commerce
3.0%   Payment Processing
2.0%   ATM

The report lists the top five areas where merchants are falling short of compliance as:

  1. Do you have written security policies and procedures that address the protection of paper with credit card numbers such as receipts and the physical security of your card processing device?
  2. Do you have a formal training program for all relevant employees that teaches them about security as it relates to credit cards, paper with credit card numbers on them and the devices that process credit card transactions?
  3. Do you or does anyone at your business log or record your customers’ credit card numbers in a computer, for example, in a back office computer, a laptop or financial application?
  4. Do you check your store or office for unauthorized wireless access points on at least a quarterly basis?
  5. Do you perform external (Internet) network vulnerability scans at least once per quarter?

Cost of non-compliance

Trustwave’s Report states “Fines have averaged $5,000 to $15,000 per card brand. We see forensic investigations start in the $10,000 to $15,000 range as well. Card re-issuance and fraud loss are dependent on the size of the breach. However, fines can vary greatly depending on a number of factors and can reach into the hundreds of thousands of dollars in some cases”.

Trustwave: www.trustwave.com

See the PCI Resources page for more details on PCI DSS.


  1. #1 by Matthew Murray on 17/09/2013 - 10:06 am

    Precisely what are some people’s experiences of employment advancement within
    the security industry? I might at some point like to end up
    working in the police force and I’m pondering whether I could simply move directly into that or
    test the waters with something lower. Has anyone begun in basic security and eventually ended up working with the authorities?


    • #2 by brianfpennington on 19/09/2013 - 10:36 pm

      Hi Matthew,

      I have known people go from Police uniform to IT Security to the private sector, from Police IT to private sector, from Private Sector to Police IT…!

      There are no hard and fast rules on the job but there are on the skills and knowledge required. I suggest you look at the right qualifications e.g. ISC2’s CISSP and some of the BCS courses.

      Other than that try and get a foot on the ladder and work your way up by being exposed to real life security needs.

      Good luck,

      Brian
