Through October 29, 2008, Trustwave’s forensics practice has investigated 443 cases of cardholder data compromise. The information contained within this article is the culmination of almost seven years of card compromise investigations.

Key Developments in 2008: The Theft of Cardholder Data in Transit

In 2008, the most notable development in payment card compromises is the theft of cardholder data at rest (stationary on a system component) to its theft in transit (moving through a system). Trustwave experts have noted that attackers, are stealing data in real-time by eavesdropping on a certain device and stealing the data as it passes to or through a particular system rather than stealing data that is stored on that system.

One example of this is an attackers’ use of unauthorized applications—referred to as malware—that steals cardholder data from a computer’s Random Access Memory. What’s perhaps most unsettling about the trend is that a merchant can use a payment application that complies with the Payment Application Data Security Standard (PA-DSS) or Visa’s Payment Application Best Practices (PABP), but still fall victim to a compromise.

Merchants and service providers must recognize that payment card security extends beyond just using PABP or PA-DSS validated payment applications and eliminating the storage of prohibited cardholder data. Any entity involved in the processing, storage or transmission of payment card data must ensure that they comply with the Payment Card Industry Data Security Standard (PCI DSS). In the cases of track data parsing from RAM that Trustwave has examined, the intruder gained the access necessary to execute the attack because the victim organization did not comply with the PCI DSS in full.

General Payment Card Compromise Statistics

The theft of cardholder data in transit is only beginning to impact Trustwave’s compromise statistics. However, our experts expect the occurrence of these types of breaches to increase.

Below are more general statistics that, for the most part, have remained constant over the past few years.

Payment Card Acceptance Channel

Whether the compromised merchant accepts payment cards over the Internet, in person or over the telephone or through the mail; we see the greatest variation between North America and EMEA (Europe, the Middle East and Africa) cases. In North America, the majority of compromises investigated by Trustwave were of brick-and-mortar merchants. In EMEA, the majority of compromises investigated were of e-commerce merchants. This fact is the reason many of the statistics from North America and EMEA differ as they do.

Industry

Businesses involved in the food service and retail segments make up the majority of compromises investigated by Trustwave, with approximately half of the compromises occurring at food service locations. In North America, the majority of compromises occurred at food service establishments. In the EMEA region, the majority of Trustwave investigations were of payment card breaches at merchants within the retail sector.

Cases by Responsibility for Payment System Administration

Many North American merchants investigated by Trustwave use outdated payment systems or do not configure them securely. Misconfigured payment applications will store or insecurely transmit cardholder data that can be stolen by an attacker. Many times a third party configured those payment applications and so negligence on the part of the third party more often contributes to the payment card compromises investigated in North America. Because the use of outmoded payment applications is not as prevalent in EMEA as in North America, neither are the problems caused by third-party installation, configuration or maintenance of such payment applications.
Common PCI DSS Failures of Compromised Merchants

For the most part, while the frequency of failure may be less, the PCI DSS requirements that compromised merchants fail to meet correspond in EMEA and North America. The PCI DSS requirements that compromised merchants failed to fulfill include:

• Requirement 3: Protect stored cardholder data
• Requirement 6: Develop and maintain secure systems and applications
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 12: Maintain a policy that addresses information security for employees and contractors

Cases by Technical Cause

Trustwave finds that five technical causes contribute to the majority of payment card compromises across both North America and EMEA:

• SQL Injection: Exploiting flaws in a Web application to force a back-end database to disclose information stored in the database (such as cardholder data)
• Remote Access: Accessing remote control software used to operate a computer from remote locations
• Backdoor/Trojan: Installing malware onto a system to gain access to a network
• Perimeter Security Issue: Lack of or insecurely configured perimeter security
• Weak Passwords: Guessing authentication credentials (username and password)

The majority of compromises investigated by Trustwave in North America occurred due to insecure payment applications that store prohibited data; however, as previously noted, the theft of cardholder data in transit is on the rise.

SQL injection is the number one cause of compromise cases investigated by Trustwave in EMEA. Again this can be attributed to the fact that more e-commerce merchants are compromised in EMEA. An e-commerce merchant must have a public-facing Web site in order conduct business and so leaves a section of their system open for attack.

Conclusion and Merchant Action Items

The key take-away from this analysis of card compromise cases should be that merchants must comply with the PCI DSS. Plenty of data security pundits continue to disparage the standard. However, the PCI DSS provides a comprehensive security standard that if followed, prevents the theft of cardholder data. To protect themselves and their customers, merchants must take a holistic approach to data security—an approach such as that prescribed and explained in the PCI DSS.

---

Related articles:

Report: Still problems with PCI compliance Cubic achieves PCI-DSS certification, provides transit operators with one less step PCI on campus