PCI Security Standards Council®



Two Leading Cybersecurity Organizations Issue Joint Bulletin on Threat of Account Testing Attacks

PCI Security Standards Council (PCI SSC) and the National Cyber-Forensics and Training Alliance (NCFTA) Join Forces to Highlight Increasing Threat

Washington, D.C., October 21, 2020 – Today during the Europe Community Meeting the PCI Security Standards Council and the National Cyber-Forensics and Training Alliance (NCFTA) issued a joint bulletin to highlight an increasing threat that requires urgent awareness and attention. The full bulletin can be viewed here.

How do these attacks work?

There are different methods that criminals can use to undertake account testing, and each has a different impact on merchants and other entities in the payment lifecycle. The cardholder data in these types of attacks is obtained through two primary techniques: Point of Interaction (POI) malware or a system-intrusion data breach within the cardholder data environment, or account number enumeration for fraudulent purposes. An overwhelming majority of attacks today use automated software, which allows account testing to be undertaken on a massive scale in a very short timeframe.

The assumption for all of these attacks is that the criminal has obtained a very large number of Primary Account Numbers, along with Expiry dates and the Card Verification Code or Value. Where these types of Sensitive Authentication Data (SAD) are not known, then certain account tests can be undertaken to identify and validate this data.
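The automated, high-volume nature described above is what a defender can key on. The following is an added example (not code from the bulletin, PCI SSC or NCFTA) of a simple velocity check over constructed authorization-log lines; the log format, the thresholds and the use of BIN plus last four digits as an account key are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorization log (not real data):
# timestamp  source_ip  BIN  last4  amount  result
LOG = """\
2020-10-21T10:00:01 203.0.113.5 411111 0001 1.00 DECLINED
2020-10-21T10:00:02 203.0.113.5 411111 0002 1.00 DECLINED
2020-10-21T10:00:02 203.0.113.5 411111 0003 1.00 APPROVED
2020-10-21T10:00:03 203.0.113.5 411111 0004 1.00 DECLINED
2020-10-21T10:00:04 203.0.113.5 411111 0005 1.00 DECLINED
2020-10-21T10:00:05 203.0.113.5 411111 0006 1.00 DECLINED
2020-10-21T10:00:30 198.51.100.7 555555 9876 42.50 APPROVED
2020-10-21T10:05:00 198.51.100.7 555555 9876 12.00 APPROVED
"""

# Assumed thresholds; tune them to the merchant's normal traffic.
WINDOW = timedelta(seconds=60)
MIN_ATTEMPTS = 5
MIN_DISTINCT_ACCOUNTS = 4
MIN_DECLINE_RATE = 0.5

def parse(line):
    ts, ip, bin_, last4, amount, result = line.split()
    # BIN+last4 stands in for a real account token; never log full PANs.
    return datetime.fromisoformat(ts), ip, bin_ + last4, float(amount), result

def flag_sources(log_text):
    """Return {source_ip: reason} for sources whose attempts inside one
    WINDOW look like automated account testing: many attempts spread over
    many distinct accounts with a high decline rate."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        by_ip[rec[1]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort()  # chronological order per source
        for i, (t0, _, _, _, _) in enumerate(recs):
            window = [r for r in recs[i:] if r[0] - t0 <= WINDOW]
            if len(window) < MIN_ATTEMPTS:
                continue
            accounts = {r[2] for r in window}
            decline_rate = sum(r[4] == "DECLINED" for r in window) / len(window)
            if len(accounts) >= MIN_DISTINCT_ACCOUNTS and decline_rate >= MIN_DECLINE_RATE:
                flagged[ip] = (f"{len(window)} attempts on {len(accounts)} accounts "
                               f"in {WINDOW.seconds}s, {decline_rate:.0%} declined")
                break  # one hit per source is enough to raise an alert
    return flagged
```

In the sample, the first source trips the rule (six accounts in five seconds, five of six declined) while the second, with two approved purchases minutes apart, does not.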

Who is most at risk?

Account testing attacks pose risks to issuers, acquirers and merchants, and the threat exists across many acceptance channels. The consumer also could become the victim of financial/identity theft as a result of a successful attack. Everyone involved in the payment chain is potentially a source of exposure, and it is the responsibility of all involved to be vigilant and on the lookout for this type of attack. Good payment security practices need to be a priority for the merchant and the payment processors as well as issuers and the acquirers. Defeating this ever-growing attack requires a team effort from all involved parties.

What are some DETECTION red flags?

What are some PREVENTION best practices?

On-the-record quotes from Troy Leach, Senior Vice President, Engagement Officer:

“We have heard from many of our stakeholders in the payment community that account testing attacks are a growing trend for many businesses, large and small,” said Troy Leach, Senior Vice President, Engagement Officer of the PCI Security Standards Council. “We felt, as a leader in payment security, now was the time to issue a bulletin with our friends and colleagues from the NCFTA, whose industry battles these threats daily.”

“There are ways to prevent these difficult-to-detect attacks, however,” said Leach. “Adherence to the PCI Data Security Standard (DSS), the PA-DSS and the PTS, along with regular testing and communication up and down the payment chain, is the best approach to detecting and preventing account testing attacks.”

“Following PCI SSC standards and guidance, such as regular review of software and closely monitoring changes in the environment, can help defend against these attacks.”

“Now more than ever, organizations need to make cybersecurity an everyday priority. These attacks can hit a business both large and small. Everyone needs to understand they are a target and they need to have a plan to protect their data.”

On-the-record quotes from Matt LaVigna, President/CEO of the National Cyber-Forensics and Training Alliance (NCFTA):

“These attack techniques are of increasing significance to the merchant and financial services industries.” 

“It is important that payment security stakeholders work together to educate themselves about account testing attacks and of the security controls necessary to detect and defeat them.” 

“We must work together through education, training, and collaboration to effectively counter the significant growth and evolution of the account testing attacks.”

“The bulletin we are jointly issuing today should be an alarm to those who care about payment security to enhance their awareness of and defense against these techniques. No one should assume they are immune from an account testing attack.”

About the PCI Security Standards Council 
The PCI Security Standards Council (PCI SSC) leads a global, cross-industry effort to increase payment security by providing industry-driven, flexible and effective data security standards and programs that help businesses detect, mitigate and prevent cyberattacks and breaches. Connect with the PCI SSC on LinkedIn. Join the conversation on Twitter @PCISSC. Subscribe to the PCI Perspectives Blog.

The National Cyber-Forensics and Training Alliance is a nonprofit corporation founded in 2002, focused on identifying, mitigating and disrupting cybercrime threats globally. The NCFTA was created by industry, academia and law enforcement for the sole purpose of establishing a neutral, trusted environment that enables two-way information sharing, with the ultimate goal of identifying, mitigating, disrupting and neutralizing cyber threats. https://www.ncfta.net/
