
8 Tips for Protecting Cardholder Data | Skillcast

Written by Lynne Callister | 24 Feb 2023

Cardholder fraud creates a compliance headache. We have some tips on how your business should deal with cardholder data to mitigate the risks.

The end of the pandemic saw a decline in some types of fraud. However, criminals continue to adapt their methods and fraud losses still amount to millions.

"Digital skimming" is one of the ways criminals steal cardholder data from people shopping online: the attackers add malicious code to a website that captures sensitive information, such as the card number and security code, as the customer types it in at the checkout stage.

Cardholder data is at risk

According to the 2022 half-year fraud update released by UK Finance:

  • Fraud losses on payment cards (this includes fraud on debit, credit, charge, and ATM-only cards issued in the UK) totalled £272.3m in the first half of 2022
  • This gross loss is a 4% increase on the same period the previous year
  • £480m of fraud was detected and prevented by banks and card companies over the first 6 months of 2022

Tips for protecting cardholder data

The Payment Card Industry Data Security Standard (PCI DSS) is a payment industry security standard (maintained by the card brands, not a law) that aims to protect cardholder data. PCI DSS compliance applies to any organisation that stores, processes or transmits cardholder data, or that could affect the security of that data.

1. Keep cardholder data storage to a minimum

Only keep data that is required for business, legal or regulatory purposes and make sure that it's kept for a limited time only. Regularly purge data that is no longer needed and dispose of it securely.

2. Watch what you store

You must never store sensitive authentication data after a transaction has been authorised, under any circumstances: the full contents of the magnetic stripe (or the chip equivalent), the card verification code (CAV2/CVC2/CVV2/CID), or the PIN and PIN block. And don't keep photocopies, scans or photographs of cards anywhere.

3. Mask the card number wherever it is displayed

The first six and the last four digits are the maximum number of digits of the card number (PAN) that you may display; everything in between must be 'masked'. Masking applies to all credit, debit and prepaid card numbers, wherever they appear: on screen, on bank statements, on receipts, and in emails containing payment details. Only staff with a genuine business need should be able to see the full number.

4. Avoid writing cardholder data down

Don't note card details down on paper or in a scratch file when taking a payment, for example over the phone. Key the information directly into the payment system instead, so there is no stray copy to secure or destroy later.

5. Render all sensitive authentication data unrecoverable

Once sensitive authentication data has served its purpose (authorising the transaction), make sure it is rendered unrecoverable: it must not survive in memory dumps, application logs, crash reports, temporary files or database fields.

6. Transmit authentication data with secure encryption

Never transmit PINs or any other sensitive authentication data without strong encryption, and never send cardholder data over open, public networks (including email, chat and SMS) in the clear. If there's a genuine business need to collect or store cardholder data, then encourage customers and partners to use a secure upload facility for this rather than emailing it.

7. Follow your firm's key-management procedures at all times

Always follow your firm's established procedures for protecting the cryptographic keys used to secure stored cardholder data (both the data-encrypting keys and the key-encrypting keys that protect them) against disclosure and misuse, including who may access them, where they are stored and how they are rotated.

8. Change vendor-supplied settings & passwords

You'll be vulnerable to attack if you don't remove system default settings or change vendor-supplied passwords, because attackers know and try those defaults first. Change all vendor-supplied passwords and remove or disable unnecessary default accounts before you put any payment system on the network.

Want to learn more about Fraud?

We’ve created a comprehensive AML & CTF roadmap to help you navigate the compliance landscape, supported by several financial crime prevention courses in our Essentials Library.

We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!

Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, priority access to our free online learning portal and other exclusive benefits.