Where Security Fits In The Payments Processing Chain

With over 20 billion credit card purchase transactions in the US in 2009 and a highly complex system for processing those transactions, it’s not surprising that credit card information is a key target for thieves. Thieves have become adept at exploiting numerous vulnerabilities in the consumer-merchant-acquirer payment processing chain to gain access to this information. Fortunately, cost-effective solutions are available to help secure sensitive data and reduce compliance costs.

The credit card industry has been very successful in its efforts to convince consumers to use credit cards as their primary form of payment. In the United States alone, there are 176.8 million consumers who collectively hold 609.8 million credit cards. The average number of cards per cardholder was 3.5, as of year-end 2008. In 2009, there were 20.2 billion credit card purchase transactions in the United States worth $1.76 trillion.[1] In the face of these staggering numbers, it’s easy to see why thieves are drawn to the credit card industry.

Unfortunately, thieves have also been successful at stealing payment data and turning it into profit—and our collective loss. In 2008, the Verizon Business RISK Team investigated data breaches across all industries in which a total of 285 million records were breached. Fully 80 percent of those records comprised payment card information, and a significant number of those records were used fraudulently.[2]

What makes this sensitive data vulnerable? Card data for a purchase transaction must flow through a payments processing chain in order to be processed. This processing chain, which includes consumers, merchants, acquirers/processors, card brands and issuing banks, links many technologies including communication lines, databases and sophisticated applications. Data thieves have become quite sophisticated in their knowledge of how these technologies work, enabling them to exploit points of vulnerability in the payments processing chain.

The payment card industry (PCI) is fighting back. One starting point is the PCI Data Security Standard (PCI DSS), which provides guidelines to merchants about how to secure cardholder data. While PCI DSS has helped, it isn’t enough; hundreds of millions of data records have still been breached in recent years.

Consumers, as well as companies in the processing chain, have a responsibility to reduce the risk of lost, stolen or otherwise exposed sensitive cardholder data. This paper looks at where security fits in the processing chain, especially the most vulnerable points where enhanced security would benefit the entire ecosystem. We discuss several cost-effective technology-based solutions that are readily available today to help organizations to secure sensitive data and improve their PCI DSS compliance posture.

