Blog
March 28, 2024

How to Detect and Protect Credit Card Exposure in the Cloud

In this article, we’ll explore the best ways for businesses to secure their customers’ credit card data.


Key Points:

  • Credit card data must be securely protected due to its sensitivity, as demonstrated by high-profile breaches.
  • Adhering to PCI DSS compliance standards is essential for organisations to ensure the security of credit card information.
  • Metomic can help financial organisations protect sensitive data in their SaaS, cloud and GenAI ecosystems.

Credit card data is one of the most sensitive data types an organisation can handle. With high-profile data breaches hitting the headlines in 2023, companies such as Capital One and Bank of America have had to deal with the costly fallout of credit card numbers being leaked - something no business wants to go through.

Any organisation handling credit card data should have the necessary security measures in place to ensure that the data is protected, and cannot be accessed by unauthorised users. In this article, we’ll explore the best ways for businesses to secure their customers’ credit card data.

What types of organisations hold credit card data?

Organisations that collect and store credit card data include retailers who accept card transactions - whether in-person or online - as well as online payment processors such as PayPal, Stripe and Klarna.

Financial institutions such as banks, fintech organisations, and credit card companies also store credit card data as they process transactions, or issue credit cards themselves. They will likely have the cardholder’s name, card account numbers, and expiration date on record, as PCI DSS requirements limit the storage of any further information.

Financial organisations can store credit card data in a few different ways, including in:

  • Databases that hold sensitive financial information, often encrypted to ensure the data contained is secured
  • Secure cloud storage, managed in-house or by a third party
  • Online payment gateways that store data temporarily as part of the transaction process

How does PCI DSS ensure organisations protect credit card data?

PCI DSS was created by five of the major credit card companies in order to ensure customer credit card data is protected. It is a necessary measure that any financial organisation processing credit card data must adhere to.

There are 12 requirements that businesses must follow in order to be compliant, including building and maintaining a secure network by installing firewalls, and putting stringent access controls in place.

Protecting cardholder data is the second requirement of PCI DSS, and to fulfil this, organisations must encrypt sensitive cardholder data during transit and at rest, with access denied to unauthorised persons. Data such as CVV codes should not be stored after authorisation to reduce the risk of unauthorised transactions occurring, and strict access controls should be put in place to minimise the chances of sensitive data being leaked or breached.

At an organisational level, PCI DSS requires companies to implement vulnerability management programs such as anti-virus software to maintain secure systems, as well as information security policies so that all employees, as well as contractors and freelancers, are aware of their responsibilities when it comes to data protection.

If a company uses a third-party cloud provider, it should carry out due diligence to confirm that the vendor is PCI DSS compliant, using the vendor's audit reports as evidence. Finally, networks need to be regularly monitored and tested to determine whether the current security setup is appropriate, and whether further measures need to be taken.

Because PCI DSS is so thorough in its requirements, customers can be confident that any organisation abiding by it has a baseline level of protection in place for their financial data. If an organisation doesn't comply with PCI DSS, it can face hefty penalties, loss of payment card processing privileges and reputational damage that can be long-lasting.

How could cyber criminals access credit card data and how can they use it?

There are a few ways cyber criminals could access credit card data, including:

  1. Malware: Organisations can be hit by hackers using malware to infect computers or point-of-sale systems to collect financial data. Keylogging or memory scraping can help them gain access to the data they desire.
  2. Phishing: A phishing email or message can be sent to an employee at a financial organisation to trick them into revealing credit card information, or other confidential data.
  3. Data breaches: Bad actors may find a way to exploit vulnerabilities in a financial company's ecosystem, moving laterally through the environment to discover sensitive data that they can sell on.
  4. Insider threats: A disgruntled employee can leak information to cyber criminals with malicious intent. Equally, human error now accounts for 95% of data breaches, so ensuring the organisation has a solid human firewall in place is vital.

With this information, they can make fraudulent purchases, and/or commit identity theft, for instance, opening accounts in another person’s name - both of which can result in huge financial losses for the victim. Cybercriminals can also sell stolen credit card data on the dark web to other criminals.

The impact of cybercriminals accessing credit card data can be devastating for victims, so financial organisations must ensure they are doing everything they can to mitigate the security risks to their data.

What are the potential implications for consumers and organisations?

There are several implications for consumers when it comes to credit card exposure.

1. Financial risks

Firstly, they could be at risk of significant financial losses due to unauthorised transactions and identity theft, which could take months to resolve. The mental and emotional toll of this can be extremely stressful for individuals, particularly if they are already in high amounts of debt due to credit card use.

2. Loss of reputation and trust

From an organisational perspective, misuse of consumer credit card information can lead to a loss of customer trust, which can result in a loss of business. The subsequent reputational damage can jeopardise the future of the company, as partners and investors can lose confidence in the team, and the security procedures in place.

3. Legal prosecution

If an organisation is required to comply with industry regulations like PCI DSS, it may also be penalised for a data breach or leak, and have to pay fines to the authorities, or face legal repercussions from governmental bodies, as well as from individuals affected by the breach.

To avoid this, companies need to ensure they have implemented stringent security measures, continuously monitoring for vulnerabilities and protecting credit card data to the best of their ability.

How can credit card data be detected and protected from cyber criminals?

Credit card data should be treated as high-risk sensitive data and protected appropriately to avoid unauthorised users accessing it.

Some of the key steps include:

  1. Securing the network: Organisations should have firewalls, SIEM tools, and other security measures in place to ensure the network is secured and intruders cannot access sensitive credit card data.
  2. Strict access control: Enabling two-factor authentication across all systems containing credit card data can add an extra layer of security to sensitive files.
  3. Encryption: All credit card data should be encrypted during transit and at rest to make it unreadable to malicious users.
  4. Tokenisation: Replacing sensitive data with non-sensitive tokens, and storing the real data elsewhere, is a great method of obscuring credit card data, so that the information is useless for bad actors.
  5. Employee training: The importance of training employees to protect credit card data cannot be overstated. Regular training sessions, tailored to their roles, can be effective in helping the workforce take responsibility for any risks they create.
  6. Regular risk assessments: Carrying out regular data risk assessments identifies vulnerabilities and keeps security teams one step ahead when it comes to protecting sensitive credit card data.
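The detection, masking and tokenisation steps above, as an added example that is not Metomic's code or part of the original post: it scans text fetched from a cloud object for Luhn-valid card numbers (PANs), reports each one masked to the first six and last four digits, and swaps it for a random vault token while leaving non-card digit runs such as order ids untouched. The S3 path, the CSV rows and the in-memory vault are constructed assumptions for the example; the card numbers are the public test numbers, not real cards.

```python
# Added example (not Metomic's code): find Luhn-valid card numbers (PANs) in text
# pulled from cloud storage, report them masked, and swap them for vault tokens.
# Bucket path, CSV rows and vault are constructed; the cards are public test numbers.
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List

# Candidate PAN: 13-19 digits, optionally split by single spaces/hyphens, not inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: weeds out order ids, timestamps and mistyped numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """PCI DSS display rule: show at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

@dataclass
class Finding:
    location: str   # object path the text came from
    line: int       # 1-based line within the object
    masked: str     # never the full PAN: a findings report must not re-expose it

def scan_text(location: str, text: str) -> List[Finding]:
    """Report every Luhn-valid PAN candidate in `text` as a masked finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                findings.append(Finding(location, lineno, mask_pan(digits)))
    return findings

class TokenVault:
    """PAN <-> token map; an in-memory stand-in for a separate PCI-scoped vault service (assumption)."""
    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_pan: Dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        if pan not in self._by_pan:                 # same PAN -> same token
            token = "tok_" + secrets.token_hex(8)   # random, not derived from the PAN
            self._by_token[token] = pan
            self._by_pan[pan] = token
        return self._by_pan[pan]

    def detokenise(self, token: str) -> str:
        return self._by_token[token]

def redact_text(text: str, vault: TokenVault) -> str:
    """Replace each valid PAN with its token; leave non-card digit runs untouched."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        return vault.tokenise(digits) if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(repl, text)

# Constructed sample: an exported CSV of the kind that ends up sitting in a bucket.
SAMPLE_OBJECT = "s3://constructed-bucket/exports/customers.csv"
SAMPLE_TEXT = """\
customer,card,note
alice,4111 1111 1111 1111,visa test number
bob,5500-0000-0000-0004,mastercard test number
carol,378282246310005,amex test number
dave,4111111111111112,last digit wrong so fails Luhn
eve,order-20240328123456,14-digit order id that fails Luhn
"""
```

Running `scan_text(SAMPLE_OBJECT, SAMPLE_TEXT)` flags lines 2 to 4 only; `redact_text` then leaves the exported file free of raw PANs while the vault alone can map tokens back.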

How can Metomic help?

Metomic's data security platform gives financial organisations full visibility over where sensitive credit card data is stored across their SaaS, cloud and GenAI applications.
