Credit card transactions may be a little more secure due to the Common Vulnerability Scoring System (CVSS) Version 2, which was recently adopted by the payment card industry. The system is co-authored by researchers at the National Institute of Standards and Technology (NIST) and Carnegie Mellon University, in collaboration with 23 other organizations.
When a customer makes an electronic transaction, personal payment information is sent to a payment-card "server." The server processes the payment data, communicates the transaction to the vendor, and authorizes the purchase. According to NIST's Peter Mell, lead author of CVSS Version 2, a payment-card server is like a house with many doors. Each door represents a potential vulnerability in the operating system. Attackers check to see if any of the doors are open, and if they find one, they can take control of all or part of the server and steal financial information, such as credit card numbers.
CVSS Version 2 rates the risk of each potential vulnerability on a scale from zero to 10. The CVSS scores used by the payment card industry are those for the 28,000 vulnerabilities provided by the NIST National Vulnerability Database (NVD), sponsored by the Department of Homeland Security. The Payment Card Industry Security Standards Council plans to use NIST's upcoming enhancements to CVSS, which will identify secure configurations on operating systems and applications.