6 Ways Hackers Can Steal Your Customers’ Credit Card Data

“Security” Is Relative

[Image: Mobile phone payment. © Depositphotos – Sinisa Botas]
Here’s a harsh truth about digital payments: if your small business accepts credit cards, then you’re at risk of a credit card data hack. No matter how cautious you are, or how current your technology is, there is no 100% secure system for credit card processing. This is a fact of life that merchants must confront in an increasingly digital marketplace. Credit cards offer convenience and encourage customers to spend more, but the threat of fraud or a data breach looms over every single transaction.

Some products, however, are more vulnerable than others. And while you can’t possibly defend against every hacker’s assault on your point of sale system, there are a handful of common vulnerabilities that you can protect yourself from by taking some simple preventative measures. Below, we’ve gathered six of the most common hacking methods that fraudsters use to steal credit card data. We’ve also listed some basic steps you can take to insulate your credit card processing software and hardware from these types of attacks. By learning about and planning for these hacking methods, you can protect your customers’ credit card information from most general breaches.

1. Installing malware on an internet-enabled device connected to your POS system

The internet’s an invaluable tool for business owners. It makes e-commerce possible, it opens up entirely new advertising channels, and it is the central component of cloud-based business services. But the internet is also the most likely source of malicious viruses and scams waiting to worm into your business. If you use a virtual terminal on your desktop computer, payment processing software on your iPad, or any other point-of-sale hardware that connects to the internet, then you have an access point through which a hacker can infiltrate your payment environment. The most common method used by scammers is to deceive merchants or their employees into clicking a link that downloads malware onto their computer. From there, they can access the payment information that passes through that computer’s local network.

What you can do to prevent it:

  • Restrict internet access on POS-connected devices. No casual browsing should be conducted on these devices, including the sending or receiving of e-mail.
  • Install firewall and anti-virus software and run it regularly. This is a good practice for any internet-enabled device at your business, but it’s especially necessary for devices that handle sensitive customer data.
  • Provide proper training on responsible web browsing. You may feel like you know how to avoid viruses online, but don’t assume the same about anyone else who has access to the device. Make it clear that internet-connected devices come with a higher burden of responsible conduct, and encourage people to inform you if they accidentally encounter something suspicious in the system.
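The first bullet above can be turned into a simple detection rule: if POS-connected devices are only supposed to reach your payment processor and your POS vendor's update server, then any other outbound connection from one of them is worth an alert. The following Python script is an added illustration, not code from the article or from any POS vendor. The device inventory, the allow-listed host names and the log lines are all constructed for the example; in practice the allow-list would come from your processor's documentation and the log from your firewall or proxy.

```python
"""Flag outbound connections from POS devices to hosts outside the allow-list.

Added illustration for the article's advice to restrict internet access on
POS-connected devices.  Inventory, allow-list and log lines are constructed.
"""
import re
from collections import defaultdict

# Constructed inventory: internal addresses of POS-connected devices.
POS_DEVICES = {
    "10.0.5.10": "front-register",
    "10.0.5.11": "back-office-terminal",
}

# Constructed egress allow-list: the only destinations a POS device should reach.
ALLOWED_DESTINATIONS = {
    "gateway.example-processor.test",   # payment processor
    "updates.example-pos-vendor.test",  # POS vendor software updates
}

# Constructed log lines in a simple "timestamp src dst:port action" shape.
SAMPLE_LOG = """\
2024-03-01T09:01:12 10.0.5.10 gateway.example-processor.test:443 ALLOW
2024-03-01T09:02:40 10.0.5.10 mail.example-webmail.test:443 ALLOW
2024-03-01T09:03:05 10.0.5.11 updates.example-pos-vendor.test:443 ALLOW
2024-03-01T09:04:59 10.0.5.11 cdn.example-social.test:80 ALLOW
2024-03-01T09:05:30 10.0.9.20 cdn.example-social.test:80 ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def find_policy_violations(log_text, pos_devices=POS_DEVICES, allowed=ALLOWED_DESTINATIONS):
    """Return (timestamp, device_name, destination) for every connection a POS
    device made to a host that is not on the allow-list.  Non-POS devices are
    ignored: the rule is about the payment environment, not general browsing."""
    violations = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] not in pos_devices:
            continue
        if rec["dst"] in allowed:
            continue
        violations.append((rec["ts"], pos_devices[rec["src"]], rec["dst"]))
    return violations


def summarize(violations):
    """Group violating destinations by device, which is what you would review."""
    by_device = defaultdict(set)
    for _ts, device, dst in violations:
        by_device[device].add(dst)
    return dict(by_device)


if __name__ == "__main__":
    for device, hosts in summarize(find_policy_violations(SAMPLE_LOG)).items():
        print(f"{device}: unexpected destinations {sorted(hosts)}")
```

Note that the firewall already allowed these connections (every sample line says ALLOW); the check finds policy gaps after the fact, which is exactly the case where someone used a POS-connected device for webmail or browsing. The same list of allowed hosts is what you would put into the device's outbound firewall rules so the connections are blocked rather than merely logged.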

2. Taking advantage of weak passwords and single-factor authentication

Everyone’s heard this advice by now, but it bears repeating: use a strong password. If you use a password like “1234,” “0000,” your business’s name, or your own name, then you might as well not have a password at all. In addition, many point-of-sale products are installed by the provider with default passwords already set up. These default passwords make it easy to demo the product or train installers, but they are incredibly easy for hackers to get hold of.

What you can do to prevent it:

  • Create a strong password and change it frequently. There are plenty of apps that will randomly generate complex passwords for you and store them for later access.
  • Enable multi-factor authentication. Multi-factor authentication is a fancy term that refers to requiring the user to use multiple forms of verification when logging in. For instance, you might have to enter a username and password as well as a code that is texted to your phone number.
  • Try not to share usernames. Managing a dozen different user accounts for your employees can be a hassle, but giving your employees access to a shared master account is a recipe for a data breach.
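The three bullets above are easy to check mechanically if your POS back office can export its user list. The Python script below is an added illustration, not code from the article or any POS vendor: it flags accounts whose password is a known default, is built from the business or owner name, is too short or digits only, accounts without multi-factor authentication, and accounts that more than one person uses. The account records, the weak-password list and the minimum length are constructed or assumed for the example.

```python
"""Audit point-of-sale user accounts for default or guessable passwords,
single-factor logins and shared usernames.

Added illustration, not the article's or any vendor's code.  The sample
accounts and the weak-password list are constructed; MIN_LENGTH is an
assumed policy value.
"""

# Constructed: the passwords the article names, plus a few vendor-style defaults.
KNOWN_WEAK = {"1234", "0000", "password", "admin", "123456"}
MIN_LENGTH = 12  # assumed policy value


def _alnum(text):
    """Lower-case and keep letters and digits only, so "Joe's Diner" matches "joesdiner2024"."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def password_weaknesses(password, business_name="", owner_name=""):
    """Return the reasons a password is weak; an empty list means it passes."""
    reasons = []
    if password.lower() in KNOWN_WEAK:
        reasons.append("known default/common password")
    for label, name in (("business name", business_name), ("owner name", owner_name)):
        if name and _alnum(name) in _alnum(password):
            reasons.append(f"contains {label}")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        reasons.append("digits only")
    return reasons


def audit_accounts(accounts, business_name="", owner_name=""):
    """accounts: dicts with username, password, mfa_enabled and used_by (staff list).
    Returns {username: [finding, ...]} for every account with at least one finding."""
    findings = {}
    for acct in accounts:
        issues = password_weaknesses(acct["password"], business_name, owner_name)
        if not acct.get("mfa_enabled", False):
            issues.append("multi-factor authentication disabled")
        users = acct.get("used_by", [])
        if len(users) > 1:
            issues.append(f"shared by {len(users)} people")
        if issues:
            findings[acct["username"]] = issues
    return findings


# Constructed sample export from a hypothetical POS back office.
SAMPLE_ACCOUNTS = [
    {"username": "admin", "password": "1234", "mfa_enabled": False,
     "used_by": ["alice", "bob", "carol"]},      # untouched vendor default, shared login
    {"username": "manager", "password": "JoesDiner2024", "mfa_enabled": True,
     "used_by": ["alice"]},                      # long enough, but built from the business name
    {"username": "cashier", "password": "gX7!mq2#Lw9$tR4v", "mfa_enabled": True,
     "used_by": ["dana"]},                       # passes every check
]

if __name__ == "__main__":
    for user, issues in audit_accounts(SAMPLE_ACCOUNTS, "Joe's Diner", "Maria").items():
        print(f"{user}: " + "; ".join(issues))
```

The "manager" account shows why length alone is not enough: a thirteen-character password that is just the business name and a year is one of the first things a guesser tries. The "admin" account collects every finding at once, which is what an untouched installer default shared among staff looks like in practice.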

3. Targeting known vulnerabilities in outdated software

Even the best payment processing software has chinks in its armor, which is why most reputable providers offer ongoing patches and software updates to counter potential or reported threats. Merchants, on the other hand, are notorious for failing to update their software in a timely fashion. Some even refuse to accept updates out of a concern that the updated version will require retraining or will be incompatible with older hardware. The longer a piece of software has been in use, and the more widely it is used, the higher the probability that hackers have identified ways to exploit it.

What you can do to prevent it:

  • Set your software to automatically update itself. Some POS providers are starting to require merchants to accept automatic updates, but you will likely have to enable this feature yourself.
  • Ensure that the software on your conventional computers has the latest security patches installed at all times and consider upgrading your operating system once you fall two or three cycles behind. As discussed above, any device that uses the same internet connection as your POS system opens a door into that POS system.
  • Take any reported vulnerabilities seriously. Whether you hear it from the news, from another merchant, or (preferably) from your POS provider, act quickly to insulate your system from breaches as soon as you learn about them.

4. Using remote access scams

“Remote access” refers to a method by which someone at an off-site computer connects to your computer’s network and accesses your devices as though that person were on site. Remote access can be a useful tool for customer service representatives in the event that a merchant is unable to correctly diagnose a technical issue. However, it is also a very easy way for scammers to gain total access to your system. Most hackers will either pose as customer service representatives and contact you to provide “assistance,” or they will obtain access to other merchants served by your provider and use their login information to access your computer.

What you can do to prevent it:

  • Do not enable remote access unless it’s the absolute last resort. Enable it only in the rare cases when your POS provider requires it for a specific session; it should never be left permanently active.
  • Demand that your provider issue you a unique username and password for remote access sessions. That way, if another merchant’s remote access information is compromised, yours won’t be.
  • Verify the identity of anyone you allow to remotely access your computer. Make sure you contacted your provider to initiate the session, and get the name and contact information of the specific representative you work with.

5. Selling compromised hardware

The cost of point-of-sale hardware is sometimes higher than merchants expect for such a simple device. On top of that, a large number of unscrupulous providers have made it standard policy to dupe merchants into signing four-year, non-cancellable equipment leases that eventually cost up to ten times the retail price of the hardware. It’s no surprise, then, that merchants will occasionally turn to the secondhand market to find refurbished or gently used machines for purchase. Unfortunately, it’s possible for hackers to preload these devices with malicious software that relays every transaction’s details directly to them. The machine will appear to be perfectly functional even though it is sending off your customers’ data with every swipe.

What you can do to prevent it:

  • Whenever possible, try to purchase brand new point-of-sale equipment directly from the manufacturer. A quality EMV terminal can usually be purchased for less than $300, although higher-end models may cost more.
  • Do not buy used equipment from unvetted sellers. Even the business’s former owner or a friend of yours could pass along compromised equipment without knowing it. Stick to the hardware suppliers themselves (for refurbished goods) or third-party vendors recommended to you by your provider.
  • Send back any equipment that seems to have been tampered with. If your terminal behaves erratically or has visible signs of modification, don’t hesitate to return it and ask for a functional unit.

6. “Skimming” card data directly from the hardware

The simplest and boldest way for a hacker to steal your data is to directly install a “skimmer” on your point-of-sale hardware. A skimmer is a small device that attaches directly to a credit card terminal or other point-of-sale product and collects all of the card data that is swiped through it. The hacker can then return to the location after a business day, collect the skimmer, and pull all of the relevant information from it with ease. A skimmer must be physically installed on a device in order to work, so it is most viable for types of hardware that aren’t closely monitored, such as ATMs or self-checkout stations.

What you can do to prevent it:

  • Maintain tight security in areas containing payment equipment. If your employees have to hand the device to customers during the checkout process, train your employees to keep an eye on how the equipment is handled.
  • Occasionally examine devices for unexpected alterations. The areas to check are the magnetic stripe reader channel, the EMV chip insertion slot, and any jacks or inputs that should normally be empty.
  • Consider security cameras near self-service areas. Scammers may be less likely to tamper with machines if the entire act is visible on camera.


Even One Layer Of Security Could Be Enough

In general, hackers typically cast a large net of potential victims and then whittle down their targets depending on how much money they think they can steal or how easy the theft will be. If you’re a small business owner, then you’re already a less desirable target than a corporation like Target or Home Depot. And as long as you take basic security measures to avoid these common scams, you’ll be a harder target than a completely unsecured system. In that way, credit card security isn’t too different from home security. Your house doesn’t have to be impossible to break into. It just has to be harder to break into than every other house on your block.

Copyright © 2024 CardPaymentOptions.com, Inc.