This summer, Verizon released the 2023 Data Breach Investigations Report. They analyzed 16,312 security incidents – 5,199 of which were confirmed data breaches – that took place between November 2021 and October 2022. This represented fewer incidents than the previous year (23,000 incidents) but nearly the same number (5,200) of breaches.
In terms of payment card security, what did we learn?
“74 percent of all breaches include the human element. This includes error, privilege misuse, use of stolen credentials, or social engineering.”
The use of stolen credentials was – by far – the most common action involved in these incidents, at more than 40 percent. Others, in order of frequency, included ransomware, phishing, pretexting, and vulnerability exploits.
“83 percent of the breaches involved external actors.”
As in years past, most breaches involved people who were not directly employed by the business that was breached. Criminal groups, independent hackers, former employees, and geopolitical groups were responsible for most security incidents.
“The primary motivation for attacks continues to be financially driven, at 95 percent of breaches.”
Although far less common, espionage, ideology, and grudges were also identified as motivating factors.
Servers were the most commonly affected assets, involved in more than 80 percent of incidents.
People, user devices, networks, and media (thumb drives and/or printed documents) were also targeted, if less frequently.
Virtual currencies are an emerging concern.
As the payments landscape changes, more people are embracing cryptocurrencies such as Bitcoin and Ethereum. However, as Verizon points out: “Having assets in virtual currency is a risky endeavor at best”, with exploitation and stolen credential attacks putting these funds at risk.
Companies of all industries are viable targets.
Businesses in nearly every vertical – from manufacturing and real estate to healthcare and agriculture – were represented.
Similarly, both small businesses and large enterprises were targeted.
Small businesses (those with fewer than 1,000 employees) accounted for 699 security incidents, while large businesses (those with more than 1,000 employees) accounted for 496.
Payment card data was a surprisingly common target in the Accommodation and Food Services industry.
One might imagine that hackers would primarily focus on the retail industry when targeting credit card data. However, the 2023 DBIR found that payment card data was more frequently targeted in the Accommodation and Food Services industry, at 41 percent of incidents (as opposed to only 37 percent in retail).
Companies have many options for protecting their sensitive data.
While data breaches can’t be prevented with 100 percent certainty, they’re far from a “cost of doing business.” Companies have a variety of security measures at their disposal, including a prioritized set of best practices from the Center for Internet Security (CIS).
Some of the most commonly cited recommendations?
- Implement and manage a firewall on servers
- Implement and manage a firewall on end-user devices
- Deploy and maintain anti-malware software
- Establish an access-granting process
- Establish an access-revoking process
- Require MFA for remote network access
You can see all of the CIS controls here.
What Does the 2023 Verizon Data Breach Report Mean for You as a Merchant?
The good news: none of these security trends should be cause for alarm. If you’re already aware of the importance of strong payment card security and taking steps to keep your business systems secure (given that you’re reading this article, that seems to be a likely assumption), you’re already ahead of the game. Even if you’re a smaller organization without a designated information security department, making sure your IT team takes the time to understand your PCI compliance requirements (such as completing your annual SAQ) is an important step in the right direction.
Of course, passing some of the burden to a PCI-certified service provider can also strengthen your approach to payment card security while making life easier for your team.
At Curbstone, we’ve been in the payments industry for more than 20 years. We’ve seen countless security trends come and go – but at the end of the day, the fundamentals have always remained the same. Keep as little data on your systems as possible; consistently test your security controls; train your employees to be mindful of common threats.
If you’d like to make sure your organization is processing payment card data in the most secure, cost-effective way possible, we’d be happy to help. Take a look at the various ways our technologies can help you secure your payments or contact us to start a conversation.