Most Merchants Do Not Store Card-Security Code, Security Firm Says

The majority of U.S. and Canadian merchants do not store credit and debit card security codes, investigators with Trustwave, a technology-security company, note in a recent report. The Chicago-based company's report includes investigations through October.

In the United States and Canada, 87% of the merchants Trustwave investigated did not store the card-security code, a three- or four-digit code printed on the card, compared with 65% of the cases in the Europe, Middle East and Africa region, the report said. The card brands use the code to help detect counterfeit cards in card-not-present transactions.

Trustwave cautioned that the data are heavily weighted to U.S. and Canadian merchants, which tend to include more card-present transaction breaches. Card-present transactions do not require the use of the card-security code.

To date globally, brick-and-mortar stores see the largest share of breaches, with 68% of investigations coming out of these locations, according to the report. E-commerce merchants account for 31% of breaches, with 1% of breaches occurring with mail-order and telephone-order merchants. The findings are not much different from those in a March report of 350 Trustwave investigations that reported that 70% of breaches were at card-present merchants and 30% were at card-not-present merchants.

In the October report, 74% of breaches in the United States and Canada were at card-present merchants, with 25% at e-commerce merchants and 1% at mail-order/telephone-order merchants. Within the Europe, Middle East and Africa region, the statistics are reversed, with 72% of breaches happening at e-commerce merchants and 28% at physical store locations, Trustwave says.
