Skip Navigation
2016 PCI Standard Security Report

2016 PCI Standard Security Report

The PCI standard continues to evolve to address the latest cybercriminal tactics for obtaining cardholder data. Building a strong security framework and implementing best practices can make it easier for you to integrate new PCI standards. Review our 2016 Trustwave Global Security Report for an enlightened glimpse into the secret world of cybercriminals and the entrepreneurial methods they are using to maximize profits from malicious attacks. View the Understanding PCI DSS 3.2 webinar slides to learn how the 2016 Trustwave Global Security Report validates recent PCI standards updates.

Compromises affectingcorporate and internal networksincreased to 40 percent in 2015,up from 18 percent in 2014

In the majority of incidents, attackers were after payment card data, split about evenlybetween card track (magnetic stripe) data (31 percent of incidents), which came mainlyfrom POS environments, and card-not-present (CNP) data (29 percent), which mostlycame from e-commerce transactions. In 10 percent of cases examined, the attackerssimply sought to destroy or damage information, rather than to collect it. Other attackerssought proprietary information (11 percent), financial credentials (7 percent), and personallyidentifiably information (PII) (4 percent). In some cases, multiple types of data wereexposed and targeted, meaning that the exposure of any one type of data does not reflectthe totality of the breach. For this particular statistic, we’ve reported the primary data typetargeted.

We classify the IT environments in which breaches take place into the following categories:

■ POS environments include the dedicated “cash registers” where businesses accept paymentfor in-person retail transactions. POS terminals process payment cards using magneticstripe scanners and smart card readers. Most run versions of the Windows Embedded orLinux operating systems customized for POS devices, and they are usually networked totransmit card and sale data to a centralized location and/or a financial institution.

■ E-commerce environments include web server infrastructures dedicated to websitesthat process payment information and/or personally identifiable information (PII).

■ Corporate and internal network environments comprise enterprise networks in general, and caninclude sensitive data that was originally collected in a POS or e-commerce environment.In keeping with their limited and specialized function, all of the incidents affecting POS environments targetedtrack data, the information encoded on a payment card’s magnetic stripe (but not on the smart cards used inchip-and-PIN transactions, which are significantly more secure). Most of the incidents affecting e-commerceenvironments targeted CNP data, while incidents involving corporate and internal networks targeted a range ofdifferent data types.