The retailers have not disclosed whether SQL injection was involved in the attacks reported over the last eight months. The respondents' opinions were based on their own experience.
Nearly seven in 10 of the participants worked for organizations that must comply with the Payment Card Industry Data Security Standard (PCI DSS). The standard is what retailers have to follow in order to get approval to accept payment cards issued by banks.
"I would agree that SQL injection is likely involved because of its prevalence today, but I would also not yet draw a conclusion as we still do not have enough details," Henry said.
For example, Target has acknowledged that the credentials of a subcontractor that had access to the retailer's network were stolen. In addition, malware used to steal 40 million credit card numbers grabbed the data from the memory of the retailer's electronic cash register.
Target also had personal information taken from 70 million customer accounts.