Every card owner needs to become familiar with the Payment Card Industry security standards. If your financial data ends up in the wrong hands, the standards let you assess whether the card provider complied with the minimum requirements to keep your data safe, and whether the provider is liable for the losses you incurred as a result of a data breach.
All credit/debit card brands are required to adhere to a universal set of standards that ensure the protection of user data for online transactions. These standards detail a set of procedures and policies that a card provider must implement and communicate to its users to protect them from identity theft, loss of financial information and malicious attempts to access a cardholder’s personal data. The standards are managed by the Payment Card Industry Security Standards Council (PCI SSC), a global body supported by the world’s major card services providers, such as Discover Financial Services, MasterCard, Visa, American Express, and JCB International.
For persons with malicious intent and hacker know-how, obtaining an individual’s financial or personal data is a relatively small but certain gain. If an individual cardholder falls victim to targeted data theft, this may lead to personal financial losses or, in the worst case, a full identity theft that will be hard to mitigate and contain in the long term – meaning that the consequences are likely to reverberate in the future. So aside from the card issuer’s responsibility to protect user data, it is in the cardholder’s interest to be aware of possible threats and of the different ways to mitigate them. Unlike obtaining the data of one client for a small gain, targeting an employee of the card service provider and gaining access to the whole system offers a much bigger payoff to hackers. The PCI security standards apply equally to the service provider and to a responsible service user.
Firstly, cardholder data needs to be protected at all stages of its existence: submission, storage and transmission. For transmission, this means strong encryption of data transferred through networks. Virtual private network services offer an affordable and accessible way to create a safe, encrypted network environment both for the service provider and the service user. Every card owner at some point in their life will have to use online payment services over a public WiFi network. While this is not a good idea in the first place, sometimes there is no way around it (if you find yourself on a trip abroad, using hotel or airport WiFi to purchase tickets or book accommodation). Using a VPN on public WiFi is a necessary security measure to ensure that your outgoing traffic is encrypted and transmitted through a secure channel, so that no one on that network can intercept the credit card data you enter to complete an online purchase. A VPN also protects all the other web-based services you use, including email and cloud storage.
A secure firewall configuration and up-to-date antivirus software are a reliable way to mitigate system vulnerabilities that may expose your banking data. This applies both to card service providers and to cardholders: ensuring your overall network security will prevent hackers from singling you out as an easy target. System vulnerabilities evolve and are not always identified and contained by software providers in time. However, installing regular updates to your software is the most straightforward way to keep your systems protected.
Access control measures
If you happen to store your card credentials in your browser (i.e. let the browser ‘remember’ your card details for future transactions), please reconsider this practice. Instead, use a password manager (such as LastPass or KeePass) that stores credit card information in encrypted form and provides better protection in case someone gains physical access to your device.
Two-factor authentication is now a standard implemented by all major card service providers for online transactions and online banking. In addition to two-factor authentication for payments, it is advisable to enable two-factor authentication for access to your online banking profile and for any online service that needs to store your card details.
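To show what the second factor actually does, here is an added example (not code from the original article or from any card provider) of the time-based one-time password scheme (TOTP, RFC 6238) that authenticator apps use. The shared secret is the RFC 6238 reference seed, base32-encoded, and is a constructed demo value; the function and parameter names are this example’s own. The verifier accepts a code from the adjacent 30-second steps to tolerate clock drift, and compares codes in constant time.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 6238 reference seed "12345678901234567890",
# base32-encoded the way authenticator apps expect it. Never paste a real
# account's shared secret into a script.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(key, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for a raw key and a counter."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)        # keep leading zeros


def totp(secret_b32, timestamp=None, step=30, digits=6):
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    if timestamp is None:
        timestamp = int(time.time())
    return hotp(key, timestamp // step, digits)


def verify_totp(secret_b32, code, timestamp=None, step=30, digits=6, window=1):
    """Server-side check: accept the code for the current step or `window`
    steps either side of it, using a constant-time comparison."""
    if timestamp is None:
        timestamp = int(time.time())
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, timestamp + drift * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test vector: at T=59 the 8-digit SHA-1 code is 94287082.
    print(totp(DEMO_SECRET_B32, 59, digits=8))
    print(verify_totp(DEMO_SECRET_B32, "94287082", 59 + 30, digits=8))
```

The window should stay small: each extra step a server accepts widens the set of codes an attacker could guess, which is why the same RFC 6238 that defines the scheme also recommends limiting retries.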
Password management is another measure that is both required of the provider and advised to the end user of card services. Default passwords supplied by your software or hardware vendor, or by a web service provider, increase the vulnerability of your data. Choosing strong, individual passwords and changing them every few months is a necessary measure for service providers and customers who take data protection seriously. Re-using the same password across multiple online services increases your exposure to data theft: if, for example, someone gets hold of your social media password, you may be in for a few unpleasant hours re-establishing ownership of the account. But if your social media password turns out to be identical to your login credentials for online banking, the losses will be financial and serious.
Card payment services have become a routine part of everyday life: we purchase tickets, pay our bills, buy presents and order food online, submitting our card details to service providers several times a month. While for card issuers stronger cybersecurity is a matter of competitive advantage and of survival in a world of evolving cyber threats, for individual cardholders online security is a matter of personal data integrity.