As technology has developed, cybercriminals have become more sophisticated in their methods for stealing payment card data. Reports suggest that data breaches are the most pervasive form of identity theft, with over 14 million credit card numbers being exposed in 2017. Anyone's payment card data can be compromised, no matter how careful you are. It's important to familiarise yourself with the ways you can reduce the risks.
What are the biggest threats to card data?
As cyber attackers have become more sophisticated and complex, the number of potential threats to card data has increased rapidly. However, here are the most prevalent examples:
- Criminal hacking: This is the predominant cause of data breaches. Cybercriminals purchase credentials online, find them written down or crack them using automated password-cracking tools. Passwords can also be simply guessed, which is why ensuring you have strong, secure passwords is essential.
- Physical actions: Interestingly, experts suggest that one in ten data breaches doesn't involve a technological exploit. Physical incidents involve the theft of paperwork or devices such as laptops, phones or iPads. Card skimming is another threat to card data, as criminals can insert a device into card readers to capture payment card information.
- Social engineering: A significant proportion of data breaches originate from hackers impersonating reliable sources. An example of this is phishing, which occurs as cybercriminals send malicious emails that look legitimate. These emails trick individuals into clicking links that give hackers access to their card data. Another example of this is financial pretexting, which sees crooks contact their targets under false pretences. Unlike phishing, this contact can be via email, phone or even through a fake website.
- Malware: Hackers use malware for many purposes, including RAM scrapers, which scan the memory of digital devices to collect sensitive information. Point-of-sale (POS) systems are particularly vulnerable to this. Passwords can also be stolen through keyloggers, which work by capturing the keys struck on a keyboard. Ransomware is the most common type of malware. This malicious software locks users out of their files and demands an online payment to restore access.
If card payment data is compromised, hackers can use the information to steal money or even create new bank accounts in your name. This also means they have access to sensitive personal information, which is a frightening prospect for both businesses and individuals.
How can businesses protect payment card data?
The most important way a business can protect payment card data is by adhering to the Payment Card Industry Data Security Standard (PCI DSS). PCI security for merchants and payment card processors is an essential component of controlling the risks associated with card data threats. For PCI security to be most effective, you should familiarise yourself with the PCI DSS and identify its requirements for security best practices. If your company stores, processes or transmits payment cardholder data, there are 12 requirements that you must adhere to in order to avoid fines and, more importantly, to reduce the threat of data breaches. These requirements include:
- Businesses must install and maintain a firewall configuration to protect cardholder data.
- Businesses should not use vendor-supplied defaults for system passwords and other security parameters.
- Businesses are required to protect stored cardholder data.
- Transmission of cardholder data across open, public networks must be encrypted.
- Businesses should use and regularly update anti-virus software or programs.
- Businesses are required to develop and maintain secure systems and applications.
- Businesses must restrict access to cardholder data by business need-to-know.
- A unique ID should be assigned to each person with computer access.
- Businesses should restrict physical access to cardholder data.
- All access to network resources and cardholder data should be tracked and monitored.
- Businesses must regularly test security systems and processes.
- Businesses should maintain a policy that addresses information security for all personnel.
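The third requirement above, protecting stored cardholder data, is the one most directly expressed in code: the primary account number (PAN) must be rendered unreadable wherever it is stored, sensitive authentication data (CVV, PIN, track data) must never be kept after authorisation, and PANs must not leak into logs. The following Python is an added example, not code from the original article or from the PCI Security Standards Council. The transaction record, the test PAN (a well-known test number, not a real card) and the HMAC key are all constructed for the example; in production the key would live in an HSM or key-management service, never next to the data it protects.

```python
import hashlib
import hmac
import re

# Constructed sample of what an application might hold right after authorisation.
SAMPLE_RECORD = {
    "pan": "4111 1111 1111 1111",   # standard test number, not a real card
    "expiry": "12/27",
    "cvv": "123",                   # sensitive authentication data: must not be stored
    "cardholder": "A N Other",
    "amount": "19.99",
}

# Fields PCI DSS forbids storing after authorisation, whatever the encryption.
SENSITIVE_AUTH_FIELDS = ("cvv", "cvc", "cvv2", "pin", "pin_block", "track1", "track2")

# Hypothetical key for the example only; a real key comes from managed key storage.
DEMO_HMAC_KEY = b"example-only-replace-with-managed-key"

# Candidate card numbers in free text: 13 to 19 digits, optionally space/dash separated.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def digits_only(pan: str) -> str:
    """Strip spaces and dashes so the same card always normalises identically."""
    return re.sub(r"\D", "", pan)


def luhn_valid(pan: str) -> bool:
    """Luhn checksum. Rejects typos and most random digit runs; it is not a fraud check."""
    digits = [int(d) for d in digits_only(pan)]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return len(digits) >= 13 and total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits are shown."""
    digits = digits_only(pan)
    if len(digits) < 13:
        raise ValueError("PAN too short")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way token for matching a card across transactions without storing the PAN."""
    return hmac.new(key, digits_only(pan).encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict, key: bytes) -> dict:
    """Return the subset of a transaction record that is safe to persist."""
    clean = {k: v for k, v in record.items() if k.lower() not in SENSITIVE_AUTH_FIELDS}
    pan = clean.pop("pan")
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check; refusing to store a malformed number")
    clean["pan_masked"] = mask_pan(pan)   # for receipts and support screens
    clean["pan_token"] = pan_token(pan, key)
    return clean


def redact_pans_in_text(text: str) -> str:
    """Mask anything that looks like a valid PAN before a line reaches a log file."""
    def _mask(match: re.Match) -> str:
        candidate = match.group(0)
        return mask_pan(candidate) if luhn_valid(candidate) else candidate
    return PAN_PATTERN.sub(_mask, text)


if __name__ == "__main__":
    stored = sanitize_for_storage(SAMPLE_RECORD, DEMO_HMAC_KEY)
    print(stored)
    print(redact_pans_in_text("order 42 paid with 4111 1111 1111 1111 at 10:31"))
```

The Luhn check is applied before masking so that random digit runs in log lines (order numbers, timestamps, phone numbers) are left alone while genuine card numbers are caught; it is a format check only, and a masked or tokenised value is still the only form that should ever be written to disk.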
These requirements outline the framework for a secure payments environment. The PCI Security Standards Council summarises them in three steps: Assess, Remediate, Report.
- Assess: This is the process of taking an inventory of your IT assets and business processes involved in payment card processing. You should scan your network with software tools that analyse infrastructure and spot any vulnerabilities. Examples of vulnerabilities might include technical flaws in software code or unsafe practices in how your organisation processes or stores cardholder data. You should then complete a Self-Assessment Questionnaire (SAQ) in order to review any threats.
- Remediate: If you have identified any vulnerabilities, you can remediate them quickly before they cause any problems. Patches, fixes, workarounds and changes to unsafe processes are examples of remedial action. Finally, you should rescan to make sure the remediation was successful.
- Report: This means compiling the records required by PCI DSS to validate the remediation. You also need to submit compliance reports to the acquiring bank and card payment brands you do business with.
By following these three steps, you are engaging in an ongoing process for continuous compliance with the PCI DSS requirements. This not only protects you from fines but also enables vigilant assurance of cardholder data safety.
How can cardholders protect payment card data?
Adopting a security-conscious culture both in professional and personal environments is essential to controlling the risks of payment card data threats. Cardholders should check their bank statements regularly and respond to any irregularities immediately by cancelling their cards and contacting the bank.
Both businesses and individuals should also be alert to phishing emails. Many cybersecurity breaches in the workplace originate from employees receiving fraudulent emails. You should never open an attachment that you aren't expecting. As hackers become more sophisticated, phishing emails are becoming more and more complex and creative in their methods of impersonating a familiar sender. You should always check the sender's actual email address, as it is sometimes disguised to look like that of a recognisable company.
Using a different password for each account and updating them regularly is incredibly important. To increase security, you should also consider using combinations of upper- and lower-case letters, as well as numbers and symbols. For businesses, it's essential that passwords are not shared with other employees.
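The advice to check the sender's real address rather than the friendly name is easy to automate in a mail filter. The Python below is an added example, not code from the original article: it parses a From header, compares the address domain against a small allow-list of domains a bank actually sends from, and flags the three common disguises (an address from the trusted domain placed in the display name, a lookalike domain built with substituted characters, and the brand name buried as a subdomain of an unrelated domain). The allow-list, the brand and every header are constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed allow-list: the only domain the hypothetical "Example Bank" sends from.
KNOWN_SENDER_DOMAINS = {"examplebank.com"}

# Constructed From headers: one genuine, three disguised.
SAMPLE_HEADERS = [
    "Example Bank <notice@examplebank.com>",
    '"security@examplebank.com" <alerts@mailer-xyz.net>',
    "Example Bank Security <alerts@examp1ebank.com>",
    "Example Bank <help@examplebank.com.account-verify.net>",
]

# Common character substitutions used to build lookalike domains (constructed list).
LOOKALIKE_SUBSTITUTIONS = (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
                           ("rn", "m"), ("vv", "w"))


def normalise(domain: str) -> str:
    """Fold lookalike characters so examp1ebank.com and examplebank.com compare equal."""
    d = domain.lower()
    for fake, real in LOOKALIKE_SUBSTITUTIONS:
        d = d.replace(fake, real)
    return d


def registrable(domain: str) -> str:
    """Last two labels of the domain. Naive: real code should use the Public Suffix List."""
    parts = domain.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain


def sender_parts(from_header: str) -> tuple[str, str]:
    """Return (display name, address domain) for a From header."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def check_sender(from_header: str, known: set[str] = KNOWN_SENDER_DOMAINS) -> list[str]:
    """Return a list of findings; an empty list means the sender domain is on the allow-list."""
    name, domain = sender_parts(from_header)
    if not domain:
        return ["no parseable sender address"]
    if domain in known:
        return []

    findings = []
    # 1. Display name carries an address from a trusted domain that the real address lacks.
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if embedded and embedded.group(1).lower() in known:
        findings.append(f"display name shows {embedded.group(1)} but real domain is {domain}")

    for trusted in known:
        trusted_reg = registrable(trusted)
        actual_reg = registrable(domain)
        # 2. Same name once lookalike characters are folded back.
        if actual_reg != trusted_reg and normalise(actual_reg) == normalise(trusted_reg):
            findings.append(f"lookalike domain {domain} resembles {trusted}")
        # 3. Trusted brand appears as a label inside an unrelated domain.
        brand = trusted_reg.split(".")[0]
        if actual_reg != trusted_reg and brand in domain.split("."):
            findings.append(f"brand {brand} used as a subdomain of unrelated domain {actual_reg}")

    return findings or [f"unknown sender domain {domain}"]


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", check_sender(header) or "ok")
```

The allow-list check runs first so genuine mail is never delayed by the heuristics; anything that is flagged is a candidate for quarantine and a prompt to the recipient, not proof of fraud, since legitimate third-party mailers also send from domains the bank does not own.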
Several students at Lancaster University had their personal data stolen in July 2019. The institution officially announced that the university had been the victim of a sophisticated and malicious phishing attack, which resulted in breaches of student and applicant data. They alerted law enforcement agencies and worked closely with them in an attempt to identify the hackers.
This example is not entirely shocking, as research suggests that universities receive the largest number of targeted phishing emails. These emails trick the recipient into clicking a malicious link or transferring funds, which gives the hacker access to card payment data. As technology advances, experts claim that they've seen early signs of attackers using artificial intelligence to generate emails that are virtually indistinguishable from genuine ones. Universities and businesses have a responsibility to audit all machines connected to their networks and the data they hold. Students and customers should also be especially cautious when opening emails containing links, especially if they are not expecting them.