Cautionary tales abound regarding the protection of payment data – credit and debit cards, and ACH (or banking) information. Bad guys are seemingly around every corner looking for ways to steal data. It’s easy to believe that stealing payment information requires a great deal of technical knowledge and a lot of time. One is almost tempted to envision the old Spy vs. Spy cartoons in Mad Magazine. (The picture to the left is The White and Black Spy, from Antonio Prohias’ Mad Magazine comic strip.) Unfortunately, sometimes the low-tech scams still work the best.
Social engineering is still one of the most effective ways of stealing sensitive data. According to Wikipedia, “Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information.” In other words, worm your way into someone’s confidence and you can convince them to give up critical information. In the context of payments, this may take the form of someone telling you that they are calling to help you with your merchant account and can quickly troubleshoot an issue (that you may or may not be experiencing) if only you’ll provide your merchant ID and password. The thief can now access your merchant account at will and doesn’t have to resort to any technical wizardry to do so. They can process stored cards for payments to your merchant account, which would result in angry customers and multiple chargebacks.
Another common scam is the “skimmer.” In this scenario, someone who has access to the card terminal or card swipe device replaces the card reader with a “skimmer,” which duplicates the card information so that it can be downloaded or sent to another individual. The information can then be sold or even used to make counterfeit cards. Skimming is most commonly seen in restaurant environments, where servers have access to cards and are often able to take those cards out of the line of sight in order to process the payment. Here is an example of a skimming ring that was fairly successful.
These are just a couple of the methods used by data thieves to misappropriate financial data. Of course, the most reliable way to ensure that you don’t fall victim to a data thief intent on gathering your customers’ financial data is simply not to store it.




