Your credit card got hacked…how did it happen?

We read every day stories about people’s credit cards that were “hacked”.  We put the word hacked in quotes because it’s really not the correct term.  The better word is breached.

Regardless of the what you call it, the bad guys got your credit card number and now you have to jump through a bunch of hoops in order to fix it, from calling the credit card provider, to looking over your statements to see where all the bad guys used your card.

But how did you get here?  Where did the bad guys get your card?  When did it happen?  What method did they use?

First thing’s first.  It most likely didn’t happen recently.  Unless you lost your card, chances are your card was compromised weeks, if not months ago.  So don’t blame the last place that you used your card.  Not only did they probably not have anything to do with it, but you’re also making possibly a slanderous statement against that company and could find yourself in legal trouble.

The card may have been compromised at a merchant who was not PCI Compliant, a requirement for any merchant who takes credit cards.  Unfortunately, many merchants don’t have a clue that they need to be compliant, or under the assumption that they already are, based on wrong information they are receiving from their credit card processor.  Here’s some simple facts:

  •   No breach has ever occurred at a merchant who was 100% PCI Compliant.
  •  All breaches that have occurred were at merchants who were not PCI Compliant.  

The card may have been breached at a gas station or ATM that had a skimmer installed.   This method collects card information for a period of weeks or months.  The bad guys (and girls) then take the numbers and encode them on pre-paid credit cards they purchase at a drug store, and go on shopping sprees.  The length of time between the skimmed cards and the using of the accounts could be a few months.

Banks have become smarter when it comes to compromised accounts.  Many years ago when a card was compromised, the victim would find charges that were made in other states or even other countries.  Today, if there’s suspicious activity on an account, often times the bank will call the account holder and ask them if they are in another state.  If they are not, they will not authorize the transaction.

Because the banks are now monitoring accounts, the bad guys are adapting.  Usually, if a card holder is based in a particular ZIP code, the bad guys will harvest all of the account numbers for that area, then descend on that area and begin to use the compromised accounts in that area.  That raises less suspicion with the banks.  However, the time between the breach and the using of the account can be weeks or months.

Here’s a great article that gives you a very detailed view on credit card breaches.

If you’re a merchant who takes credit cards and are not sure if you’re PCI Compliant, contact PC Medics of Alabama today at 205-201-0389 or via e-mail a info@pcmdx.net for a free consultation.  Our PCI Compliance experts will go over your network and give you recommendations on how to become compliant.