Over 60 percent of malicious traffic targets retailers ahead of PCI DSS 4.0 deadline

As we approach the 31st March deadline for compliance with the new PCI DSS 4.0 payment security standard, new data from Cequence Security shows automated fraud is increasing, with retailers facing 66.5 percent of all malicious traffic.

Using data from real transactions and attack data from Cequence's Unified API Protection (UAP) platform, the report highlights the growing attack surface cybercriminals exploit in payment infrastructure, loyalty programs, and product pricing systems.

More than 300 million account takeover (ATO) attempts were blocked by the platform in the past year, illustrating the growing scale of credential stuffing attacks. 822 million attempts at product search and pricing abuse were blocked, as 89 percent of non-ATO bot-driven attacks focused on scraping product pricing.

Loyalty schemes have come under attack too: over 22 million fraudulent attempts were blocked as attackers exploited loyalty programs, treating reward points like cash. These accounts are frequently targeted because they are easier to liquidate than stolen credit cards, and the fraud often goes undetected until significant losses occur.

Credit cards are still a target, though, with over 69 million attempts blocked as cybercriminals mass-tested stolen credit card details through low-risk transactions before making larger fraudulent purchases, fueling the circulation of compromised payment data.

"PCI DSS 4.0 is pushing businesses to modernize security, but many are still scrambling to catch up, giving attackers the perfect opportunity to strike," says Randolph Barr, CISO at Cequence. "Account takeovers remain the biggest threat, but we're also seeing a wave of new, highly sophisticated attacks exploiting every stage of the digital payment process. The common thread? APIs. Attackers are sidestepping traditional security defenses and going straight for API endpoints that handle cardholder data -- one of the most critical yet overlooked vulnerabilities. Businesses that focus only on compliance risk falling behind."

You can read more on the Cequence blog and there's an infographic summary below.
