Cequence Security reports retail bears 66.5% of malicious traffic as PCI DSS 4.0 deadline approaches

Cequence’s CQ Prime threat research reveals 300M account takeover attempts, with retail facing the brunt of malicious traffic.

Cequence Security has reported a marked increase in cyber threats as businesses rush to meet the March 31 Payment Card Industry Data Security Standard (PCI DSS) 4.0 compliance deadline. The newly released findings from Cequence's CQ Prime threat research team highlight serious risks of API-driven fraud, credential stuffing, and abuse of payment systems, particularly impacting the retail and financial services sectors.

The report, leveraging data from billions of actual transactions and attacks where Cequence's Unified Application Programming Interface (API) Protection (UAP) platform was applied, underscores the expansive attack surface available to cybercriminals targeting payment infrastructure, loyalty programs, and product pricing systems.

Among the main findings was the scale of credential attacks: over 300 million account takeover (ATO) attempts were blocked last year alone, demonstrating the intensifying assault from credential stuffing. Retail verticals were notably impacted, facing over 66% of all malicious traffic, largely attributable to high transaction volumes that expose gaps in security defenses.

Cequence also identified a vast number of non-ATO bot-driven attacks targeting product pricing, with 822 million attempts blocked. Attackers used scrapers to manipulate algorithms and undercut legitimate pricing. Loyalty programs were also exploited, with 22 million fraudulent actions thwarted; these programs are vulnerable because reward points are commonly liquidated more easily than stolen credit cards.

In a statement, Randolph Barr, CISO at Cequence, remarked, “Account takeovers remain the biggest threat, but we’re also seeing a wave of new, highly sophisticated attacks exploiting every stage of the digital payment process. The common thread? APIs. Attackers are sidestepping traditional security defenses and going straight for API endpoints that handle cardholder data—one of the most critical yet overlooked vulnerabilities.”

In light of the PCI DSS 4.0 updates, Cequence encourages businesses to adopt specific measures to enhance security. These include ensuring secure data transmission by encrypting Primary Account Number (PAN) information across public networks and securing API endpoints, focusing on transmitting only encrypted data.

Businesses are advised to identify vulnerabilities proactively in custom application code before rollout, perform continuous testing and monitoring for anomalies, and deploy automated preventive controls to safeguard against both standard and business logic attacks. Implementing real-time threat prevention is essential to block malicious traffic before it impacts applications.

With these concerted efforts, organizations can better position themselves to comply with evolving Payment Card Industry (PCI) standards while effectively mitigating burgeoning cyber threats.