Visa issues new alert, identifies leading causes of data breaches

Hackers target vulnerable POS systems they suspect store card data, Visa U.S.A. recently warned, and, in conjunction with the U.S. Chamber of Commerce, stated the five leading causes of data breaches and specific prevention strategies for each.

The five leading causes of card-related data breaches

  1. Storage of mag stripe data – The most common cause of data breaches occurs when a merchant or service provider stores sensitive information encoded on the card’s mag stripe in violation of PCI. This can happen because a number of POS systems improperly store this data, and the merchant may not be aware of it.
  2. Missing or outdated security patches – In this scenario, hackers are able to penetrate merchants’ or service providers’ systems because they have not installed up-to-date security patches, leaving their systems vulnerable to intrusion.
  3. Use of vendor supplied default settings and passwords – In many cases, merchants receive POS hardware or software from outside vendors, which install them using default settings and passwords that are often widely known to hackers and easy to guess.
  4. SQL injection – Criminals use this technique to exploit Web-based applications for coding vulnerabilities and to attack a merchant’s Internet applications (e.g. shopping carts).
  5. Unnecessary and vulnerable services on servers – Vendors often ship servers with unnecessary services and applications enabled, although the user may not be aware of it. Because the services may not be required, security patches and upgrades may be ignored and the merchant system exposed to attack.

Source: Visa U.S.A. and the U.S. Chamber of Commerce

Visa is aware of credit and debit card account information compromises occurring from improperly stored magnetic stripe, or track, data after transaction authorizations are completed. Track data refers to the information encoded in Tracks 1 and 2 of the mag stripe.

The card Association has also observed compromises involving improperly stored card verification value 2 (CVV2) data, PINs and PIN blocks.

To guard against compromises, Visa advised merchants to implement the following strategies:

  • Ask their POS or payment software vendor (or reseller/integrator) to confirm their software version does not store mag stripe data, CVV2, PINs or encrypted PIN blocks. If it does, they should have these elements removed immediately.
  • Ask their payment software vendor for a list of files written by the application and a summary of the content to verify prohibited data is not stored.
  • Review custom POS applications for any evidence of prohibited data storage. Eliminate any functionality that enables storage of this data.
  • Search for and expunge all historical prohibited data elements that may reside within their payment system infrastructure.
  • Confirm that all cardholder data storage is necessary and appropriate for the transaction type.
  • Verify that their POS software version has been validated as compliant with the Visa Payment Application Best Practices. A list of PABP-compliant applications is available at

Merchants are permitted to store only specific data elements from the mag stripe to support card acceptance, according to Visa. This data includes cardholder’s name, primary account number, expiration date and service code. However, merchants should store this data only if needed, and they must protect it as required by the Payment Card Industry (PCI) Data Security Standard.

Merchants can limit damage from a compromise by not storing track data, CVV2, PINs and PIN blocks. Merchants sometimes store track and other data in the mistaken belief they need it to process merchandise returns and transaction reversals. Acquirers should ensure their merchants have proper processes for each type of transaction, Visa stated.

Merchants who have made improvements to protect customer data

The most-effective weapon

The findings on data breaches came from a detailed review of the card security environment, including common fraud techniques, potential areas of weakness by card-accepting merchants and emerging threats.

“The single most effective weapon in the battle against today’s data theft is education,” said Sean Heather, Executive Director of the U.S. Chamber of Commerce, which, with Visa, conducted a survey of 600 small merchants in 12 target areas.

The survey of businesses accepting credit cards for payments revealed:

  • 64% accept PIN debit.
  • 42% do not worry about securing customer information.
  • 5% have had an incident of lost, hacked or stolen customer data.
  • 29% made improvements to protect customer information, including card data, within the previous three months; 63% did so within the previous year.
  • The top three improvements (14% each) included 1) securing information physically or by adding password-protection; 2) identifying account numbers by the last four digits only; and 3) shredding or eliminating storage of customer information.

An astounding 82% did not know what mag-stripe data is. More businesses (34%) spend a greater share of their resources preventing theft of products and cash than in securing customer data (20%). Some 69% handle data security in-house.

The Visa alert, along with answers to data security questions, can be found at the Chamber’s Web site: More information is also available at