Cracking down on contactless card fraud
The introduction of the £100 contactless payment limit in 2021, designed to offer convenience in a post-pandemic world, has also opened doors for opportunistic fraudsters.
A recent article in the Telegraph reports that contactless card fraud has doubled since the limit was raised, reaching £41.5m. This trend has caught the attention of the Financial Conduct Authority (FCA), prompting it to prioritise fraud prevention in its new regulations.
As fraudsters become more sophisticated, businesses must adapt and strengthen their defences to protect cardholder data. Skillcast, a compliance training company, provides actionable insights on how businesses can mitigate risks and ensure compliance based on its extensive research and expert opinions.
Understanding the Threat Landscape
Despite a decline in some types of fraud post-pandemic, criminals continue to evolve new tactics. One prevalent method is “digital skimming” (also known as formjacking), where malicious code is injected into a website’s checkout pages to steal card details as the customer types them during an online transaction.
According to UK Finance’s 2022 half-year fraud update, fraud losses on payment cards reached £272.3 million in the first half of 2022, a 4% increase year on year. Over the same period, banks and card companies detected and prevented £480 million of attempted fraud.
Vivek Dodd, a cybersecurity expert from Skillcast, emphasises the importance of robust security measures: “Fraud prevention isn’t just about technology; it’s about creating a culture of vigilance and continuous improvement within the organisation.”
Skillcast recommends following these eight essential tips to safeguard cardholder data, with expert insights provided by Vivek:
- Minimise Cardholder Data Storage
Only retain data necessary for business, legal, or regulatory purposes, and ensure it is kept for a limited time. Regularly purge unnecessary data and dispose of it securely. Vivek advises, “Maintaining a lean data environment reduces the potential attack surface for fraudsters.”
- Avoid Storing Sensitive Information
Under no circumstances, even in encrypted form, should you store full magnetic stripe (track) data, the CAV2/CVC2/CVV2/CID code, or PINs and PIN blocks after authorisation. Storing plain copies (scans or photographs) of cards is also prohibited. “These elements are prime targets for fraudsters. Eliminating their storage is a critical step,” Vivek notes.
- Implement Data Masking Techniques
When a card number must be displayed, show at most the first six and last four digits; this is the maximum PCI DSS permits, and many displays need fewer. Masking is mandatory wherever card numbers appear, including receipts, screens, reports and documents containing payment details. Masking is a display control, not a storage control: the full number, where it must be retained at all, still has to be protected at rest. “Data masking adds a crucial layer of security by limiting the exposure of sensitive information,” Vivek explains.
- Avoid Writing Down Cardholder Data
Enter card details directly into secure payment systems rather than writing them down on paper or in e-mails, support tickets or chat messages. “Every manual entry point is a potential vulnerability,” Vivek warns.
- Ensure Data is Unrecoverable Post-Use
Once authorisation is complete and sensitive authentication data has served its purpose, it should be rendered unrecoverable, so that it cannot be misused even if the system holding it is later accessed. Vivek highlights, “Rendering data unrecoverable is an essential part of the data lifecycle management.”
- Encrypt Data During Transmission
Never transmit PINs or other sensitive authentication data without strong encryption, and protect cardholder data crossing open or public networks with strong cryptography such as a current version of TLS. Encourage the use of secure upload facilities for collecting or storing cardholder data rather than e-mail attachments.
- Adhere to Established Security Procedures
Protect the cryptographic keys used to secure stored cardholder data against misuse and unauthorised disclosure, and follow your firm’s key-management and operational procedures rigorously. “Consistency in following security protocols is essential to prevent breaches,” Vivek mentions.
- Change Default Settings and Passwords
Remove system default settings and change vendor-supplied passwords before a system goes live, since published defaults are the first thing an attacker tries. Vivek suggests, “Default configurations are often exploited by hackers; customising settings significantly reduces this risk.”
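The masking tip above is the one item on this list that engineers implement directly, so here is an added example of it in Python. This is illustrative code written for this page, not Skillcast’s code or a PCI-mandated implementation. It masks a PAN to the first six and last four digits, refuses input that is not a plausible PAN (wrong length, non-digits, failed Luhn check) so that a caller cannot accidentally “mask” a non-card string and treat it as safe, and, going slightly beyond the tip, scrubs PAN-shaped digit runs out of free text such as a support-ticket note, which is how card numbers usually end up written down. The sample strings and the function names are constructed for the example.

```python
import re

# PCI DSS allows at most the first six (BIN) and last four digits of a PAN to
# be shown; everything between them is replaced. Real PANs are 13-19 digits.
PAN_MIN_LEN = 13
PAN_MAX_LEN = 19


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: separates card numbers from other long digit runs
    (order IDs, phone numbers) that would otherwise be masked by mistake."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the PAN masked to first six + last four, e.g. 411111******1111.

    Raises ValueError for anything that is not a plausible PAN, so a caller
    never gets a partially masked or unmasked string back by accident.
    """
    digits = re.sub(r"[ -]", "", pan)       # tolerate "4111 1111 ..." and "4111-1111-..."
    if not digits.isdigit() or not (PAN_MIN_LEN <= len(digits) <= PAN_MAX_LEN):
        raise ValueError("not a plausible PAN (length or non-digit characters)")
    if not luhn_valid(digits):
        raise ValueError("Luhn check failed; refusing to mask a non-PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# 13-19 digits, optionally separated by single spaces or hyphens, not embedded
# in a longer digit run. Runs that match but fail Luhn are left untouched.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def redact_text(text: str) -> str:
    """Mask every Luhn-valid PAN-shaped digit run in free text (tickets, notes,
    log lines). Separators inside the PAN are dropped in the masked output."""
    def _replace(match: re.Match) -> str:
        try:
            return mask_pan(match.group(0))
        except ValueError:
            return match.group(0)           # not a PAN, leave it alone
    return PAN_PATTERN.sub(_replace, text)


if __name__ == "__main__":
    # Constructed sample: a well-known Visa test number plus an order reference
    # that is 13 digits long but is not a valid card number.
    note = "Customer paid with 4111 1111 1111 1111, ref 1234567890123"
    print(mask_pan("4111 1111 1111 1111"))
    print(redact_text(note))
```

The Luhn check is what makes the free-text scrubber usable: without it, every 13-to-19-digit reference number in a ticket would be mangled and staff would stop trusting the tool. The flip side is that a PAN typed with a typo fails Luhn and is not redacted, so scrubbing is a safety net for stray card numbers, not a substitute for never writing them down in the first place.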
The rise in contactless card fraud underscores the necessity for businesses to comply with regulations like the Payment Card Industry Data Security Standard (PCI DSS) and foster a proactive security culture.
By implementing these best practices, businesses can significantly reduce the risk of cardholder data fraud and contribute to a safer financial ecosystem. The FCA’s renewed focus on fraud prevention is a timely reminder that security must evolve in tandem with convenience in the digital age.