One of the most common ways card data is stolen is through remote access to the servers that house it. Another common approach is "skimming", in which an electronic reader is attached to a point-of-sale terminal to capture cardholder information such as the card number, name and CVV code. Employees have also been known to simply write this information down. In e-commerce, criminals rely on SQL injection, cross-site scripting and buffer overflow attacks.
The PCI Security Standards Council is the driving force behind the effort to secure credit card data; it was founded by Visa, MasterCard, American Express, Discover and JCB. The Council mandates that businesses meet 12 security requirements in order to protect cardholder data. Complying with the PCI standards also helps protect merchants from PCI-related fines, which can be as high as $250,000 per incident: a merchant that can show it was compliant at the time of a breach is largely shielded from them.
A merchant that is breached while not complying with the PCI standards faces the fines mentioned above, and some card brands threaten to fine merchants up to $25,000 per month until they reach compliance.
Becoming compliant can be a costly, time-consuming and complex effort. Large merchants can spend upwards of $250,000 annually to meet the mandated requirements.
A few things can be done right away. First, make sure that prohibited information is purged after authorization; this includes the card verification codes (CVV, CVN) that PCI forbids storing at all. If the business needs to keep card numbers or expiry dates, they must be secured, either internally or by storing them remotely. Credit card tokenization, a remote storage approach, replaces the card number in each record with a unique token (in effect a customer ID) that is then used to initiate transactions or update customer files remotely, so the merchant never handles the sensitive card data itself.
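The purge-and-tokenize flow described above, as an added Python example that is not from the original article or from any PCI product: after authorization the merchant keeps only a token, the last four digits and the expiry; an in-memory vault stands in for the remote tokenization service; and an audit routine flags stored records that still hold prohibited fields or an unprotected card number, using a Luhn check so that random digit runs are not reported. The names TokenVault, store_after_authorization, audit_record and the sample card record are invented for this illustration.

```python
"""Added example (not the article's own code): minimal tokenization plus an
audit for prohibited card data at rest.

Assumptions (hypothetical, for illustration): card records are plain dicts,
the vault is an in-memory dict standing in for the remote token service, and
encryption of the vault itself is out of scope here.
"""
import re
import secrets
import string

# Sensitive authentication data that must never be stored after authorization
# (verification codes, PIN data, full magnetic-stripe track data).
PROHIBITED_FIELDS = {"cvv", "cvc", "cvn", "cid", "pin", "pin_block", "track1", "track2"}

# 13-19 digits, optionally separated by single spaces or hyphens, not adjacent
# to further digits (so a longer run such as an order number is not split up).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; every real card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return candidate card numbers (separators stripped) found in free text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


class TokenVault:
    """Stand-in for the remote tokenization service: the only place the PAN lives."""

    def __init__(self) -> None:
        self._store: dict[str, dict] = {}   # token -> {"pan": ..., "expiry": ...}

    def tokenize(self, pan: str, expiry: str) -> str:
        # Random token, unrelated to the PAN; letters only so it can never be
        # mistaken for a card number by a scanner.
        token = "tok_" + "".join(secrets.choice(string.ascii_letters) for _ in range(24))
        self._store[token] = {"pan": pan, "expiry": expiry}
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        """Initiate a transaction by token; the caller never sees the PAN."""
        rec = self._store[token]   # KeyError for an unknown token
        # A real vault would forward rec["pan"] to the processor here.
        return {"approved": True, "amount_cents": amount_cents, "last4": rec["pan"][-4:]}


def store_after_authorization(vault: TokenVault, card: dict) -> dict:
    """Build the merchant-side record that is safe to keep after authorization."""
    pan = re.sub(r"[ -]", "", card["pan"])
    token = vault.tokenize(pan, card["expiry"])
    # The CVV and the full PAN are deliberately not copied into the record.
    return {"token": token, "last4": pan[-4:], "expiry": card["expiry"], "cardholder": card["name"]}


def audit_record(record: dict) -> list[str]:
    """Explain why a stored record violates the storage rules (empty list = clean)."""
    problems = [f"prohibited field stored: {k}" for k in record if k.lower() in PROHIBITED_FIELDS]
    for key, value in record.items():
        if isinstance(value, str) and find_pans(value):
            problems.append(f"unprotected PAN in field: {key}")
    return problems


if __name__ == "__main__":
    # Constructed sample input: a test card number, not a real account.
    vault = TokenVault()
    card = {"pan": "4111 1111 1111 1111", "expiry": "12/27", "cvv": "123", "name": "J. Doe"}
    print("raw card record:", audit_record(card))
    safe = store_after_authorization(vault, card)
    print("stored record:", audit_record(safe))
    print("charge:", vault.charge(safe["token"], 1999))
```

The audit catches the two failure modes the article mentions: a record that still carries a verification code, and a card number that ended up in a free-text field because someone typed it in, which a field-name check alone would miss.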
Other simple measures that reduce the chance of a breach include tightening remote access controls, moving wireless networks from WEP to WPA (WPA2 where the hardware supports it), properly configuring firewalls, changing vendor default passwords, and encrypting all sensitive data in transit.
Regardless of a business's current situation, the cost of a breach can be enormous. A billion-dollar retailer can weather the storm, but a smaller organization rarely has the same financial depth, so the consequences may be far more severe. Whether or not the resources are readily available to pursue PCI compliance and proper data storage, it is worth making them a priority in your organization.