Cardholder fraud creates a compliance headache. We have some tips on how your business should deal with cardholder data to mitigate the risks.
The end of the pandemic saw a decline in some types of fraud. However, criminals continue to adapt their methods and fraud losses still amount to millions.
"Digital skimming" is one of the ways criminals steal cardholder data from customers who shop online: malicious code is added to a website so that sensitive information, such as card details, is captured at the check-out stage.
According to the 2022 half-year fraud update released by UK Finance:
The Payment Card Industry Data Security Standard (PCI DSS) is a payment industry security standard that aims to protect cardholder data. PCI compliance applies to any organisation that accepts, transmits or stores cardholder data.
Only keep data that is required for business, legal or regulatory purposes and make sure that it's kept for a limited time only. Regularly purge data that is no longer needed and dispose of it securely.
You must never store magnetic stripe data, CAV2/CVC2/CVV2/CID, or PINs under any circumstances. And don't store copies of cards in the clear anywhere.
The first six and the last four digits of the card number are the most you may display; every other digit must be 'masked'. Masking is required for all credit/debit cards and prepaid cards, and for bank statements, receipts, and emails containing payment details.
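The masking rule above, as an added example that is not part of the original article: a function that leaves only the first six and last four digits of a card number visible, plus a simple check that scans receipt or email text for any full card number that slipped through. The sample receipt and the well-known test card number 4111 1111 1111 1111 are constructed inputs.

```python
import re

# Maximum digits that may remain visible: first six (the BIN) and last four.
FIRST_CLEAR = 6
LAST_CLEAR = 4


def mask_pan(pan: str, mask_char: str = "*") -> str:
    """Mask every digit except the first six and last four.
    Spaces and dashes are kept so a receipt keeps its layout."""
    digits = [c for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    n, seen, out = len(digits), 0, []
    for c in pan:
        if c.isdigit():
            seen += 1
            visible = seen <= FIRST_CLEAR or seen > n - LAST_CLEAR
            out.append(c if visible else mask_char)
        else:
            out.append(c)
    return "".join(out)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_unmasked_pans(text: str) -> list[str]:
    """Return digit runs that look like a complete, valid card number.
    None should ever appear in receipts, emails or logs."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append(m.group())
    return hits


# Constructed sample receipt: order number, phone number and a full PAN.
SAMPLE_RECEIPT = "Order 20240105 - tel 01234567890 - card 4111 1111 1111 1111"
```

Run `find_unmasked_pans` over outgoing receipt and email text as a last-line check; the order and phone numbers are ignored, only the full card number is reported.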
For example, when taking a payment, key the card details directly into the payment system instead of writing them down.
Make sure that once this sensitive data has served its purpose it is rendered unrecoverable.
Never transmit PINs or any other sensitive authentication data without strong encryption. If there's a genuine business need to collect or store cardholder data, encourage customers and partners to use a secure upload facility for it.
Protect the keys used to secure stored cardholder data, including both key-encrypting and data-encrypting keys, against disclosure and misuse.
You'll be vulnerable to attack if you don't remove system default settings or change vendor-supplied passwords. Remove or disable default accounts and settings before installing any payment system.
We’ve created a comprehensive AML & CTF roadmap to help you navigate the compliance landscape, supported by several financial crime prevention courses in our Essentials Library.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, priority access to our free online learning portal and other exclusive benefits.