Identity theft, data breaches, skimming and other attempts to steal consumers’ information grab headlines, but often your credit cards themselves are your first line of defense against such attacks. Here’s what you need to know about credit card security.
Credit cards can help protect you from fraudsters. And you can activate other security measures to keep your card data safe.
Built-in security features can help keep your credit cards safe, and you can take extra steps to protect your data.
Identity theft, data breaches, skimming and other attempts to steal consumers’ personal and credit card information grab headlines, but often your credit cards themselves are your first line of defense against such attacks, and you can take additional steps to further shore up your security.
“I think a lot of people don’t realize the amount of security already built into cards,” says Michael Bruemmer, vice president of consumer protection for the credit reporting agency Experian.
See related: How do credit cards work?
What security features do credit cards have?
Credit card security features
For about four decades, credit cards have had a magnetic stripe, which contains such data as the cardholder’s name, account number and card expiration date.
Most cards still have the magnetic stripe, although the U.S. began its shift to EMV technology in 2015, with a computer chip used to store card data. EMV stands for Europay, Mastercard and Visa, the three companies that first agreed to the new technology in 2002.
An EMV card generates a unique transaction code every time the card is used for payment. That is designed to prevent criminals from creating counterfeit cards.
But experts are finding not all EMV cards are fraud-proof. A recent security alert from Visa, as well as a recent study, noted that malware that can be placed on point-of-sale terminals that can be used to steal EMV data. That information then can be sold on the dark web to create new credit cards with magnetic stripes, according to a July 2020 blog post by security expert Brian Krebs.
Both a northeastern grocery store chain, Key Food Stores Co-Operative Inc., and a Georgia liquor store seem to have had data stolen in that manner, Krebs wrote.
Other security threats remain with cards designed with EMV technology because not all ATMs and point-of-sale devices have been converted to read the chips and “some merchants are not authenticating the chips for all transactions,” says Tracy C. Kitten, director of fraud and security for Javelin Strategy & Research.
Credit cards also have a card verification value (CVV), a three- or four-digit number that provides an additional layer of security. If you’re making a transaction online or by phone, the merchant may request the CVV to help verify that the transaction is legitimate.
Retailers may store your credit card account number in their databases, but they aren’t allowed to store your CVV number.
“In addition to the security features on the card themselves, a lot goes into fraud prevention on the back end that sometimes cardholders aren’t even aware of until there’s an alert or suspicious transaction,” says Prithvi Prabhu, vice president of risk and pricing at Avant, which offers credit cards to help consumers build or rebuild their credit.
See related: Is dynamic CVV the ultimate in credit card security?
Freezes, locks and virtual card numbers
Other features, either built into your card or that you can choose to implement, also can help keep your information safe.
“Card controls are an essential staple these days,” Kitten says. “Providing the consumer with the ability to turn their payment card off and on whenever they like provides added security.”
Discover, for example, has a Freeze It feature on its credit cards. If you’ve misplaced your card, you can go online, use the mobile app or call the company to put a freeze on your credit card so new transactions can’t be made. When you find your card, you can unfreeze your account.
Citi credit cards have a similar Quick Lock feature, which allows you to lock and unlock your card online or using a mobile app.
If you are worried about the security of your online purchases, Capital One also offers you the ability to request a virtual card number specific to that particular merchant.
Some credit cards allow you to set your own controls, such as the number of transactions that can be made each day, the dollar limit for transactions or the geographic area in which the card can be used, Bruemmer says.
With Citi credit cards, for example, you can have an alert sent to your phone if a transaction takes place outside the U.S., if the card isn’t present at the time of the purchase or the transaction amount exceeds the limit you set.
“Consumers should look for a card that provides these extra security features to increase their chances of not falling victim to credit card fraud,” Prabhu says.
One big benefit of using a credit card is that you have zero liability if you can prove your card was used fraudulently, Bruemmer says.
Stolen cards for sale
Yet even with protections available, the cybersecurity company Sixgill found more than 45 million credit cards for sale on the dark web during the first half of 2020, and almost half of those being sold came from the U.S.
Despite the staggering number of cards for sale on the dark web, the bright spot was a steep drop in the number of cards available. During the second half of 2019, more than 76 million cards were for sale.
A crackdown by Russian law enforcement agencies on these credit card markets on the dark web was responsible for much of the decline, says Michael-Angelo Zummo, cyber threat intelligence specialist at Sixgill.
In addition, many states imposed lockdowns this spring because of the COVID-19 pandemic, preventing fraudsters from gaining access to point-of-sale systems at some retailers. Because of that, “threat actors have halted card cloning services and shimmer/skimmer sales,” Sixgill wrote in its August report.
- The largest number of credit cards for sale on the dark web worldwide came from Visa. The credit card issuer had 55% of the compromised credit cards for sale in the first half of 2020, Sixgill found. Visa is the world’s largest credit card issuer – it had 336 million cards in circulation in the U.S. in late 2018, and 771 million in the rest of the world.
- Mastercard ranked second, with one-third of the compromised cards. It had 231 million cards issued in the U.S. and 644 million in the rest of the world.
- American Express had 6% of the cards for sale on the dark web. The issuer had almost 54 million credit cards in circulation in the U.S. and 60 million in the rest of the world.
- Discover had just 1% of cards for sale, Sixgill found.
U.S. credit cards probably are in demand, Zummo says, because “threat actors, I think, believe U.S. credit cards have higher limits than the rest of the world.”
Americans also tend to own multiple credit cards, with the average American having roughly three, according to a Federal Reserve report.
Although Russian law enforcement officials shut down several major credit card marketplaces on the dark web, Zummo says “we’re always finding new credit card markets popping up. I wouldn’t be surprised if the number of cards for sale on the dark web rebounds pretty quickly.”
How to protect your credit card information
Consumers also should be vigilant to protect themselves from the threats posed by cybercriminals.
One simple way is not posting your credit card information on social media, Bruemmer says, and not sending it to a friend via email or text, where it can be intercepted.
Kitten recommends regularly monitoring your account statements for any suspicious activity.
If you’re using your credit card at a gas station or other retailer, make sure a skimmer hasn’t been attached to the point-of-sale terminal to collect your card information. Check for a plastic overlay or other loose parts to try to be sure it hasn’t been tampered with, Zummo says.
The holidays are right around the corner, and they’re a prime time for cybercriminals to steal your information and then sell it on the dark web, Zummo says.
Consumers need to be “hyperaware of the type of threats out there,” he says.