Why Are Credit Card Numbers Leaking?

The most interesting type of data for cybercriminals is undoubtedly credit card data.

For precisely that reason, a dedicated standard exists – PCI-DSS – created and observed by the payment card industry. The PCI DSS standard is pretty thorough and aims at increasing the security of systems that work with credit card data (or, as it is named in the standard – cardholder data).

Unfortunately, that has not been enough to stop data breaches. In fact, it turns out that card-not-present attacks are on the rise. But how is that happening? How are credit card numbers leaking?

Security Measures Companies Take To Protect Cardholder Data

Let’s first discuss the measure that most companies utilize in order to protect their cardholder data – tokenization. Tokenization is replacing the cardholder data with a meaningless token in order to allow storing it in less secure environments. It might be an unpopular opinion, but tokenization is not a security measure, it’s a compliance measure that simply lets you have only part of your databases PCI-DSS certified. It does reduce the attack surface and therefore the compliance surface. There’s also the so-called “stateless tokenization” which allegedly doesn’t store the mapping between the token and the credit card number and instead transforms it on the fly. Unfortunately, that’s in many cases either just marketing or format-preserving encryption, which is weaker than general-purpose encryption.

Tokenization is great for e-commerce, as any website can use a payment provider without working with cardholder data itself, but this is just shifting the security measures to a more protected environment. However, within that environment, data breaches are still possible, especially if PCI-DSS audits are done “on paper”.

Cardholder Security Breaches That Are Often Neglected

Other ways that credit card data can leak circumvent the need to breach the secure cardholder environment and try to get the data before it is sent there. So let’s see a couple of ways that cardholder data can leak:

  • Insiders – privileged insiders with access to the token-to-cardholder data database are well-positioned to exfiltrate the data. Numerous measures exist in PCI-DSS to prevent that, including logging, but in reality, a knowledgeable insider can tamper with the logs and cover their tracks and/or block the connection for the log collector. It’s not always possible, of course, but some breaches happen exactly due to privileged insiders.
  • Server malware – server malware can do what the privileged insider can. It “only” has to get there. That’s hard, but through a combination of unpatched vulnerabilities, stolen credentials, and a lack of sufficient monitoring, sophisticated malware can get in. That’s rarely employed in reality, but it’s worth mentioning
  • Cardholder data in logs – occasionally some developer makes a mistake that gets past review and thousands of credit card numbers end up in logs files. Log files are much less protected than the cardholder database, so attackers can look and sometimes find credit cards in logs files.
  • Formjacking – if they can’t get in a secure environment, criminals try to collect credit card data before it enters there. The so-called “magic art” attacks use script injection (via compromised static resources) to collect the data as the user is typing it.
  • Phishing – why to bother even attacking a legitimate website when you can impersonate it, send a few hundred thousand emails, and collect cardholder data. This is typical with online banking related phishing – attackers send phishing emails, claiming that the user has to update their online banking profile. However, instead (or in addition) to their credentials, users are asked for their credit card details. And unfortunately, that works.
  • Client-side malware – attackers can scrape credit card info not only by compromising website static resources – they can scrape it by using keyloggers. As with phishing, this is entirely a user issue – companies can do very little to prevent that from happening

All of these would be a much smaller issue if 3D secure passwords were widespread. They are effectively a method of 2-factor authentication which adds “something you know” or even “something you have” to the mix, which makes knowing the credit card number and CVV/CVC useless on their own. But the usability aspect of the 3D password is one of the reasons for lower adoption.

What’s The Ultimate Way To Prevent Cardholder Data?

There is no single way to prevent cardholder data breaches. It would certainly help if the data was per-record encrypted, like we do in SentinelDB, in addition to being tokenized, so that even if a malicious actor (insider or outsider, manually or through malware) got access to the database, or to a backup lying somewhere unprotected, the data would be useless. And malicious insiders may be less tempted to dump the data if they could not cover their tracks by tampering with logs. But those measures alone do not protect you from form jacking or phishing your customers. Breach protection requires a holistic view and the appropriate tools at each stage.


How LogSentinel SIEM Reduces The Cardholder Data Breach Risk?

Insiders threat prevention

With LogSentinel SIEM, you have a unified dashboard for real-time control and insight about your employees’ activities. This way you can minimize insider threat risk at reduced operational cost, and also minimize effort on audit, forensics and fraud detection.

Threat detection

LogSentinel SIEM can prevent malware with brute force monitoring and anomaly detection. LogSentinel discovers anomalous insider behaviour and measures risks based on rules and machine-learning

Cardholder data in logs

Even if someone occasionally makes a mistake and allows cardholder data in logs, LogSentinel SIEM ensures full privacy of logs. All logs are being encrypted, not allowing any cardholder data leakage through there.

Website Integrity Monitoring for Website Formjacking (Magecart) Protection

To prevent companies from form jacking attacks, LogSentinel SIEM has a dedicated integrity monitoring module that alerts you for any script changes without the need for any additional setup on your website. Get your site protected from form jacking at reduced operational cost, and minimise the efforts on audit and forensics. LogSentinel SIEM will automatically detect any script change anomalies, helping you to discover anomalous script changes with malicious payloads in real-time and react immediately to prevent damage.

As LogSentinel’s script monitoring module only monitors the frontend, it can be used for any website, regardless of the technology.

Phishing Detection and Prevention

Connect LogSentinel SIEM to your exchange/email server and get instant notification and automated response to phishing attacks using sophisticated detection techniques.  


Honeypots are a beneficial cyber defence tool especially for fields working with high volumes of sensitive data such as credit card data. They are able to carry dangerous attacks and also allow you to analyze new types of security threats.

The LogSentinel SIEM Honeypot is a useful addition to our threat intelligence capabilities and allows for detecting early threats as well as collecting malicious actor behaviour data. By mimicking real servers, LogSentinel Honeypot collects data for potential attackers and helps companies prevent data breaches.

With LogSentinel SIEM you get a strong set of compliance features as well a great cybersecurity solution. With LogSentinel SIEM you can demonstrate compliance at reduced operational cost and minimal effort on audit, forensics and fraud detection.

Interested to hear how LogSentinel SIEM helps companies to protect cardholder data? Click the button below and book a demo with us today:


Like this article? Share it with your network!