In this blog, we look at the ongoing threat of debit and credit card fraud, explaining why it appeals to cyber criminals, what they do with the stolen information and how implementing the requirements of the PCI DSS (Payment Card Industry Data Security Standard) can thwart crooks’ schemes.
Everyone is a target
You don’t have to look too hard to find cases of payment card fraud. There have already been two massive incidents in the UK in the past few weeks. Ticketmaster was reportedly the victim of a card skimming operation, with 800 e-commerce sites and 40,000 UK customers potentially affected. But that’s small fry compared with what happened at Dixons Carphone. The electrical retailer admitted to a breach involving 5.9 million credit and debit cards, which makes it the biggest reported breach involving a British organisation.
Meanwhile, US-based department store Macy’s recently disclosed a data breach involving an unknown number of card details. This follows the leak of about 880,000 credit card details at travel company Orbitz, 40,000 credit card details at China-based smartphone manufacturer OnePlus, and countless other incidents.
What does all this mean? For a start, it shows that an awful lot of data breaches involve card details. It also shows that no matter what industry you are in, or where you are based, the threat is manifest. If you process card details, they will be targeted by cyber criminals.
Why crooks target card details
Cyber criminals prize card details more than any other kind of sensitive information, because they are the easiest kind of data to convert into money. They do this in three main ways.
First, crooks can use the details to commit fraud directly. This might be as simple as making online purchases with the stolen card, although the delivery address and the nature of the purchase create a trail that can lead back to them. Much card fraud is therefore structured as a money laundering scheme: for example, a criminal might use the card details to buy gift cards, use the gift cards to buy goods, and then return the goods for cash.
This can also be done on a larger scale as a form of trafficking operation. Cyber criminals often send items purchased with stolen card details to a mule (usually in another country), who sells the item and splits the profits with their accomplice.
Alternatively, cyber criminals can sell card details on the dark web. This is typically less profitable than committing card fraud – with stolen card details selling at about £7 per card – but it’s less risky and time-consuming. Data breaches often involve thousands of leaked details, and there are only so many shops someone can go into looking for gift cards.
Stay secure with the PCI DSS
The PCI DSS outlines best practices for keeping card details secure, and is the result of collaboration between the major payment card brands American Express, Discover, JCB, Mastercard and Visa. It was unveiled in 2004 to facilitate the broad adoption of consistent data security measures for payment card processing.
As a general guideline, any merchant or service provider that stores, processes or transmits cardholder data is required to comply with the Standard.
Download our PCI DSS green paper
Our green paper, Security testing and the PCI DSS, attempts to demystify organisations’ security testing requirements. Packed with useful information, this free green paper provides practical guidance on how to test the security of your systems and processes, and better protect the payment card information you store. It explains:
- How PCI DSS security testing requirements apply to your organisation;
- The difference between vulnerability scans and penetration tests;
- The importance of scanning; and
- How penetration testing fits into your PCI DSS project.