Despite the risk of severe penalties from credit card transaction networks, only 21 percent of merchants passed a payment security audit conducted by experts from Verizon. The communications company uses both voice and data lines to move data from retailers to bank servers, so it regularly measures how well its clients comply with industry standard security measures.
The latest version of the Verizon Payment Card Industry Compliance Report suggests that most retailers can do much more to prevent credit card numbers from falling into the hands of fraudsters and identity thieves.
Verizon's report graded organizations on each of the 12 requirements that make up the Payment Card Industry Data Security Standard (PCI DSS). Researchers found that merchants faced the toughest challenges with:
- protecting stored cardholder expiration dates
- tracking and monitoring access to saved credit card data
- regularly testing systems and processes
- maintaining security policies
Verizon's researchers found that many merchants felt overconfident about their policies and procedures, often ignoring the threats that posed the highest risk. Small companies often assume their size makes them less likely targets for identity thieves. However, two-thirds of corporate data attacks occurred at businesses with fewer than 100 employees. In its annual report, Visa stated that 95 percent of credit card breaches against its cardholders happen at small businesses.
How merchants can enhance security
Credit card industry analysts at Business Owners Liability Team (BOLT), a corporate insurance provider, corroborated many of Verizon's findings. For example, BOLT researchers report that merchants can significantly enhance their security by:
- requiring secure passwords
- installing Internet firewalls to detect intrusions
- storing credit card data on fixed servers instead of on laptops
- training employees not to respond to social engineering attempts
- restricting employee access to customer information
BOLT and Verizon both note that companies rarely have the internal expertise to fully detect potential threats. Independent security audits based on the PCI DSS can help owners and managers verify that customer credit card details are properly protected, reducing the risk of costly chargebacks and lawsuits.