The end of the pandemic saw a decline in some types of fraud. However, criminals continue to adapt their methods and fraud losses still amount to millions.
"Digital skimming" is one way criminals steal cardholder data from online shoppers: they inject malicious code into a retailer's website so that sensitive information, such as card details, is copied as the customer enters it at the checkout stage.
Cardholder data is at risk
According to the 2022 half-year fraud update released by UK Finance:
- Fraud losses on payment cards (this includes fraud on debit, credit, charge, and ATM-only cards issued in the UK) totalled £272.3m in the first half of 2022
- This gross loss is a 4% increase on the same period the previous year
- £480m of fraud was detected and prevented by banks and card companies over the first 6 months of 2022
Tips for protecting cardholder data
The Payment Card Industry Data Security Standard (PCI DSS) is a security standard set by the card brands, enforced through acquiring-bank and card-brand agreements rather than by law, that aims to protect cardholder data. It applies to any organisation that stores, processes or transmits cardholder data.
1. Keep cardholder data storage to a minimum
Only keep data that is required for business, legal or regulatory purposes and make sure that it's kept for a limited time only. Regularly purge data that is no longer needed and dispose of it securely.
2. Watch what you store
You must never store full track data from the magnetic stripe or chip, the card verification code (CAV2/CVC2/CVV2/CID), or PINs and PIN blocks after authorisation, under any circumstances and even if encrypted. Don't keep photocopies, scans or photographs of cards either.
3. Mask the card number (PAN) wherever it is displayed
Masking applies to the primary account number (PAN); sensitive authentication data is never stored at all (see tip 2). Under PCI DSS v3.2.1 the first six and the last four digits are the maximum that may be displayed and everything in between must be masked (PCI DSS v4.0 phrases the same limit as the BIN plus the last four digits). Masking is required wherever a PAN appears, on screens, receipts, bank statements and in emails or other documents containing payment details, unless the person viewing it has a documented business need to see the full number.
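As an added example (not Skillcast's own code and not part of the original article) of how tips 2 and 3 translate into practice, the filter below can sit in front of a log writer, ticketing system or outbound email: it masks any Luhn-valid PAN to the first six and last four digits and strips track-equivalent data and labelled card verification codes entirely, since those must never be written down. The regular expressions, the field labels it looks for (cvv2, cvc2, cav2, cid) and the sample log lines are assumptions constructed for this example; the card numbers in it are publicly documented test values, not real accounts.

```python
from __future__ import annotations

import re

# Constructed sample log lines (not real traffic). The card numbers are the
# industry's published test PANs; the order and customer references are made up.
SAMPLE_LOG = (
    "2022-06-01T10:00:01Z checkout order=100234567890123 "
    "card=4111 1111 1111 1111 cvv2=123 status=approved\n"
    "2022-06-01T10:00:02Z pos-terminal swipe=;4111111111111111=25121010000000000000?\n"
    "2022-06-01T10:00:03Z customer-ref=4111111111111112\n"
)

# Candidate PAN: 13 to 19 digits, optionally grouped with single spaces or hyphens.
# Look-arounds stop us matching the middle of a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 equivalent data: %B<PAN>^<NAME>^<YYMM><service code>...?
_TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]*\^\d{4}[^?]*\??")
# Track 2 equivalent data: ;<PAN>=<YYMM><service code>...?
_TRACK2_RE = re.compile(r";\d{13,19}=\d{4}\d{3}[^?]*\??")
# Heuristic: a labelled card verification code (assumed field names).
_CVV_RE = re.compile(r"\b(cvv2?|cvc2?|cav2|cid)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check that PANs carry."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six + last four (PCI DSS v3.2.1 Req. 3.3; v4.0 says BIN + last four)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> tuple[str, list[str]]:
    """Return (cleaned text, list of finding kinds) with SAD removed and PANs masked.

    Track data is handled first so the PAN inside it is removed rather than masked:
    sensitive authentication data must not be retained in any form after authorisation.
    """
    findings: list[str] = []

    def _track(kind: str):
        def repl(_m: re.Match) -> str:
            findings.append(kind)
            return f"[{kind} REMOVED]"
        return repl

    text = _TRACK1_RE.sub(_track("TRACK1"), text)
    text = _TRACK2_RE.sub(_track("TRACK2"), text)

    def _cvv(m: re.Match) -> str:
        findings.append("CVV")
        return m.group(1) + "=[REMOVED]"

    text = _CVV_RE.sub(_cvv, text)

    def _pan(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):      # order numbers etc. are left untouched
            return m.group(0)
        findings.append("PAN")
        return mask_pan(digits)

    text = _PAN_RE.sub(_pan, text)
    return text, findings


if __name__ == "__main__":
    cleaned, found = redact(SAMPLE_LOG)
    print(cleaned)
    print("findings:", found)
```

The Luhn check keeps the filter from masking every long number it meets (order references, tracking numbers), but it is a heuristic: a PAN that directly abuts other digits, or one with unusual separators, will slip through, so a filter like this complements, rather than replaces, not capturing the PAN in the first place.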
4. Avoid writing cardholder data down
For example, when taking a payment over the phone, key the details directly into the payment system rather than noting them on paper, in a chat or in an email first.
5. Render all sensitive authentication data unrecoverable
Sensitive authentication data must not be retained after authorisation. Once it has served its purpose, make sure it is securely deleted so that it cannot be recovered, including from logs, trace files and backups.
6. Transmit authentication data with secure encryption
Never transmit PANs, PINs or any other sensitive authentication data over open, public networks, including by email, instant messaging or SMS, without strong cryptography such as TLS. If there's a genuine business need to collect or store cardholder data, encourage customers and partners to use a secure upload facility for this.
7. Follow your firm's key-management procedures at all times
Follow the documented procedures for protecting the keys used to secure stored cardholder data against disclosure and misuse. This covers both the data-encrypting keys and the key-encrypting keys that protect them, including how they are generated, distributed, stored and retired.
8. Change vendor-supplied settings & passwords
Default settings and vendor-supplied passwords are publicly known, so leaving them in place makes a system trivially vulnerable to attack. Remove or disable default accounts and change vendor-supplied passwords before putting any payment system on the network.
Want to learn more about Fraud?
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, priority access to our free online learning portal and other exclusive benefits.