Tipping foil is used to enhance and protect the embossed characters on financial institutions’ cards. The metallic ribbon is pressed onto the card’s embossed characters, making them stand out and easier to read, and it also improves durability, since it is designed to resist daily wear and keep the card legible over the years; think of it as the “makeup” for the face of the card. The foil is stamped onto the raised lettering during the personalization process. What is important to remember is that the foil now carries a reversed impression of every character it was pressed against, including the embossed primary account number, much like a used typewriter ribbon. That physical impression is why tipping foil must be destroyed before it is thrown away.
This method of personalizing credit and debit cards is, however, being phased out. Years ago the numbers had to be raised (embossed) on the front of the card so that running it through a manual imprinter left a carbon copy of those numbers on a slip of paper for the customer to sign. Magnetic stripes are now on their way out too, as chip card readers become the normal way to pay. The magnetic stripe holds all of the cardholder data needed to make a purchase or clone the card, and because that data is static, anyone who reads the stripe, for example with a skimmer fitted to a terminal or ATM, gets a complete copy.
The EMV® (named for Europay, Mastercard and Visa, the three card networks that originally developed the specification) chip card is now the global standard for authenticating card-present transactions. The data on a magnetic stripe is static: it reads the same every time. The chip, by contrast, computes a unique cryptogram for each transaction from a key held inside the chip, a transaction counter and the transaction details, and the issuer verifies that cryptogram before approving. A cryptogram captured from one transaction is useless for any other, so a thief who records the chip’s output cannot use it to validate a later transaction.
The difference between contactless transactions and contact chip transactions is the way the data is carried: a contactless card (NFC, often loosely called RFID) only needs to be held close to the terminal rather than inserted into a chip reader. Both contact and contactless EMV are more secure than the magnetic stripe, but a chip does not make a card immune to fraud. NFC skimming is the remaining exposure: a reader brought within a few centimetres of a contactless card can talk to it the same way a terminal does, and the static data the card discloses (for example the PAN and expiry date) can be captured, even though the per-transaction cryptogram cannot be reused.
Consumers and organizations alike must properly destroy expired or unwanted cards and anything else that carries cardholder PII, whether that is an EMV chip or a used tipping foil reel that still holds a legible impression of the data. Companies like SEM offer a range of devices designed so that anyone can take control of their personal data and destroy it for good.
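The point of the two paragraphs above, as an added illustration (not code from the page or from the EMV specifications): a contactless reader can obtain the card’s static data, but the per-transaction cryptogram is bound to a counter and to the transaction details, so neither replaying it nor altering the amount gets past the issuer. The `Card` and `Issuer` classes, the HMAC construction and the sample PAN, key and amounts are constructed simplifications of mine; real EMV derives card keys from an issuer master key and computes the ARQC with an ISO/IEC 9797-1 MAC over a defined list of fields.

```python
"""Toy model of why a captured EMV cryptogram cannot be replayed.

Added illustration, not code from the page or from any EMV specification.
HMAC-SHA256 over a small constructed record stands in for the real ARQC MAC,
and the issuer tracks the last Application Transaction Counter (ATC) it has
accepted per card.  Key, PAN, expiry and amounts are constructed sample values.
"""
import hashlib
import hmac
import secrets


def _cryptogram(key: bytes, pan: str, atc: int, amount: int, nonce: str) -> str:
    # Simplified stand-in for the ARQC: MAC over PAN, counter, amount and
    # the terminal's unpredictable number, truncated to 8 bytes like EMV.
    msg = f"{pan}|{atc}|{amount}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8].hex()


class Card:
    def __init__(self, pan: str, expiry: str, key: bytes):
        self.pan = pan
        self.expiry = expiry
        self._key = key      # never leaves the chip
        self.atc = 0         # increments on every transaction

    def contactless_read(self) -> dict:
        """Static data a nearby reader can obtain without a transaction."""
        return {"pan": self.pan, "expiry": self.expiry}

    def generate_arqc(self, amount_cents: int, terminal_nonce: str) -> dict:
        self.atc += 1
        return {
            "pan": self.pan, "atc": self.atc, "amount": amount_cents,
            "nonce": terminal_nonce,
            "arqc": _cryptogram(self._key, self.pan, self.atc, amount_cents, terminal_nonce),
        }


class Issuer:
    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enrol(self, pan: str, key: bytes) -> None:
        self._keys[pan] = key
        self._last_atc[pan] = 0

    def authorise(self, req: dict) -> str:
        key = self._keys.get(req["pan"])
        if key is None:
            return "DECLINE:unknown_card"
        # A counter that does not move forward means a replayed request.
        if req["atc"] <= self._last_atc[req["pan"]]:
            return "DECLINE:replayed_atc"
        expected = _cryptogram(key, req["pan"], req["atc"], req["amount"], req["nonce"])
        if not hmac.compare_digest(expected, req["arqc"]):
            return "DECLINE:bad_cryptogram"
        self._last_atc[req["pan"]] = req["atc"]
        return "APPROVE"


def demo() -> dict:
    """Genuine transaction, then a skimmer's replay and a tampered copy."""
    key = secrets.token_bytes(16)                 # constructed per-card key
    card = Card("4111111111111111", "2912", key)  # test PAN, expiry 12/29
    issuer = Issuer()
    issuer.enrol(card.pan, key)
    results = {}
    req = card.generate_arqc(2599, "A1B2C3D4")
    results["genuine"] = issuer.authorise(req)
    results["replay"] = issuer.authorise(req)     # same request sent again
    tampered = dict(req, amount=99999, atc=req["atc"] + 1)  # bump ATC, change amount
    results["tampered"] = issuer.authorise(tampered)
    results["skimmed"] = card.contactless_read()  # what NFC skimming yields
    return results


if __name__ == "__main__":
    print(demo())
```

The `skimmed` entry is the real-world residue of NFC skimming: PAN and expiry, which is why the static data on a card still needs protecting even though the cryptogram does not.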
The Model DS-400 is one of our top multipurpose turnkey disintegrators. This high security model was evaluated by the NSA, is listed on the NSA/CSS Evaluated Products List (EPL), and was specifically designed to destroy metal cards and license plates. It can also securely destroy classified paper and CDs, as well as unclassified media in smaller form factors such as flash and thumb drives, solid state drives (SSDs) and SIM chips.
The Model 0205NANO is one half of a two-machine SSD destruction solution. The NANO is a mobile crushing unit designed solely for the destruction of the smallest forms of solid state media. From CompactFlash and SD cards to bare SOIC-8 and PLCC-32 flash packages, the 0205NANO crushes the media beyond recovery with its purpose-designed internal rotors.
The second solution in the 0205 SSD disintegrator pair is the Model 0205MICRO. Like the NANO, the MICRO was designed to destroy a wider range of SSD media, such as cell phones, PC boards, IronKeys, small tablets, and more.
The key to destroying something properly is first understanding how the technology works. A number of our disintegrators will also destroy tipping foil, EMV chips, SSDs and other media at a range of volumes, and we have devices that can destroy even tough metal credit cards.
Classified or unclassified, there’s a way to destroy it. Leaving data in a stockpiled room “unsure of what to do” with it is not excusable, and yet many still haven’t educated themselves further to see how their negligence is putting their lives and companies at risk. Mitigate those risks today and be smart when handling personally identifiable information (PII) with Security Engineered Machinery. We’re always eager to help answer questions and can assure you we will help you meet your destruction requirements.
In the digital age, enhanced debit and credit card functionality has led to an increase in frauds and scams. Given the sensitivity of the information attached to consumers’ payment cards, the critical need to ensure their security from the time of production through every swipe at a retailer or input on an e-commerce website became apparent.
What is PCI DSS?
Visa introduced the first set of credit card security standards—the Cardholder Information Security Program (CISP)—in October 1999, and gave merchants until May 2001 to comply. Other payment card companies would follow suit. These standards created major difficulties for merchants because compliance regulations were different for all major payment card companies, and total compliance was both expensive and laborious.
To combat rising fraud and replace the brand-specific programs with one set of requirements, the five major payment card brands (Visa, MasterCard, American Express, Discover and JCB) aligned their programs and released the first unified standard, the Payment Card Industry Data Security Standard (PCI DSS) version 1.0, in December 2004, then formed the Payment Card Industry Security Standards Council (PCI SSC) in 2006 to maintain it. The standard has been revised several times since: version 3.2.1 was released in May 2018, version 4.0 followed in March 2022, and 3.2.1 was retired in March 2024.
Under the agreement’s terms, all entities that take part in transmitting or storing cardholder information must be PCI DSS-compliant. In addition to merchants and retail outlets, such entities include e-commerce sites, software as a service (SaaS) providers involved in payment gateways, financial institutions, and security printers. These regulations are intended to ensure that organizational policies regarding data retention, data disposal, and data security are effectively implemented and enforced.
It is important to understand that, although PCI DSS is not a law, the penalties for noncompliance can be quite steep. The PCI SSC does not impose penalties directly. Instead, the council reports regulation infractions to the payment card brands. In turn, they penalize the offending merchant’s acquiring financial institution, which then penalizes the offending merchant.
Data Covered Under PCI DSS
There are two types of data that fall under PCI DSS regulations on data storage: cardholder data and sensitive authentication data.
Cardholder data comprises the primary account number (PAN), cardholder name, service code and expiration date. It may be stored only where there is a documented business need, for no longer than that need requires, and a quarterly process must identify and securely delete anything held past its retention period. Wherever the PAN is stored it must be rendered unreadable (for example by truncation, tokenization, one-way hashing or strong encryption), and it must be encrypted whenever it crosses open, public networks. When the PAN is displayed, at most the first six and last four digits may be shown.
Sensitive authentication data must never be stored after authorization, even in encrypted form. It consists of the full track 1 and track 2 data from the magnetic stripe (or the chip’s equivalent), the card verification codes (CVV2, CVC2, CID and CAV2) and PINs or PIN blocks. It may be held only while needed to complete the authorization and must be securely deleted as soon as that authorization completes.
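What the stripe actually holds, and how the storage rules above apply to each field, as an added example that is not code from the page. The two track strings are constructed sample records in ISO/IEC 7813 layout using the well-known 4111 test PAN, not data read from a real card, and the function names are mine. The code separates cardholder data from the discretionary field that carries sensitive authentication data, Luhn-checks the PAN, and masks it to the first six and last four digits, the most PCI DSS allows for display.

```python
"""Parse ISO/IEC 7813 track 1 and track 2 records and apply PCI DSS storage rules.

Added example, not code from the page.  Sample records below are constructed.
"""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<expiry>\d{4})(?P<service>\d{3})(?P<discretionary>[^?]*)\?$"
)
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<expiry>\d{4})(?P<service>\d{3})(?P<discretionary>[^?]*)\?$"
)

# Constructed sample records: test PAN 4111..., made-up name, expiry 12/29,
# service code 101, arbitrary digits standing in for CVV1/PVV data.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^29121011234567890123?"
SAMPLE_TRACK2 = ";4111111111111111=29121011234567890123?"


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check on the PAN; catches typos and most forged numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate the PAN for display or storage: first six and last four at most."""
    if len(pan) < 10:
        raise ValueError("PAN too short to mask safely")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def service_code_uses_chip(service: str) -> bool:
    """A first digit of 2 or 6 tells the terminal the card carries an IC (chip)."""
    return service[0] in "26"


def parse_track(raw: str) -> dict:
    """Split a track record into fields, rejecting malformed data and bad PANs."""
    m = TRACK1_RE.match(raw) or TRACK2_RE.match(raw)
    if m is None:
        raise ValueError("not a well-formed track 1 or track 2 record")
    fields = m.groupdict()
    if not luhn_valid(fields["pan"]):
        raise ValueError("PAN fails Luhn check")
    return fields


def storable_record(raw: str) -> dict:
    """The subset that may be kept after authorization, in storable form.

    The discretionary field (CVV1/CVC1, PIN verification value) and the full
    track image are sensitive authentication data and are deliberately dropped;
    the PAN is truncated so the stored copy is unreadable on its own.
    """
    f = parse_track(raw)
    rec = {
        "pan_masked": mask_pan(f["pan"]),
        "expiry": f["expiry"],
        "service_code": f["service"],
        "chip_card": service_code_uses_chip(f["service"]),
    }
    if "name" in f:          # only track 1 carries the cardholder name
        rec["name"] = f["name"]
    return rec


if __name__ == "__main__":
    print(storable_record(SAMPLE_TRACK1))
    print(storable_record(SAMPLE_TRACK2))
```

A useful check on any payment system is that nothing it persists after authorization, logs included, can reproduce the input track string; the record returned here cannot.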
Financial Institutions & PCI DSS
To remain PCI DSS-compliant, financial institutions must follow a strict set of norms to ensure Personally Identifiable Information (PII) is not compromised, including the following:
• Regularly running controlled attack simulations (penetration tests) against the cardholder data environment (CDE) and any system connected to it;
• Performing quarterly scans for both authorized and unauthorized wireless access points; and
• Conducting white- and black-box penetration testing at the network and application layers after any significant change, and at least once a year.
If any of the tests identify issues, the institution should immediately fix the issues and retest until all issues are resolved.
In addition to regular and rigorous testing, financial institutions are responsible for PCI DSS-compliance enforcement for their acquired merchants. They determine how merchants must verify compliance, and they are responsible for rectifying situations when acquired merchants are deemed to be in violation. The resulting fines are levied by the payment card companies on the financial institution, which then trickles the fine down to the merchant in a variety of ways, including special fees, increased processing and transaction fees, and monthly fees. If issues are not resolved, the financial institution could terminate its relationship with the offending merchant, and the merchant could forfeit its authorization to accept payment cards altogether.
Since PCI DSS compliance starts at card production and ends at card destruction, financial institutions must also account for the card-creation process, by which they must verify that their security printing process or vendor is also PCI DSS-compliant.
Security Printing & PCI DSS
Regardless of whether the facilities that manufacture payment cards or their components are owned by the issuing financial institutions, they are subject to additional PCI SSC requirements for protecting PII (the PCI Card Production and Provisioning Physical and Logical Security Requirements, which sit alongside PCI DSS). Since a breach at one of these facilities could have severe consequences, both the electronic systems and the physical premises must be secured to comply.
PII must always be securely encrypted during storage and transmission. The only exception is during the PII customization phase. During this time, the data is not to be on any public-facing network or connected to the internet in any way. Immediately after the information is entered, the data must be encrypted again, which absolutely must occur before reconnection to a network or the internet.
Any vendor handling PII must restrict access to a list of designated individuals who are authorized to enter sensitive cardholder data or to encrypt or decrypt PII. The vendor must also have a written policy for any removable media containing PII. Such media must be clearly labeled, stored in a secure location within the facility, and tracked during all movement. An authorized individual must oversee this function, and that person must not have the ability to decrypt any of the data. Once the data on removable media is no longer needed, the media must be destroyed rather than merely erased.
A Chief Information Security Officer (CISO) must be designated to oversee the vendor’s information technology security and to report compliance status and potential threats to executive management on a monthly basis. Separation of duties applies: this person must not perform the tasks they approve.
The CISO is responsible for approving network and firewall configurations, which must be in compliance with the PCI DSS regulations. This includes the documented flow of cardholder information from input to destruction (e.g., the stipulation that the system housing the cardholder information must be separate from any other vendor or internet networks and not housed on the same server rack).
Any remote access is restricted to the administrator of the network or system components. Quarterly external vulnerability scans must be completed by a PCI SSC- approved scanning vendor, and internal and external penetration tests must be performed annually and subsequent to any major infrastructure change. Any keys to the premises and sensitive areas must be well logged and accessible only to the designated key holders.
The vendor is also responsible for restricting and securing physical access to the premises. All non-emergency doors must always be locked or electronically controlled, with access governed by a device such as a card reader or biometric scanner. All entrances and exits must admit only one person at a time; in addition, they must be contact-alarm monitored and reinforced to meet local fire and safety regulations. All exterior walls are required to be masonry block or a material of comparable strength, and any windows or doors must be protected against intrusion.
Employee-identification badges/access cards must never contain any logo or company information identifiable by an outside party. Employee access must be restricted to areas necessary for completion of their job functions.
A designated room or building for monitoring a CCTV security system must not be viewable from external locations. Backups of security tapes must be produced daily and kept for a minimum of 90 days. Additionally, if DVR is used, it must be housed in a designated security-equipment room with access restricted to authorized personnel.
A High Security Area (HSA) is any area where payment cards, their components, and/or PII are stored. Production and provisioning tasks are the only activities allowed in an HSA. These areas must also be outfitted with internal motion detectors. Personal items and electronics are absolutely prohibited from these areas. The only personal effects that may be brought inside an HSA are medication and tissues (provided they can be examined through their container).
All processes related to payment card production must be outlined in detail and ensure a traceable trail of possession and production for all cards and card components. Inventory must be thoroughly managed and accounted for, and no unnecessary material may be opened at any time.
All tipping foil reels containing PII must be completely shredded in-house, with dual oversight in an HSA. This should happen at least once per week.
All materials used in the mailing, packaging, and delivery processes must be regulated and inventoried. Wasted mailers must also be logged, as well as mailers completed and transferred to a mailing area. Envelopes containing payment cards should be nondescript and bear no company logos or references. GPS tracking must be in place for the mailers, and vehicle drivers must not have keys that allow access to the mailers being transported. A direct communication channel between the security control room (where movement is also being monitored) and the vehicle must be maintained. Two people must be in the delivery vehicle.
PCI DSS Regulations Regarding Data Destruction
For both paper and electronic data, PCI DSS compliance requires a documented strategy covering how the media is stored, how long it is kept, and how it is disposed of. It further requires that data be destroyed so that it cannot be reconstructed. The DIN (Deutsches Institut für Normung, the German Institute for Standardization) developed internationally recognized destruction standards in DIN 66399, now adopted globally as ISO/IEC 21964. For each class of media the standard defines seven security levels, with 1 the least secure and 7 the most secure.
According to DIN 66399 (ISO/IEC 21964), paper should be shredded to a minimum security level of P-4: particle area no more than 160 mm², with a strip width no greater than 6 mm.
In addition, hard drives should be destroyed to level H-4 or higher: particles no larger than 2000 mm², so the drive cannot be reassembled for data recovery except with highly specialized equipment. If a drive is to be retained and repurposed, sanitization of the data to the point of no recovery must be verifiable.
Optical media, such as CDs or DVDs, should be reduced to a maximum particle size of 160 mm² (security level O-4). Microfilm should be reduced to level F-4, particles no larger than 2.5 mm². Electronic media such as USB drives and memory cards should be destroyed to a minimum of level E-4, particles no larger than 30 mm². Magnetic media, such as cassette tapes, floppy disks, or payment cards, should be destroyed to a minimum of level T-4, particles no larger than 160 mm².
A Quick Word About Metal Payment Cards
Destruction of payment cards is becoming more difficult with the recent release and surge in popularity of metal credit and debit cards. These cards function no differently than their plastic predecessors; they have multiplied because they score “style points” with consumers. The only real difference is that consumers are effectively unable to shred metal payment cards at home. Rather than destroy the cards themselves, consumers must arrange for the issuer to do so, or use a disintegrator such as the SEM Model DS-400 or Model 1012.
Being PCI DSS compliant may not be a law, but it certainly is required for all merchants, financial institutions, and security printers. From creation to destruction, it is imperative that PII not be compromised at any point in the process. Be sure that any shredders you use destroy materials to the appropriate level so they cannot be reconstructed. Companies like SEM are very familiar with PCI DSS requirements and have the sophisticated shredding technology required for appropriate data destruction.
Beyond convenience, credit cards can also provide the cardholder with the ability to build credit (which is necessary for major purchases like buying a home or car) as well as to earn rewards and cash back. However, credit cards can also pose a major threat for identity theft, and likely in more ways than most realize.
Credit Cards & PII
Do you have a credit card? If so, take it out and look at it for a moment. At a glance there is a host of obvious Personally Identifiable Information (PII) printed right on it: your name, the primary account number (PAN, the card number), the expiration date and the card verification code (CVV2). In the wrong hands this data can be used for card fraud and identity theft.
There is also PII on your card where you might not expect it. The magnetic stripe stores the PAN, cardholder name, expiration date and service code, plus a card verification code (CVV1/CVC1, different from the printed one) and PIN verification data in its discretionary field; it does not hold the PIN itself. A contactless card carries the same core data (PAN and expiration date) in the contactless interface of its chip, read over NFC (often loosely called RFID). Older cards were marked with the words “Blink,” “PayPass,” or “payWave”; today the sign is the contactless symbol, which looks like a Wi-Fi signal turned 90 degrees clockwise.
Contactless payment adds convenience: tap the card near the terminal instead of inserting it into a reader. The chip generates a fresh cryptogram every time it is used, so a captured transaction cannot be replayed, but a criminal with a reader within a few inches can still pull the static data the card discloses, such as the PAN and expiration date, which is enough for some card-not-present fraud. (The signal is weak and only readable from a short distance, which limits, but does not eliminate, the risk.)
And, even though your credit documentation is likely kept at home or in a credit app, there’s still the threat of theft from the paper trail or digital-document trail of PII connected to the credit card. This includes statements, bills and other communication mailed or digitally transmitted to the cardholder.
Issuers, Printers & PII
You don’t just get a credit card out of thin air. There are other players involved who will also have access to your PII for the application of the credit line as well as the creation of the credit card itself. Obviously, the financial institution and/or lender company that issued the line of credit and therefore the credit card to the cardholder also has full matching records (stored via print and/or digital media) of the cardholder’s PII to authorize and process card transactions.
What is often overlooked is the security printer that the financial institution and/or lender works with to produce the cards. Printing plates carry the card’s design, lettering and some of its security features; they do not hold individual cardholder data, but a leaked plate lets a counterfeiter reproduce the face of the card, so plates must be controlled and destroyed like any other security item. The PII ends up in the personalization consumables instead: the tipping foil used to top the embossed characters keeps a reversed impression of the PAN and name after use.
Proper Destruction of Credit Cards & PII Contained
It goes without saying that consumers must properly shred their expired credit cards and shred, pulverize or incinerate all paper documentation related to the card that contains PII. If the documentation is stored digitally, the data must be sanitized with a method that fits the media: overwriting (clearing) for hard drives that will be reused, degaussing for magnetic media such as hard drives and tapes (it does nothing to flash memory, SSDs or EMV chips, which have no magnetic field to erase), or physical destruction by shredding, melting, pulverizing, disintegrating or incinerating when the device is at end of life.
For a shredder, consumers should follow DIN 66399 at a minimum of level P-5 for end-of-life destruction of the card and its paper trail. P-5 limits each particle to a surface area of 30 mm² and a strip width of 2 mm (for example 2 x 15 mm). Paper shredded to this size is unlikely to be reconstructed even with special equipment.
The financial institution and/or lending institution should practice the same end-of-life destruction for its paper and digital records of the account information containing the consumer’s PII, and should ensure that its security printers apply the same standards to the printing plates and tipping foil used to create the consumer’s card. For these organizations the recommendation is DIN 66399 level 5 for every media class holding the PII: P-5 for paper and the corresponding level-5 class for digital media (for example E-5 for electronic media, H-5 for hard drives and T-5 for magnetic stripe cards).
PII Theft Prevention: Complying with Intergraf
In addition to practicing proper data and device destruction when printing plates and tipping foil reach end-of-life, the security printer should take preventive steps in how the cards and materials are produced. One way to do so is to operate as, or work only with, an Intergraf-certified security printer.
Intergraf is a European federation for print and digital communication that works to ensure the security of sensitive data in those media as they are created. Intergraf certification gives a security printer and its suppliers a clear structure of requirements and responsibilities, trusted security for printers and suppliers, a recognizable reference for governments and industries, prevention of forgery and counterfeiting, security from development to deployment, and increased customer confidence and satisfaction.
Intergraf has developed international standards for security printers and suppliers (e.g., CWA 14641, CWA 15374 and ISO 14298) that also direct how these organizations should destroy printing plates and tipping foil so they are unusable and unrecoverable. For instance, Intergraf stipulates that the destruction level for printing plates is DIN 66399 P-1, which allows particles up to 2,000 mm² in area or strips up to 12 mm wide.
Finding the Right Data Destruction Machine
SEM has both high-volume and high-security shredders that meet the DIN 66399 standards. It’s important to note, too, that SEM recommends on both consumer and commercial level that the machinery is purchased or leased and kept on-site with the consumer or organization. This ensures contact with the sensitive data is limited to only those authorized to receive it.
Destroying Metal Credit Cards – What’s the Difference?
Metal credit cards are becoming more and more common in today’s high tech environment. Originally reserved for the well-off, these flashy cards have become almost commonplace. Although they often offer the same functionality and benefits as their plastic counterparts, they all come with what’s called the “plunk factor”. Their heavier, sleek design and luxurious feel get you noticed when you plunk them down to pick up the check. However, this plunk factor gives the cards an added density and thickness that means they sometimes need to be destroyed differently than their plastic counterparts.
More Durable. More Information.
Increases in cybersecurity awareness and data breaches have led to a greater demand for better and more secure solutions to control credit information. The need to be able to destroy these heavier more durable cards has become more important than ever, with customers and companies alike looking for the safest and securest way to do so.
Metal cards today can be made of brass, copper, stainless steel, or composites of metal and plastic. Where data used to live only in the printing and the magnetic stripe, the push for more security has seen most major card producers add a chip that also stores sensitive data. So we have more durable cards with even more places holding sensitive data, and that data can still be read even after the card has expired.
How to Destroy: Shred or Disintegrate?
When it comes time to dispose of metal credit cards either due to expiration or possible fraud, credit card issuers will offer to send customers a pre-paid envelope to send cards back for destruction. Once returned, the credit card company is responsible for recycling or destroying the cards. The PCI Security Standards Council guideline for destruction is to destroy credit cards by “shredding or grinding such that the resulting material cannot be reconstructed”.
One method of destruction is with a heavy duty shredder capable of accepting different types of media including paper, CDs, credit cards, staples, and paper clips. The SEM model F65 cross-cut shredder with a capacity of up to 65 sheets per pass can be used for light volume of metal credit card shredding. It can effectively shred these cards into strips similar to shredded paper strips. Once shredded, there is little chance any of the information on the card can be accessed.
Another method of destruction for metal credit cards is a disintegrator. These machines use rotary knife mill technology to destroy a variety of bulk material. A disintegrator handles larger volumes of metal cards at higher capacities and can be fitted with screens for a specific particle size. Available with larger motors and customizable particle sizing screens, disintegrators like the SEM Model 1012 are designed for multiple applications where secure destruction at higher capacities is needed. Disintegrators offer greater assurance that the data-bearing elements (magnetic stripes and chips) are reduced to particles from which the stored information is no longer accessible.
Deciding between a shredder or a disintegrator can seem challenging. The proper solution should be based on the needs of the application. Material being destroyed, desired volume and throughput, particle size, and power requirements are all important factors to consider when selecting a destruction device. SEM has experience working with several different credit card manufacturers and various credit card types. If you would like to send us samples of the cards you need destroyed or want to visit us in person to view our capabilities, SEM is here to work with you to ensure your needs are met.
When you work in the secure printing industry, you’re working with Personal Identifiable information (PII) every day. Regulations like the Fair and Accurate Credit Transaction Act (FACTA), General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS), and Intergraf have changed the way that we handle and process paper, credit cards, printing plates, and more. So, with all these rules and regulations, are you taking every step necessary when these prints reach the end of their life and need to be securely destroyed?
You may feel that your company or organization is doing a good job destroying data because you have been breach-free and have had no major security problems. But threats to private data are constantly evolving and adapting to the controls in place. If you become the victim of a breach and word gets out, the following can happen:
– Loss of customers/clients and confidence in your business
– Fraud losses, legal costs, and fines/penalties
– Ultimately lose jobs and go out of business
A widely repeated figure holds that around 60 percent of small businesses that experience a breach close within a year. Whether or not that number holds up, the cost of a breach is real, so you need a plan in advance for destroying sensitive data correctly and efficiently.
Destruction Guidelines: What Do I Do?
A high quality data destruction shredder can be used for all documents containing PII. FACTA requires that discarded consumer information be rendered unreadable and unrecoverable; for paper that means shredding, pulverizing or burning. The NSA/CSS specification for paper goes further: a particle no larger than 1 mm by 5 mm, equivalent to DIN 66399 level P-7. A machine like the 244/4 High Security Paper Shredder meets that.
In Europe, GDPR requires more than secure destruction. Under Article 17, the “right to erasure,” an individual can ask a company to delete the personal data it holds on them, subject to the conditions in that article, and the company must act without undue delay and within one month (extendable for complex requests). GDPR sets no particle size for paper; it requires security measures appropriate to the risk (Article 32), and the 10 mm particle sometimes quoted as the “GDPR standard” is an industry rule of thumb rather than a requirement in the regulation. This Unclassified shredder list will meet that working target while letting you choose a model that fits your workload.
When a new credit card is produced, PII can be left behind before the card is even shipped. Printing plates used to print the card’s lettering, design and some of its security features are security items because a leaked plate can be used to counterfeit the card face, and the tipping foil used to personalize cards keeps the card numbers in the foil after use.
To protect client data, every part of the process must be properly destroyed, including the credit cards themselves. Intergraf, the European federation for print and digital communication, maintains a standard that is quickly being adopted in the secure printing industry. The most security-focused printers are choosing to become Intergraf certified as more clients ask that their information be properly handled and destroyed. The stated level for printing plates is DIN 66399 P-1, while for credit cards it is a minimum of P-5.
When you have a large load of cards to destroy, a machine like the 0201 OMD Optical Media Destroyer would be more than enough to securely destroy cards to a size no one could recover. If you need to destroy credit cards, tipping foil, and printing plates, we recommend using a machine like the 1012/5, which not only destroys all the materials listed, but also runs free of oil.
While the world around us likes to say that print is going away, the reality is that it’s not. The steps that you take today to prepare for the destruction of PII could not only save you money, but your entire job and company as a whole. Keep up to date with the latest standards and use high quality shredders to ensure that you maintain data securely and professionally for you and your clients.