Credit Cards & Identity Theft: There’s More Exposure Than You Might Think

August 19, 2019 at 12:23 pm by Paul Falcone

Beyond convenience, credit cards can also provide the cardholder with the ability to build credit (which is necessary for major purchases like buying a home or car) as well as to earn rewards and cash back. However, credit cards can also pose a major threat for identity theft, and likely in more ways than most realize.

Credit Cards & PII

Do you have a credit card? If so, take it out and look at it for a moment. From a glance, there’s a host of obvious Personally Identifiable Information (PII) that’s printed right on it—your name as well as the primary account numbers (PAN), which include the card number, CVV code and expiration date. This PII is certainly sensitive data and in the wrong hands could be used for credit fraud and identity theft.

However, there is also PII contained on your card where you might not think of it. For instance, PII data such as card holder name, service code, expiration date, CVV code and PIN numbers are also stored in the magnetic stripe of the card. Another unseen piece of technology within your credit card that holds the same PII data is an RFID chip. The only way to tell if your card has an RFID chip is if it has the words “Blink,” “PayPass,” or “PayWave” on it, or else a symbol that looks like a Wi-Fi signal turned 90 degrees clockwise.

RFID chips provide further cardholder convenience by allowing payment to occur simply by tapping the card on a pad near the terminal instead of inserting the card into a reader. Even though security codes for your RFID chip are generated every time you use it, it only takes one time for a criminal with the right equipment to intercept your RFID chip communication as you perform a payment transaction and steal all of this sensitive information. (Although the RFID signal is very weak and can only be read from a short distance of a few inches.)

And, even though your credit documentation is likely kept at home or in a credit app, there’s still the threat of theft from the paper trail or digital-document trail of PII connected to the credit card. This includes statements, bills and other communication mailed or digitally transmitted to the cardholder.

Issuers, Printers & PII

You don’t just get a credit card out of thin air. There are other players involved who will also have access to your PII for the application of the credit line as well as the creation of the credit card itself. Obviously, the financial institution and/or lender company that issued the line of credit and therefore the credit card to the cardholder also has full matching records (stored via print and/or digital media) of the cardholder’s PII to authorize and process card transactions.

What is often overlooked is the generator of the credit card, the security printer company that the financial institution and/or lender works with to create the cards. A printing plate unique to the cardholder is used to create the design, lettering and even some security features that are printed onto the card. This means the printing plate contains a copy of your PII. And the tipping foil that’s used to personalize cards can also have PAN left on the foil after it’s been used.

Proper Destruction of Credit Cards & PII Contained

It goes without saying that consumers must properly shred their expired credit cards and shred, pulverize or incinerate all paper documentation related to that credit card that contains PII. If the documentation is stored digitally, the data and the device need to be properly destroyed via software or hardware to clear the data and by overwriting non-sensitive information, or by degaussing the media and rendering the magnetic field permanently unusable, and by destroying the media by shredding, melting, pulverization, disintegration or incineration.

SEM EMP1000-HS Degausser

For a shredder data destruction machine, consumers should follow DIN Standard 66399, at a minimal Level P-5 for the end-of-life destruction of the credit card and ensuing paper documentation. Shredding at P-5 standards ensures the final particle size has a maximum cross-cut surface area of 30mm2 with a maximum strip width of 2mm, or 2x15mm. Shredded data at this size is unlikely to be reproduced even with special equipment.

The financial institution and/or lending institution should practice the same proper end-of-life destruction with their paper and/or digital record trail of the account information containing the consumer’s PII. The financial or lending institution should also ensure that their security printers practice the same standards for the end-of-life destruction of the printing plates and tipping foil used to create the consumer’s card. For these organizations, it’s recommended that they follow DIN Standard 66399 Level P-5, whether it’s for paper or digital media that stores the PII attached to the card and line of credit.

PII Theft Prevention: Complying with Intergraf

In addition to practicing proper data and device destruction when the printing plate and tipping foil reach end-of-life, the security printer should take preventive steps in the creation of the cards and the materials used. One such way to do so is for the security printer to use only printing machinery that’s Intergraf-certified.

Intergraf is a European-based federation for print and digital communication which works to ensure security of the sensitive data stored within those mediums as they’re created. An Intergraf-certified security printer machine provides: a clear structure of requirements and responsibilities, trusted security for printers and suppliers, recognizable reference for governments and industries, prevention of forgery and counterfeiting, maximum security from development to deployment and increased customer confidence and satisfaction.

Intergraf has developed an international standard for security printers and suppliers (.e.g CWA 14641, CWA 15374 and ISO 14298) that also help to direct how these organizations should destroy the printing plates and tipping foil to render them unusable and irrecoverable. For instance, Intergraf stipulates that the destruction standard for printing plates is DIN 66399 P-1, which renders the particle size to a maximum surface area of 2,000mm2, or 12mm strips.

Finding the Right Data Destruction Machine

SEM has both high-volume and high-security shredders that meet the DIN 66399 standards. It’s important to note, too, that SEM recommends on both consumer and commercial level that the machinery is purchased or leased and kept on-site with the consumer or organization. This ensures contact with the sensitive data is limited to only those authorized to receive it.