Rules for credit card and debit card information security are set forth in the Payment Card Industry Data Security Standards (PCI-DSS), a set of industry regulations. Failure to comply with these standards can result in penalties and increased transaction costs. In addition, stolen credit cards are often used to fund other criminal activity.
As part of maintaining PCI compliance, it is important to be aware of all the various ways credit cards and credit card information can be compromised. Here are a few common ways sensitive information can be obtained:
- Skimmers - malicious card readers which are placed discreetly over credit card and debit card insertion points. These devices can record confidential information contained on the card and are often coupled with a hidden camera to record keystrokes of a PIN or other personal information.
- Magnetic Card Readers/RFID (radio-frequency identification) readers - devices which can record the information contained in the magnetic strip on the card when the card is used to make a purchase. Once information is obtained, any card with a magnetic strip can have that information loaded onto it, and it can then be used for transactions.
- Imprint Machines – Card Imprint machines make paper copies of sensitive card information when transactions are made. They can be stolen or compromised, so they must be disposed of properly, according to company policy.
- Social Engineering and Hacking - a hacker or cybercriminal may attempt to phish sensitive information out of unsuspecting employees in a number of different ways. If an employee falls victim by opening an email attachment riddled with ransomware or clicking on a link that leads to a malicious website, their company could be at risk of a dangerous data breach. Below are two common methods hackers use to obtain sensitive cardholder data:
  - Keyloggers – programs that can be installed on a computer without the operator being aware. These can record every keystroke, including credit card information. These programs can be unintentionally downloaded if you click on attachments or open links without checking for red flags and verifying the safety of the email first.
  - Computer Servers – When credit card information is stored on a computer server, that server must be carefully protected, both digitally and physically. If the server gets stolen, hackers can pull the sensitive data that they need.
Data breaches of sensitive information are often caused by an unsuspecting employee falling for social engineering techniques. Always stop, look, and think before you click on a link, respond to an email requesting sensitive information, or open up an attachment from any sender when you weren't expecting it to arrive. Verify the sender's legitimacy and intention first. Employees who do not take care of sensitive information can lead their organizations into fines, increased operating costs, loss of customer confidence, and even more governmental regulation. Do your part to keep sensitive information safe at all times.