Cequence Security Research Uncovers 66.5% of Malicious Traffic Targets Retailers as PCI DSS 4.0 Deadline Looms

Cequence’s CQ Prime threat research reveals 300M account takeover attempts, with retail facing the brunt of malicious traffic

SANTA CLARA, Calif. — March 26, 2025 — Cequence Security, a leader in API security and bot management, today unveiled new insights from its CQ Prime threat research team that reveal a surge in cyber threats as businesses race to comply with the March 31 PCI DSS 4.0 deadline. The research underscores the escalating risks of API-driven fraud, credential stuffing and payment system abuse, particularly in retail and financial services.

Drawing on billions of real transactions and attack data from Cequence’s Unified API Protection (UAP) platform, the report highlights the growing attack surface cybercriminals exploit in payment infrastructure, loyalty programs and product pricing systems.

For a visual summary of the report’s findings, including how attackers are bypassing traditional security layers and strategies to defend against them, download the infographic here.

Key Findings:

  • Scale of Credential Attacks: As the PCI DSS 4.0 deadline approaches, automated fraud is accelerating. More than 300 million account takeover (ATO) attempts were blocked in the past year, illustrating the growing scale of credential stuffing attacks.
  • Retail’s High-Stakes Battleground: Retailers faced 66.5% of all malicious traffic, highlighting their vulnerability due to high transaction volumes and fragmented security postures.
  • Product Search & Pricing Abuse: A staggering 822 million attempts were blocked as 89% of non-ATO bot-driven attacks focused on scraping product pricing. This enables competitive algorithm manipulation, scalping, and real-time price undercutting of legitimate retailers.
  • Loyalty Rewards Abuse: Over 22 million fraudulent attempts were blocked as attackers exploited loyalty programs, treating reward points like cash. These accounts are frequently drained due to easier liquidation than stolen credit cards, often going undetected until significant losses occur.
  • Shopping Cart & Inventory Abuse: Nearly 6 million attacks were prevented as fraudsters weaponized automation to hoard high-demand products.
  • Credit Verification Fraud: Over 69 million attempts were blocked as cybercriminals mass-tested stolen credit card details through low-risk transactions before making larger fraudulent purchases, fueling the circulation of compromised payment data.

“PCI DSS 4.0 is pushing businesses to modernize security, but many are still scrambling to catch up—giving attackers the perfect opportunity to strike,” said Randolph Barr, CISO at Cequence. “Account takeovers remain the biggest threat, but we’re also seeing a wave of new, highly sophisticated attacks exploiting every stage of the digital payment process. The common thread? APIs. Attackers are sidestepping traditional security defenses and going straight for API endpoints that handle cardholder data—one of the most critical yet overlooked vulnerabilities. Businesses that focus only on compliance risk falling behind.”

While PCI DSS 4.0 introduces critical security updates, many businesses still struggle with API protection—an area that attackers are actively exploiting. To ensure compliance while defending against real-world threats, Cequence recommends these key actions:

  • Ensure Secure Data Transmission: Encrypt all Primary Account Number (PAN) information when transmitted over open, public networks to prevent unauthorized access.
  • Secure API Endpoints: Identify all API endpoints that transmit PAN and ensure they only transmit encrypted PAN, reducing the risk of data exposure.
  • Proactively Identify Vulnerabilities: Inspect custom application code for security flaws before deployment using automated tools to identify risks in APIs, third-party integrations, and custom applications.
  • Continuously Test and Monitor: Regularly test APIs and applications for misconfigurations or vulnerabilities before production and monitor them for anomalous or malicious behavior in real time.
  • Deploy Automated Preventative Controls: Use security solutions that prevent both conventional attacks and business logic abuse while ensuring sensitive data is not exposed to unauthorized entities.
  • Implement Real-Time Threat Prevention: Identify and block malicious traffic before it reaches your applications using intelligent, automated security mechanisms.

About Cequence Security

Cequence is a pioneer in API security and bot management, protecting the applications and APIs that organizations depend on from attacks, business logic abuse, and fraud. Our unique Unified API Protection platform unites discovery, compliance, and protection capabilities, providing unmatched real-time security in the face of sophisticated threats. Demonstrating value in minutes rather than days or weeks, Cequence offers a flexible deployment model that requires no app instrumentation or modification. Cequence solutions scale to meet the needs of the largest and most demanding private and public sector organizations, protecting more than 8 billion daily API interactions and 3 billion user accounts. To learn more, visit www.cequence.ai.

Media Contact
Katrina Porter
press@cequence.ai