
Handling Data: Credit Cards

This article is part of the Handling Secrets series. In this first part, Valuing Secrets, we describe how to rate the likelihood of theft for common types of secrets. In the second, Protecting Secrets, we describe the easiest ways to prevent their theft.


Do you store and process credit cards from customers?


The credit card companies wish you wouldn’t.


Some History


They are in an interesting situation. Credit cards, like checks, were invented in a more trusting time. All the information needed to bill someone was on the card, and merchants were trusted not to abuse that privilege when someone handed them a card.


Card information was everywhere—many companies processed card payments by writing down all details of the card and transaction (or taking a carbon copy—some of you may remember the machines below). Then the business would key in all those receipts at the end of the day, send the file to the processor, and wait for a check.



a carbon-copy machine for taking credit card imprints
Do you remember these? It was a different time.

Everything is faster now. That is good for some merchants—you can get your money within a day, and it eliminates a lot of employee hours to copy and rekey that information. It is faster for customers to pay, so they like it too.


On the other hand…

Faster means theft is easier. Credit card fraud is a huge problem for card companies; a large part of that 2.7% haircut you take on every transaction goes toward covering fraud.

The fundamental problem is that the information needed to bill someone is the same information needed to defraud them. This makes card information easy to steal—all you need is access to someone’s ability to bill. Once you get someone’s card information, you can use it to buy things over the internet, or even manufacture your own duplicate credit card to use in physical locations.


People have been taking advantage of this for years. There is a thriving service industry helping criminals steal credit cards. You can buy skimmers: devices that fit on top of card readers, scan all the cards that get used, and save them for future criminal use. Many viruses look for credit card information—if they find some, they will send it back to a place accessible by the criminal controlling the virus.


Many companies have fallen victim to a crime ring stealing their customers’ card data. Usually, those companies find out when all their customers start seeing fraudulent charges a month later.


Because credit cards were originally designed without secrecy in mind, the whole ecosystem of cards and payment terminals and all the services in between is stuck. It would take a lot of money and time to move everyone into a new way of taking payments.


There is a council that every card company belongs to called PCI (Payment Card Industry; creative naming is a low priority). They have been wrestling with this problem and have pushed several changes over the years:

  • Adding a PIN to the back of the card to serve as an extra secret.

  • Replacing the strip with a chip.

  • Sending a verification text to the number on file for any internet purchase.

These have all helped with the overall fraud rates, but their long-term strategy is to hit the root of the problem: they want every merchant to stop processing credit cards.


Not directly, anyway. They want the “secret credit card information” of the number, the PIN, and the expiration to stay only within a small group of companies they maintain tight control over. It is much easier to make 30 companies protect these secrets than a million. In their ideal world, merchants would never see or touch a card themselves; they would use a processor for everything card related.


The PCI council uses both carrots and sticks to move everyone toward their utopia of lower fraud costs.


Carrots


The carrots usually focus on making it easier for merchants to take credit cards the right way. You have seen these efforts in action: For in-person payment, Square, Stripe, and Clover all offer integrated Point of Sale machines that are beautiful and often integrate with your accounting platform. Because they are self-contained and communicate over the internet, they are much harder to steal from than the Verifone machines we saw everywhere a decade ago.

A VeriFone device on the left and a modern clover Point of Sale machine on the right.
The PCI Council would much rather you use the device on the right.

For online purchases, Braintree, Stripe, Adyen, and Shopify let you embed their payment page into your site. When your customer is ready to check out, their card information is sent directly to the processor, you get a transaction ID in your ecommerce tool, and your processor deposits the billed amount in your account.
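The flow described above, as an added example (not code from the article or from any of the processors it names): the shopper’s browser posts the card straight to the processor, the processor hands back a token, and the merchant’s own systems only ever store the token, the last four digits and a transaction ID. The class names, the tok_/txn_ prefixes and the sample card are assumptions for illustration.

```python
"""Toy model of the embedded-payment-page / tokenization flow.
Added example, not code from the article or from any named processor.
Names (Processor, Merchant, tok_/txn_ prefixes) are assumptions."""
import json
import re
import secrets
import string

ID_ALPHABET = string.ascii_letters + string.digits
PAN_LIKE = re.compile(r"\d{13,19}")  # a long digit run in merchant data is a red flag

# Constructed sample card using a standard test number, not a real account.
SAMPLE_CARD = {"pan": "4111111111111111", "exp": "12/29", "cvv": "123"}


def _random_id(prefix: str) -> str:
    return prefix + "".join(secrets.choice(ID_ALPHABET) for _ in range(20))


class Processor:
    """Processor side: the only place the full card number lives."""

    def __init__(self):
        self._vault = {}         # token -> card data, inside the processor's scope
        self._transactions = {}  # txn id -> (token, amount)

    def tokenize(self, card: dict) -> dict:
        """Called from the shopper's browser. The token is random, so it cannot be
        reversed into the card number and is useless without the processor's vault."""
        token = _random_id("tok_")
        self._vault[token] = dict(card)
        return {"token": token, "last4": card["pan"][-4:]}

    def charge(self, token: str, amount_cents: int) -> str:
        if token not in self._vault:
            raise ValueError("unknown token")
        txn_id = _random_id("txn_")
        self._transactions[txn_id] = (token, amount_cents)
        return txn_id


class Merchant:
    """Merchant side: handles tokens and transaction ids, never card data."""

    def __init__(self, processor: Processor):
        self.processor = processor
        self.orders = {}  # order id -> what the ecommerce tool keeps on file

    def checkout(self, order_id: str, tokenized: dict, amount_cents: int) -> dict:
        txn_id = self.processor.charge(tokenized["token"], amount_cents)
        self.orders[order_id] = {
            "token": tokenized["token"],  # enough to rebill later
            "last4": tokenized["last4"],  # enough to show the customer which card
            "txn": txn_id,
            "amount": amount_cents,
        }
        return self.orders[order_id]

    def rebill(self, order_id: str, amount_cents: int) -> str:
        """Recurring billing reuses the stored token; the card is never re-collected."""
        return self.processor.charge(self.orders[order_id]["token"], amount_cents)


def merchant_records_are_clean(orders: dict) -> bool:
    """True when nothing that looks like a card number sits in the merchant's data."""
    return PAN_LIKE.search(json.dumps(orders)) is None


if __name__ == "__main__":
    processor = Processor()
    merchant = Merchant(processor)
    # 1. browser -> processor (the merchant's server is not in this hop)
    tokenized = processor.tokenize(SAMPLE_CARD)
    # 2. browser -> merchant with only the token; merchant -> processor to charge
    record = merchant.checkout("order-1001", tokenized, 1999)
    print(record)
    print("merchant data free of card numbers:", merchant_records_are_clean(merchant.orders))
```

The point of the design is the hop the merchant never sees: because the card goes browser-to-processor, the merchant’s database, logs and backups contain only tokens and a last-four, so a thief who gets into the merchant finds nothing billable. Rebilling still works because the token stays valid at the processor.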


There are even solutions to take payments over the phone without exposing anyone at your company to credit card information. Eckoh Callguard and Sycurio (formerly Semafone) offer solutions that integrate with your phone and order system, listen for credit cards on calls, send them off to your processor, and block the sound of the customer reading their card from your employee. The solutions are not quite as easy to set up as the Point of Sale and ecommerce options, but are still good and getting better every day.


Sticks


While part of success is making the right path the easy path, the PCI council embodies the old adage of carrying a big stick. Companies that store and process card information are contractually bound to do a lot of work to protect it. If someone steals card information and those cards are used for fraud, the council sends out a forensic team to check if they followed those rules. If they have not, they face fines or are even blocked from taking further card payments.


The work is also sometimes a little ridiculous, but that is part of their plan: they want those cards protected, but also want card processing to be annoying enough to convince remaining holdouts to move to a processor.


How valuable are these secrets?


See here for a review of how these factors contribute to the overall chance that someone will steal them.

Credit card data is a stable commodity going for $15–$20 per record. Merchants who process cards themselves may take hundreds per month and may store thousands of cards for rebill. This can work out to $10k–100k for a thief.

There are thousands of crime rings and individuals that buy stolen credit cards. The industry is mature and the prices are somewhat stable.

If you lose a lot of credit cards, fraud occurs, and a card company ties it back to you, three meaningful sources of damage are likely:

  • You get a forensic investigation on your dime.

  • Depending on the severity of deficiencies the investigation finds, they may charge one-time fees, increase the per-transaction fee you pay, and even block you from processing cards.

  • You may pay more in liability insurance premiums, especially if you file a claim to cover the event.

Next Steps

Processing credit cards to the PCI council’s standards is getting harder and riskier as they tighten the screws and companies move away from doing their own processing. Knowing your exposure to credit card theft is a good first step toward protecting against it.
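Knowing your exposure starts with finding out where card numbers actually sit in your systems: logs, exports, support tickets and backups that nobody meant to put a card in. The following is an added example (not the article’s code): a small scanner that looks for 13–19 digit runs, filters out false positives with the standard Luhn check that every card number passes, and reports masked matches so the report itself does not become another copy of the data. The log lines are constructed.

```python
"""Card-number discovery scanner for logs and text files.
Added example, not code from the article. The sample log lines are constructed."""
import re

# Candidate: 13-19 digits, allowing a single space or dash between digits,
# not preceded or followed by another digit.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed log excerpt: one tokenized checkout (fine), one debug line that dumped
# a raw form, one request id that only looks like a card, and one retry that logged a card.
SAMPLE_LOG = [
    "2024-05-01 13:42:01 INFO checkout order=1001 token=tok_3f9a1c last4=1111",
    "2024-05-01 13:42:05 DEBUG raw form: pan=4111 1111 1111 1111 exp=12/29",
    "2024-05-01 13:42:09 INFO request_id=1234567890123456 status=200",
    "2024-05-01 13:43:11 ERROR retry failed card=5500-0000-0000-0004 amount=19.99",
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: valid card numbers pass it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four (the parts PCI allows to be shown), hide the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked card numbers found in one line of text."""
    hits = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask(digits))
    return hits


def scan_lines(lines) -> list:
    """Return (line number, masked hits) for every line that contains a card number."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = find_pans(line)
        if hits:
            results.append((number, hits))
    return results


if __name__ == "__main__":
    for number, hits in scan_lines(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

Run it over your application logs, database dumps and ticketing exports; every hit is a place where card data is being stored outside the processor, which is exactly the kind of finding a forensic team would hold against you after a breach. The Luhn filter keeps the noise down, but it is not proof: a 16-digit order number can pass it by chance, so review hits by hand before acting on them.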

If you need help, we’re always here to break it down.
