Press Release

Two Leading Cybersecurity Organizations Issue Joint Bulletin on Threat of Account Testing Attacks

PCI Security Standards Council (PCI SSC) and the National Cyber-Forensics and Training Alliance (NCFTA) Join Forces to Highlight Increasing Threat

Washington, D.C., October 21, 2020 – Today during the Europe Community Meeting the PCI Security Standards Council and the National Cyber-Forensics and Training Alliance (NCFTA) issued a joint bulletin to highlight an increasing threat that requires urgent awareness and attention. The full bulletin can be viewed here.

How do these attacks work?

There are different methods that criminals can use to undertake account testing, and each has a different impact on merchants and other entities in the payment lifecycle. The cardholder data in these types of attacks are obtained through two primary techniques – a Point of Interaction (POI) malware or system intrusion data breach within the cardholder data environment or by account number enumeration for fraudulent purposes.  An overwhelming majority of attacks today utilize automated software to simply enable account testing to be undertaken on a massive scale in a very short timeframe.

The assumption for all of these attacks is that the criminal has obtained a very large number of Primary Account Numbers, along with Expiry dates and the Card Verification Code or Value. Where these types of Sensitive Authentication Data (SAD) are not known, then certain account tests can be undertaken to identify and validate this data.

Who is most at risk?

Account testing attacks pose risks to issuers, acquirers and merchants, and the threat exists across many acceptance channels.  The consumer also could become the victim of financial/identity theft as a result of a successful attack.  Everyone involved in the payment chain is potentially a source of exposure and it is the responsibility of all involved to be vigilant and, on the look-out for this type of attack. Good payment security practices need to be a priority for the merchant, the payment processors as well as issuers and the acquirers.  Defeating this ever-growing attack requires a team effort from all involved parties.

What is some DETECTION red flags?

  • Account numbers being used do not exist, e.g., a card number from an un-issued BIN range.
  • Account numbers being used repeatedly with variations in the security features (expiration date, CVV2/CID, cardholder’s postal code).
  • Increase in account numbers attempted within a BIN range, particularly when used at the same merchant for small amounts. Testing may occur with sequential account numbers, or certain digits within the account number may be incremented in regular intervals.
  • Increase in AVS checks (e.g. Condition Code)
  • An increase in the percent of declines for a merchant or BIN range. Authorization testing will generate higher numbers of declines as fraudsters attempt to find the correct combination of account number, expiration date and security codes (e.g. CVV2/CID).
  • An increase in the percent of approved authorizations that do not settle for a merchant.
  • An increase in transaction velocity / volume at a new merchant or merchant with low settlement rates.
  • A rapid increase in transaction velocity / volume at a merchant that has been inactive.
  • An increase in the number of different names being submitted on transactions for a merchant when historically that merchant has submitted only a few legitimate names

What is some PREVENTION best practices?

On-the record quotes from Troy Leach, Senior Vice President, Engagement Officer:

“We have heard from many of our stakeholders in the payment community that account testing attacks are a growing trend for many businesses, large and small.” said Troy Leach, Senior Vice President, Engagement Officer of the PCI Security Standards Council.  “We felt, as a leader in payment security, now was the time to issue a bulletin with our friends and colleagues from the NCFTA who’s industry battle these threats daily.”

“There are ways to prevent these difficult-to-detect attacks however,” said Leach.  “Adherence to the PCI Data Security Standard (DSS), the PA-DSS and the PTS along with regular testing and communication up and down the payment chain is the best approach to detecting and preventing account testing attacks.”

“Following PCI SSC standards and guidance such as regular review of software and closely monitoring changes in the environment, can help defend against these attacks.”

“Now more than ever, organizations need to make cybersecurity an everyday priority,” “These attacks can hit a business both large and small.  Everyone needs to understand they are a target and they need to have a plan to protect their data.”

On-the-record quotes from Matt LaVigna, President/CEO for the National Cyber Forensics & Training Alliance (NCFTA)

“These attack techniques are of increasing significance to the merchant and financial services industries.”

“It is important that payment security stakeholders work together to educate themselves about account testing attacks and of the security controls necessary to detect and defeat them.”

“We must work together through education, training, and collaboration to effectively counter the significant growth and evolution of the account testing attacks.”

“The bulletin we are jointly issuing today should be an alarm to those who care about payment security to enhance their awareness of and defense against these techniques.  No one should assume they are immune from an account testing attack.”

About the PCI Security Standards Council
The PCI Security Standards Council (PCI SSC) leads a global, cross-industry effort to increase payment security by providing industry-driven, flexible and effective data security standards and programs that help businesses detect, mitigate and prevent cyberattacks and breaches. Connect with the PCI SSC on LinkedIn. Join the conversation on Twitter @PCISSC. Subscribe to the PCI Perspectives Blog.

The National Cyber-Forensics and Training Alliance is a nonprofit corporation founded in 2002, focused on identifying, mitigating and disrupting cybercrime threats globally.  The NCFTA was created by industry, academia and law enforcement for the sole purpose of establishing a neutral, trusted environment that enables two-way information sharing with the ultimate goal to identify, mitigate, disrupt and neutralize cyber threats.