
How thieves steal credit card data

Payment card fraud comes in many forms and hurts both merchants and consumers. Every time we make a purchase by swiping a payment card or entering an account number online, our personal information becomes a potential target for thieves. Cyberthieves use many tactics to snatch this sensitive data – some are actually very simple. Let’s take a look at four ways thieves steal payment card data.

1. Employees stealing data during transactions

These attacks occur when a customer hands a credit card over to an employee, who then carries it out of sight to process the transaction. After swiping the card through the POS system, the thief runs the card through a skimmer, a small gadget that stores electronic data for illegitimate use. The employee then concludes the transaction by returning the card to the customer, who is totally unaware of what just happened.

2. Group scammers targeting credit card readers

Attackers can also steal data by entering a store and replacing a legitimate credit card reader with one that has a skimmer attached to it. This method involves two or three thieves entering a store, each with their own role. One approaches the checkout counter, while the others create a diversion that distracts the store personnel. When no one is looking, the thief at the checkout counter replaces the original credit card reader with the one with the skimmer. Over the course of several weeks, the merchant will unknowingly process transactions through a device that is saving sensitive customer data. The perpetrators then come back to reclaim the device, or, in some cases, the device automatically transmits the data to an offsite computer.

3. Infecting POS systems with malware

These data breaches are more technical in nature and usually more difficult to detect and trace. Cyberthieves use malware to infiltrate a computer, usually through a suspicious-looking attachment or a link to an infected website, and then probe for personal data. This malicious software is also used to attack merchant POS systems. In 2013, a data-thieving program called Chewbacca was found on several POS machines all over the world, storing and uploading data to an unknown server.

4. Security weaknesses of third-party vendors

The highly publicized data breach at Target impacted more than 40 million customers, but the resulting investigation discovered that the retail giant’s security system was not to blame. Instead, cyberthieves gained access through the login credentials of a service vendor that was doing ongoing maintenance for Target’s stores. The lesson in this case is that store merchants not only have to be mindful of their own security vulnerabilities but must also be careful about third-party access.

Every transaction is an opportunity for fraud, regardless of whether it is processed in a small-town diner or a highly secure corporate server. By staying informed about methods criminals use, training employees on security procedures and policies, and maintaining a secure POS system, merchants can minimize their exposure to risk and thwart potential attackers.