A few times a year, customers reach out to alert us that a credit card they used for a purchase at HolidayCoro was later used fraudulently.
This article explains the points at which credit card information can be stolen and what can be done about it. Typically there are two questions:
- My card was compromised and I want to let you know so you can fix the problem
- I want to know what you can do to resolve the fraudulent charge

We will start with the methods by which card information can be obtained, as there are often many more places than most people realize. Note that this does not mean that any one specific method was used:
- At the card issuer - typically this is either the bank (Chase, Bank of America, Bank of Omaha, etc.).
  - Access methods - During the physical production of the card or through access to databases containing the card information.
  - Solution - None; bank card customers have no control over this process.
- During transit - via postal or other carrier.
  - Solution - Carefully inspect any package or envelope that the card was sent in.
- During storage of the card - this can be someone with physical access to the card.
  - Solution - Keep the card in a secure location when not in use.
- During entry of the card number on a computer - this is believed to be the most common method of card number theft. Malware installed on a customer's PC can filter for specific patterns and page content, then harvest this information and send it over the internet to a hacker-controlled server.
  - Solution - It is absolutely necessary to have an anti-virus / anti-malware application installed. Additionally, be aware that browser "add-ins" or "search bars" can go undetected by many common anti-virus applications.
- During transmission of data (wireless connections only)
  - Solution - Make sure to never use a "public wifi" connection when purchasing online. Even with SSL encryption, it is possible to intercept the data if the "man in the middle" has control over the network connection, or through fake pages.
- During use or storage of the credit card information at Volusion
  - Volusion is the company that HolidayCoro uses to run our e-commerce store. HolidayCoro has zero control over programming, code, APIs, interfaces or any other programmatic function of the software. As such, there is nothing HolidayCoro can do to secure a card, as we can NEVER see card information other than the last four digits of the card.
  - Volusion is PCI 2.0 certified - PCI certification is a requirement of the card issuers (Mastercard, Visa, etc.). You can learn more about Volusion's certification here:
- During use or storage of the credit card information at PayPal
  - HolidayCoro uses PayPal as our back end credit card processor, even if you do not use PayPal as your payment method.
  - You can read about PayPal's PCI compliance here:
- If the card has ever been used on a website other than HolidayCoro, then the number of exploitable points increases dramatically and it becomes even harder to determine the root cause of the exposure, as each vendor and their processing network could be hacked.

As shown above, there are many ways cards can be compromised. That said, here is what we recommend:
- If your card issuer / bank has a smart phone app, we recommend downloading it. Often these applications will allow you to "decline" or "approve" purchases just made, purchases over a certain amount, or purchases from other countries.
- Absolutely ensure that your computer does not have any malware or viruses, as this is the #1 source of stolen cards when used online.
- Dispute any charges as soon as possible with your bank / issuer. Many allow you to file disputes through their smart phone apps or online service.