Cardholder data refers to any information contained on a customer’s payment card. Some payment cards store data in chips embedded on the front side. The front side usually has the primary account number (PAN), cardholder name and expiration date.
Online or in-person shopping has become the norm in today’s world. Options like PayPal, Amazon, and Apple Pay count on users to store their card information for quick and easy ordering. The use of cardholder data is critically important to merchants and cardholders, and can help retailers get a leg up on their competition.
Cardholder data breaches start in a variety of ways. Many fraudulent charges are made because of phishing, malicious software (malware), or unauthorized users looking to take advantage of the opportunity. The most common way that cardholder data is stolen, however, is through the physical theft of magnetic re-encoded credit cards.
In-person payment transactions use contact reading technology that electronically reads the card’s magnetic stripe. The data is then transmitted to the terminal, which submits it to the processor. This is how most cardholder data is stolen.
Contact scanners are especially susceptible to physical tampering. Methods include placing a homemade device in the card reader slot, lifting a scanner and installing a “skimming” device, or otherwise misusing the scanner itself. Scanners are typically stolen through mail mis-delivery, or by a customer or delivery person, a merchant employee, or even a hacker. Once the thieves have a scanner, they can use the stolen card data or encode new cards using it. A scanner can read and encode data once, resulting in a data breach.
Card data is also compromised through malicious software. Malware is a type of software designed to disrupt or damage a user’s computer system. It can be placed on a computer through devices like a USB drive. Once the computer is infected, the malware serves as a method to steal the cardholder data. Malware is often placed there through a social engineering attempt, but can also enter through a software vulnerability. Malware is one of the most common forms of attack on cardholder data.
The most infamous form of cardholder data is the gift card. These are cards given to someone without a set value, so the gift recipient can decide the amount they would like to put on the card. Gift card thieves will steal the cards’ numbers and then go shopping and use the value on the card. Thieves will also use card numbers to create counterfeit cards. These are often sent to other countries, where they are used on black market websites.
It is not just the merchants who can be affected by cardholder data. Any retailer who uses a card reader to swipe data can be affected. Anybody can be the victim of credit card fraud, and cardholder data is a major factor.
The first step to prevent a cardholder data breach is to be proactive. Anybody who processes cardholder data should use encryption, not just to protect the data from outside hackers, but also within the organization’s network. Encryption software is usually quite costly. This encourages a need for security consciousness within the organization to ensure encrypted data is not stolen within the IT network. Also, encryption software will need regular updates to be most effective in preventing cardholder data breaches. Software should also be used to identify unauthorized access. By quickly identifying breaches and protecting against them, the data breach can be contained.
After being breached, cardholder data can still be used for fraudulent purposes. Any merchant, institution, or individual who is working with cardholder data that is publicly accessible can have credit card fraud committed against them. One way of preventing this is to use chip technology.
Chip technology is an alternative to magnetic stripe technology, which uses a stripe to read cardholder data. The stripe is thin, and any compromise at the point it is stolen may render the entire card useless. Chip technology provides a more secure form of encryption. Instead of having the data stored in the stripe, it is constantly changing and virtually impossible to guess. With chip technology, merchants are given a unique code for each transaction, so even if fraudulent charges are made, they are not necessarily the same and can be blocked. The most distinctive feature of chip cards is that they have a microchip inside of them instead of the magnetic stripe.
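The per-transaction code described above can be modelled in a few lines of Python. This is an added example, not part of the original article: the HMAC construction, class names and message fields are assumptions chosen for illustration and are not the algorithm real chip cards use. It shows an issuer accepting a fresh code, then rejecting the same message when it is sent again and when its details are changed.

```python
import hashlib
import hmac
import secrets

def transaction_code(card_key: bytes, counter: int, amount_cents: int, nonce: bytes) -> bytes:
    """Per-transaction code: a MAC over a counter, the amount and a terminal nonce."""
    msg = counter.to_bytes(4, "big") + amount_cents.to_bytes(8, "big") + nonce
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]

class ChipCard:
    """Hypothetical card model: the key stays on the chip, the counter only goes up."""
    def __init__(self, card_key: bytes):
        self._key = card_key
        self._counter = 0

    def pay(self, amount_cents: int, nonce: bytes) -> dict:
        self._counter += 1
        code = transaction_code(self._key, self._counter, amount_cents, nonce)
        return {"counter": self._counter, "amount": amount_cents, "nonce": nonce, "code": code}

class Issuer:
    """Hypothetical issuer model: checks the code and refuses counters already accepted."""
    def __init__(self, card_key: bytes):
        self._key = card_key
        self._last_counter = 0

    def authorize(self, msg: dict) -> bool:
        expected = transaction_code(self._key, msg["counter"], msg["amount"], msg["nonce"])
        if not hmac.compare_digest(expected, msg["code"]):
            return False  # code does not match these transaction details
        if msg["counter"] <= self._last_counter:
            return False  # same message presented a second time
        self._last_counter = msg["counter"]
        return True

def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed sample key shared by card and issuer
    card, issuer = ChipCard(key), Issuer(key)
    first = card.pay(1999, secrets.token_bytes(4))
    results = {"first": issuer.authorize(first)}
    results["replayed"] = issuer.authorize(first)  # identical message sent again
    altered = dict(first, counter=first["counter"] + 1, amount=50000)
    results["altered"] = issuer.authorize(altered)  # old code with new details
    results["second"] = issuer.authorize(card.pay(500, secrets.token_bytes(4)))
    return results

if __name__ == "__main__":
    print(demo())
```

Static stripe data has no equivalent check: the same bytes are presented on every swipe, so the issuer cannot tell a copy from the original by the data alone.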
Merchants have become much more cautious with their cardholder data. After a major data breach, many financial institutions will compel the merchant to hold the liability for any fraudulent charges. As a result, many merchants have increased the security of their point-of-sale systems. Any business that is using a card reader can take precautions against cardholder data breaches.