Just How Much is That Data Worth?

Friday, September 7, 2012
posted by admin

PCI Compliance has become a much larger part of credit card processing these days and for good reason. Being compliant is now mandatory because of the increased risk a breach on your terminal/gateway/virtual terminal. Our PCI Compliance partner, JDS, recently wrote a great article about the dangers of non-compliance and what the hackers really want.

“On any given day, you’re likely to read about a data breach, whether it involves credit card data, personal data, or medical data. So far this year, several big-name companies, including Global Payments and Zappos, have made headlines when it was announced that credit card information had been breached. Just this week the FBI disputed a claim made by a group of hackers who claim to have stolen personal identification data on millions of Apple device owners from an FBI agent’s laptop.

All of this activity begs the question – just how much is the data worth? The answer depends on who stole it, and why. Some hackers do it simply because they can, it’s a cyber game. Others, known as “hacktivists,” target specific companies to prove that their security is inadequate. In both of these scenarios, financial gain is not the goal.

It’s the third type of hacker, the criminals who make their living by selling stolen credit card data, that present the greatest financial risk to merchants and cardholders.

According to Chester Wisniewski, a Senior Security Adviser at United Kingdom-based computer security firm Sophos, these criminals tend to make their money by selling data in bulk to other criminals, known as “carders” – defined as someone who buys, sells and trades stolen credit card data online.

Stolen credit card data commands different prices, depending on the amount and type of information the hacker has illegally obtained. “Each piece of information stolen in a breach has a different value,” says John Harrison, Group Product Manager for endpoint threat protection, security technology and response at Symantec, based in Mountain View, Calif.

A 2008 Symantec study found account numbers paired with expiration dates and card verification values were sold for anywhere from $.50 to $12.00, with packages ranging in size from five to 500 accounts. By comparison, card data without the expiration dates and card verification values were sold for approximately $.10 per piece. Pricing also varies depending on how soon a card will expire, and whether there is other personally identifiable information available for the card.

At these rates, it’s easy to see why hackers target companies the size of Global Payments and Zappos. Clearly, it’s a volume based “business”.

More often than not, the real money is made by the carders who purchase the stolen credit card data. The cards are used to purchase high-ticket items, which are then sold on online auction sites, generating virtually 100% profit to the carder. In the end, it’s impossible to say just how much that data is worth.”

Leave a Reply

You must be logged in to post a comment.