Trustwave have released a supplement to their 2011 Global Security Report on Payment Card Trends and Risks for Small Merchants report.
According to the report, Merchants fail to achieve PCI DSS compliance in several areas with the Top 6 being:
|99.2%||Track / Monitor Network Access|
|98.4%||Regularly Test Security|
|97.5%||Maintain a Firewall|
|95.1%||Maintain Internal Security Policies|
|92.6%||Assign Unique User Ids|
|90.9%||Develop Secure Systems and Applications|
The report states, “approximately 90% of compromises came from the Level 4 merchant space in 2010.” The PCI DSS categories a Level 4 merchants as a businesses that process less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually.
The top 5 Industry Sectors that experience a PCI DSS compromise are:
|57.0%||Food and Beverage|
Breaches occur in 5 specific areas with the majority occurring because of weaknesses in software:
The Report has the Top Five Areas where Merchants are Falling Short of Compliance as:
- Do you have written security policies and procedures that address the protection of paper with credit card numbers such as receipts and the physical security of your card processing device?
- Do you have a formal training program for all relevant employees that teaches them about security as it relates to credit cards, paper with credit card numbers on them and the devices that process credit card transactions?
- Do you or does anyone at your business log or record your customers’ credit card numbers in a computer, for example, in a back office computer, a laptop or financial application?
- Do you check your store or office for unauthorized wireless access points on at least a quarterly basis?
- Do you perform external (Internet) network vulnerability scans at least once per quarter?
Cost of non-compliance
Trustwave’s Report states “Fines have averaged $5,000 to $15,000 per card brand. We see forensic investigations start in the $10,000 to $15,000 range as well. Card re-issuance and fraud loss are dependent on the size of the breach. However, fines can vary greatly depending on a number of factors and can reach into the hundreds of thousands of dollars in some cases”.
See the PCI Resources page for more details on PCI DSS