The number of reported data security breaches continues to increase while becoming more diverse and sophisticated.  

The three basic types of data security breaches that can lead to a data compromise are described below.

  • Physical
  • Electronic
  • Skimming

A physical breach involves the physical theft of documents or equipment containing cardholder account data, such as cardholder receipts, files, PCs, or Point-of-Sale terminals.

Follow these steps to help protect your business from a physical breach:

Track technology inventory

  • Keep track of what you own and who has possession of the physical technology:
    • Laptop and desktop computers
    • Servers
    • Any other technologies that may contain cardholder data, such as Point-of-Sale equipment (stand-alone dial-up terminals)
    • Any other physical asset that may contain cardholder data, such as hardcopy faxes and credit card receipts

Secure technology

  • Once you have recorded the technology your organization owns and who has possession, secure it:
    • Engrave or affix asset tags to laptops and any Point-of-Sale equipment used to process credit cards.
    • Lock desktops to desks.
    • Institute a policy requiring laptops to be locked away at the end of the business day.
    • Ensure your computer server/data center is in a locked room.
    • Use lock boxes, safes or locking file cabinets to store sensitive hardcopy documents, especially credit card receipts.

Monitor physical access
  • Monitor and restrict physical access where your technology is stored and used to process cardholder data:
    • Computer rooms with servers involved in the credit card acceptance chain
    • Credit card receipt storage rooms
    • Mail order processing areas
Best practices include:
  • Monitor employees who use Point-of-Sale terminals and convey clearly-defined restrictions to them
  • Install cameras at computer room entrances and exits as well as check-out lanes where Point-of-Sale terminals are positioned.  Define procedures to monitor the cameras and keep recorded footage for at least three months.
  • Require ID badges for access to sensitive data centers
  • Maintain a log of visitors to sensitive facility areas (video recordings of who accessed these areas can help determine cause and liability in a data security incident)

Educate employees and enforce security policies
  • The PCI DSS requires organizations to educate employees about security policies and practices, which could include:
    • Defined procedures and restrictions on access and usage of technology involved in the processing of credit cards
    • Encryption used during transmission of cardholder data across open public networks
    • Destruction of media containing cardholder or sensitive data
    • Restricted versus non-restricted areas
    • Distinguishing visitors from employees
    • Ensuring all credit card transactions processed through Point-of-Sale devices are settled and purged from the device on a daily basis

A physical breach can also involve terminal scams. This involves individuals attempting to tamper with merchant Point-of-Sale terminals in order to gain access to card data contained in the device or to perpetrate fraud using the device.

Merchants and branch locations have reported attempted terminal scams involving phone calls received by merchants in which the caller attempts to reprogram client terminals.

In one instance, a caller claimed to be from a company called Payment System. The caller said he needed to adjust the merchant’s credit card machine over the phone. When asked, the hacker gave a name and non-working phone number. The caller also wanted to talk with the owner of the company, but quickly hung up when questioned.

In another scenario a caller who claims to be from the wholesale division of Visa or MasterCard, says the merchant now qualifies for a wholesale rate versus the retail rate currently being assessed. The caller makes an appointment to meet with the merchant (where the terminal is located) to discuss and adjust the rates.

If you are contacted by someone using these or similar methods, do not allow anyone to modify your terminals until you verify the request.

Call the Bank of America Merchant Services customer service number on your statement to report the incident and verify the request, whether it is by phone or in person, pertaining to your terminals. You will be asked to provide:
  • Terminal type 
  • Payment application 
  • PIN-pad device, if applicable 
  • As much information as you have about the caller, such as the caller’s name and telephone number

An electronic breach is the unauthorized access to, or deliberate attack on, a system or network environment (at a business or its third party processor) where cardholder data is processed, stored or transmitted. This is often the result of attackers reaching a system's vulnerabilities through application-level attacks on Web servers or Web sites.

Examples of system vulnerabilities: 

  • Unsecured remote access (vendor and employee): remote access should only be available on demand
  • Unsecure network configurations: poorly configured or missing firewalls and poor monitoring of access
  • Lack of proper password management: using weak passwords that are easily guessed by hackers, or vendor default passwords
  • Improper storage of allowed cardholder data and storage of prohibited cardholder data (full track data and CVV2/CVS)
  • Encryption mismanagement or lack of encryption when transmitting cardholder data
  • Lack of or expired anti-virus, anti-spyware and anti-malware software
  • Lack of proper access restrictions to cardholder data systems

Methods used in electronic breaches:

A packet sniffer is an application that intercepts and logs traffic passing over a digital network or part of a network. This is a standard tool that has been used in network troubleshooting and analysis for many years. Unfortunately, this tool is increasingly being used by fraudsters to collect card data in transit inside merchants' networks.

How does it work?
  • Full magnetic stripe credit/debit card data is read and recorded in transit during the authorization process
  • Credit/debit card data does not have to be stored within the merchant's system
  • Utilizes a variety of legitimate Windows® file names
  • Difficult to detect by virus security detectors
  • Can be removed at any time by the fraudster

Structured Query Language (SQL) injection is a technique used to exploit e-commerce Web sites and Web-based applications that manage card accounts (e.g., PIN updates, monetary additions, account holder updates).

How does it work?
  • Malicious code is inserted into user-input variables that are connected to or paired with SQL commands and executed
  • SQL injection assists hackers in infiltrating a company's Web site, where no sensitive data exists, and ultimately its core processing network; from there they navigate to systems where the card data is stored or transmitted
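An added example, not code from the original page, showing the defect described above in working code: an account lookup that splices user input into the SQL text, beside the same lookup using parameter binding, run against a constructed SQLite table (the table, the account IDs and the `is_valid_account_id` format check are assumptions for the demo).

```python
import re
import sqlite3

ACCOUNT_ID_RE = re.compile(r"^[A-Z]\d{3}$")  # assumed account-ID format for this demo


def build_db():
    """Constructed in-memory table standing in for a card-account database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (account_id TEXT, holder TEXT, pan_last4 TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("A100", "Jane Doe", "1111"), ("A200", "John Roe", "4444")],
    )
    return conn


def lookup_unsafe(conn, account_id):
    """Vulnerable: the input is spliced into the SQL text, so quote characters
    in it change the statement instead of being compared as data."""
    sql = ("SELECT holder, pan_last4 FROM accounts WHERE account_id = '"
           + account_id + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, account_id):
    """Hardened: the driver binds the input as a parameter, so its contents
    can never alter the structure of the statement."""
    sql = "SELECT holder, pan_last4 FROM accounts WHERE account_id = ?"
    return conn.execute(sql, (account_id,)).fetchall()


def is_valid_account_id(value):
    """Defence in depth: reject input that does not match the expected
    account-ID format before it reaches any query at all."""
    return ACCOUNT_ID_RE.fullmatch(value) is not None


if __name__ == "__main__":
    db = build_db()
    injected = "' OR '1'='1"
    print("unsafe, normal input :", lookup_unsafe(db, "A100"))
    print("unsafe, injected     :", lookup_unsafe(db, injected))  # every row
    print("safe, injected       :", lookup_safe(db, injected))    # no rows
    print("format check         :", is_valid_account_id(injected))  # False
```

The unsafe lookup returns every account for the injected input because the quote closes the literal and the rest becomes part of the WHERE clause; the bound version compares the whole string as data and returns nothing.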

Among the most dangerous of so-called "spyware," key logging inserts programs into a merchant's network systems using malware, which is then used to capture and record data-entry keystrokes. Some more sophisticated programs can also capture screenshots containing data even though no data is typed. This can allow fraudsters to obtain direct access to card data or to the system passwords that lead to it. The card data obtained is then used in fraudulent transactions.

How does it work?
  • Simple programs can be written in a couple of days; sophisticated ones take longer
  • Capture and record everything the user is doing:  keystrokes, mouse clicks, sites visited, even files that are opened without data being typed
  • Difficult to detect by virus security detectors

Memory dumping and memory parsing malware are becoming more and more prevalent in data compromise events as the method used to obtain credit card information. The two malware applications are used in conjunction with each other to extract full magnetic stripe data from volatile memory, otherwise known as RAM.

How does it work?
  • The memory dumping malware continuously copies payment process memory to an output file
  • The memory parsing malware then schedules memory dumps and parses the output file for full track data

These steps can help protect your business against the compromise of systems and network environments that contain or transmit cardholder data:
  • Never store prohibited cardholder data such as track data or card security codes on payment applications or in credit card processing environments.
  • Use only secure Web and database servers.  Ensure that all systems, including Web and database servers, are routinely updated with the current vendor security patches.
  • Utilize strong, up-to-date anti-virus, anti-spyware and anti-malware software
  • Avoid “easy to guess” or system default passwords.  Utilize strong administrative password management software so only authorized persons can access them.
  • Validate your payment applications’ compliance with the Payment Application Data Security Standard (PA-DSS) or undergo a Payment Card Industry Data Security Standard (PCI DSS) code review. 
  • Segment system and network environments where cardholder data is processed, stored or transmitted away from public networks such as the Internet. 
  • Implement firewalls where necessary. Be sure that firewalls are properly configured to only allow inbound and outbound traffic that is necessary to day-to-day business.
  • Secure remote access applications and enable two-factor authentication as required by the PCI DSS.  Remote access to systems should only be available on-demand.
  • Schedule network scans for vulnerabilities and take immediate action to remediate the weakness when a vulnerability is identified.
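An added example, not code from the original page, that applies the track-data layout described above defensively: it scans text such as payment-application logs or exports for stored Track 1 / Track 2 data (which the first step above says must never be kept), discarding digit runs that fail the Luhn check so timestamps and transaction IDs do not trigger findings. The sample log lines and the industry test card numbers in them are constructed.

```python
import re

# Layout of the two stripe tracks: Track 1 begins "%B" and Track 2 begins ";";
# both carry the full PAN, an expiry (YYMM), a three-digit service code and
# discretionary data up to the "?" end sentinel.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{7}[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{7}[^?]*\?")


def luhn_valid(pan):
    """Mod-10 check: digit strings that fail it are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Report only the first six and last four digits, so the finding itself
    does not become another copy of prohibited data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text):
    """Return (line number, track type, masked PAN) for every stored track."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for match in pattern.finditer(line):
                pan = match.group(1)
                if luhn_valid(pan):
                    findings.append((lineno, label, mask_pan(pan)))
    return findings


# Constructed sample: a payment-application log that wrongly logged raw swipes.
# The PANs are industry test numbers; the one on line 4 fails the Luhn check.
SAMPLE_LOG = """\
2024-03-01 10:15:02 auth approved pan=411111******1111 amount=42.10
2024-03-01 10:15:03 DEBUG raw swipe: ;4111111111111111=2512101123456789?
2024-03-01 10:16:44 DEBUG raw swipe: %B5555555555554444^DOE/JANE^2601101000000000?
2024-03-01 10:17:00 DEBUG raw swipe: ;1234567890123456=2512101000000000?
"""

if __name__ == "__main__":
    for lineno, kind, pan in find_track_data(SAMPLE_LOG):
        print(f"line {lineno}: stored {kind} data for PAN {pan}")
```

Line 1 is a correctly masked record and produces no finding; lines 2 and 3 are the ones a merchant would have to remove and investigate.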

Other recommendations:
  • Establish standard company procedures for systems log management to include:
    • Centralized logging
    • Daily review of logs
    • Protection of logs from unauthorized access
    • Keeping a history of logs for at least the length of time required by the PCI DSS
  • Review and amend vendor contracts to include PCI DSS fundamental security practices. It is recommended that merchants only use third party providers that understand and operate in compliance with the PCI DSS.

Skimming involves the capture and recording of card magnetic stripe data using an external device which is sometimes installed on a merchant’s Point of Sale System (POS). Skimming can also involve a dishonest employee utilizing an external device to collect the card magnetic stripe data. The data is then used to create counterfeit credit and debit cards.

How is it done? 
  • Restaurants and bars are common scenes for skimming because the perpetrator has physical possession of the victim’s credit card.  In this situation, the perpetrator often uses a device so small it can fit in the palm of your hand to read and store data encoded in the magnetic stripe on the back of the victim’s credit card. The perpetrator may also use a small keypad device to record the three or four-digit security code printed in the signature box.  
  • Skimming can also involve PIN-debit transactions. In some cases, the perpetrator places a device over the card slot on an ATM to read the magnetic stripe as cardholders pass their cards through it. These devices are often used in conjunction with pinhole cameras to record the cardholder’s unique personal identification number (PIN).
  • Skimming may involve tampering with vulnerable Point-of-Sale terminals and PIN-pad equipment. Typically, a perpetrator inserts a device into the terminal or PIN-pad at the merchant location, then uses it to collect credit card and PIN data. 
  • The petroleum industry experiences a high occurrence of skimming. Perpetrators take advantage of widespread pay-at-the-pump devices, often targeting high-volume locations to access the pump's card reader technology without detection. In a matter of minutes, a skimmer attaches a device that records data encoded on the card's magnetic stripe. Pinhole cameras are sometimes used to record the cardholder's PIN while the device is capturing card data.

How to minimize potential for skimming
  • Closely monitor handling of cards when employees have frequent physical possession of credit cards out of view of the cardholder.
  • Closely monitor activity on Point-of-Sale terminals and PIN-pad devices. 
  • Regularly check equipment for attached skimming devices or evidence of tampering.
  • Ensure you are not using a known vulnerable Point-of-Sale terminal or PIN-pad device by contacting your credit card processing service provider.
  • Petroleum businesses should have procedures to monitor activity at outdoor Point-of-Sale pumps. This must include opening devices regularly to check for tampering or installed skimming devices.
