39

I was recently the victim of credit card fraud and I suspect it is from a merchant somewhere keeping track of my credit card details.

I cancelled the card and received a new one, but I would like to make it as difficult as possible for criminals in brick-and-mortar stores to copy my card details.

What parts of the credit card can I save to a password vault and obscure by scratching over/off and still have it be valid?

Ellie Kesselman
  • 488
  • 4
  • 20
8bitme
  • 493
  • 1
  • 4
  • 6
  • 8
    I had a very similar experience a few years ago. My takeaway was that I will not use my credit card any place where they have to record my details because their "card reader is broken" or anything else like that. At this point if I can't use the chip on the card then I won't shop there. I also highly prefer places I can use Apple Pay (any alternative service like PayPal is also a benefit). – Todd Wilcox Feb 18 '18 at 00:38
  • 22
    I adopt a contrary position: I assume that theft, or information-leakage, of my credit-card information is inevitable and will simply cancel my card as soon as I see unauthorized activity. The charge will never hit my bank account anyway, it's the CC company's problem, not mine. Of course this doesn't work as well for debit-cards, but there are very few reasons to use a debit-card over a credit-card. – Dai Feb 18 '18 at 02:16
  • 11
    Look into [Virtual Credit Cards](https://www.creditkarma.com/credit-cards/i/virtual-credit-card/). You can create a throwaway number with a transaction limit and time limit for dealing with an unknown vendor/merchant, you can also set a limit of recurring billings. Don't expose your real CC: number to untrusted people/merchants. – smci Feb 19 '18 at 00:50
  • 1
    @TheD you should make that an answer (especially since that's what I do). – RonJohn Feb 19 '18 at 16:30
  • The other day I saw a credit card that had just a magnetic strip and nothing else. The reason for its assistance was the strip on the primary card had been damaged so a second card was made. (The primary's chip still worked and it was cheaper to make one w/o a chip.) – Joshua Feb 19 '18 at 20:15
  • I don't know about where you live, but here in Italy most people do not have CC's but use prepaid cards (usually Mastercard) instead. They can ben enabled/disabled via web banking or a mobile app, so you can activate them only when you want to pay something. – Andrea Lazzarotto Feb 19 '18 at 20:43
  • Credit cards are practically a disposable commodity now-a-days. Get yourself two cards; one in storage and one for everyday use. When the everyday use one is compromised (watch your statements like a hawk) then get the bank to issue a new one and use the storage card in the meantime. A few years back there was a [huge breach at Target](http://techland.time.com/2013/12/19/the-target-credit-card-breach-what-you-should-know/) and there is literally nothing that **you** as a person could have done to avoid being affected unless you were simply not a Target shopper. – MonkeyZeus Feb 20 '18 at 13:47

6 Answers6

66

If you deface a credit card, you are likely to find it will be rejected for all transactions. The merchant really needs all the info on the card to be valid - it's part of how they protect themselves from fraud.

So my answer would be: none!

Instead of worrying about that, concern yourself more with how the merchants handle your card. In the UK, for example, a customer never needs to let go of the card in most stores now, as contactless is almost ubiquitous. But if you have to hand over your card, watch it like a hawk. Handheld terminals brought to you are safer than letting someone take your card away.

And remember, if the merchant commits fraud, your bank will reimburse you so it's not the end of the world.

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/73469/discussion-on-answer-by-rory-alsop-which-parts-of-a-credit-card-can-i-obfuscate). – Rory Alsop Feb 21 '18 at 10:02
52

I put a small sticker over the CVV to avoid it being casually seen. The CVV is the three-digit code on the back of the card beside the signature, needed when you buy things on the Internet but not otherwise. A merchant who takes your card and checks the signature can easily remember the three digits, and I think this was what happened the one time my credit card details were abused.

Not having the CVV visible doesn't prevent normal operations, and I can remember it easily. I chose not to scratch it out since it is actually etched into the card, and scratching it to the point of illegibility would have noticeably damaged the card. The sticker would be easy to scratch off if I ever needed to. Nobody has ever asked me to... but I have a European card, I use chip-n-pin, I cannot remember anyone ever looking at the back of the card since the incident where I think my details were stolen.

Law29
  • 721
  • 1
  • 5
  • 10
  • 1
    This is the one thing that seems feasible to do to a card that's both reversible, not likely to have your card seen as fraudulent, and feasible to do for in-person transactions. Of course, you still need to know the number for online/phone transactions, but it can be stored elsewhere. – Bobson Feb 18 '18 at 00:34
  • In Australia at least, you need to tell the operator your CVV when making over-the-phone payments as well. So it's not specific to the internet... – Shadow Feb 18 '18 at 22:32
  • 1
    One thing to note though, CVV is not necessarily required for online purchases, it's the merchant who chooses whether to request CVV as an additional security measure or not (Amazon, for instance, only needs your card number, name and expiration date). – Dmitrii Erokhin Feb 19 '18 at 08:54
  • 3
    I always scratch the CVV on my cards. I find it pretty easy to make it unreadable without damaging the card. Since it is required pretty much everywhere, I think it significantly reduces the likelyhood of fraudulent use. (From previous comment, Amazon doesn't require it, which is a significant hole in this assertion...) – Jérôme Feb 19 '18 at 10:55
  • 1
    FWIW, I had first-hand experience with scratching CVV off several cards, in all cases I had to scratch them really deep to remove all traces of carving, but that did not damage the cards (they were functioning correctly in all places I needed). But if it just looks bad after scratching, one can _also_ put on some tape _afterwards._ – Display Name Feb 19 '18 at 18:47
  • Thanks for the confirmation @SargeBorsch! In comparison to a sticker, physically scratching off the CVV is only useful when the card is stolen, but once the card stolen, having the CVV leaves more options for the thief. I'm not going to recommend damaging the card, but I *will* admit I was going to do so until I saw how deeply the number was etched in. – Law29 Feb 19 '18 at 21:15
8

The better answer is to use Virtual Credit Cards. You can create a throwaway number with a transaction limit and time limit for dealing with each unknown vendor/merchant, you can also set an amount limit on recurring billings. Check what virtual CC setup either your CC vendor (Mastercard, Visa) or issuing bank (BoA, Citi) has. Check the amount of time to setup each VCC number, the ease of setup (website/app?), the minimum time it can be alive for.

Don't expose your real CC number and CSC to untrusted people/merchants. That's a more scalable solution than exposing it. Even now that the US is belatedly moving to smartchip technology, decades behind other countries.

smci
  • 203
  • 1
  • 7
  • 1
    Discover used to have VCCs, but sadly, they did away with them some time back. – Michael Feb 19 '18 at 17:52
  • 1
    VCCs are just a number for online use though, this doesn't apply to in-person transactions like the question is about. – Kevin Feb 20 '18 at 16:31
  • @Kevin: yes, but the title didn't say "card-present transactions" or "in-person" or "brick-and-mortar store". This does answer the general question in the title. – smci Feb 20 '18 at 23:30
6

The way you phrase your question seems to indicate that you think it's a bad apple at a merchant who is stealing your credit card, namely by using a manual method of writing down card details. Let me tell you, that that is extremely unlikely. All of your card's basic information (name, account number, etc.) is embedded within chip data, as well as in the mag-stripe. I can tell with you very near certainty that your old credit card information was stolen electronically, probably through a merchant with a compromised system.

There is literally nothing you can do to protect against electronic theft (when you use it as a card-present transaction) other than use more modernized encrypted transactions (e.g. chip), or tokenized transactions (Apple Pay, Samsung Pay, Google Wallet). If you're really paranoid about it (you don't really need to be), you can just use cash if the store doesn't accept EMV chip or tokenized.

Additionally, like others have stated, physically defacing your card is not only flatly ineffective against protecting you from 99% of modern card information theft (i.e. electronic theft), but it's also a huge red-flag for anyone that would physically handle it. They are instead likely to suspect that it is you who is a fraudster, trying to pass a counterfeit card off as a real on, as in this over-simplified scenario:

You: "Oh, you can just disregard the name on the card... it just wore off."
Them: "Uhuh... That doesn't happen. Give me a fully legible card, and a matching ID, or your sale is denied."

Cayla
  • 61
  • 1
  • i was at a bar once, and while bored i was picking at the plastic front layer on the card. The whole thing peeled off and i found the name/number wasn't embossed at all, so i now had a blank faced card now. They wouldn't accept the card for the next transaction even though they stood there and saw me peel the front off it. – Sirex Feb 19 '18 at 21:58
4

Yor credit card has the card number, expiration date, cardholder name, and possibly an additional short security code that you could conceivably remove from the physical card and store in a password safe.

But all of these (except, I think, the additional security code) are needed by the merchant. So you can't tamper with any of them.

Besides, the merchant checks those, along with your signature, a hologram if present, whether the magnetic stripe is intact, whether the card chip looks tampered with, etc to determine if the card is a fake. In fact, credit card companies instruct merchants to consider any sign of tampering with the card as suspicious. Google "spot fake credit card" and you get relevant best practice documents.

Out of Band
  • 9,150
  • 1
  • 21
  • 30
  • 7
    Actually, the merchant checks to see if the stripe/chip was successfully read. They're *supposed* to check the rest, but they never do. – Mark Feb 17 '18 at 20:47
  • Yes, I haven't ever seen anyone check the hologram on the card, for example. That's the one thing that requires more than a casual look. But I bet that if I, say, punched a small hole into the card near the card chip, or burned the CVV code off, merchants would notice and wonder... – Out of Band Feb 18 '18 at 11:52
0

Which parts of a credit card can I obfuscate and still have it be valid?

You can obfuscate all of it if you use Samsung Pay (No scratching necessary, in fact, scratching your card is a bad idea. Do not scratch anything).

Note, I did not say Apple Pay (like another answer did), I said Samsung Pay. Skip to my 4th point if you want to see how Samsung Pay specifically differs from Apple Pay.

  1. You enter your credit card information into your phone

  2. When you need to make a payment, you trigger Samsung Pay and you authenticate by using a PIN or your fingerprint.

  3. The phone generates a unique credit card number for each transaction.

  4. Important part: Samsung Pay is also backward-compatible. So even if the payment terminal doesn't accept mobile NFC payments, you can just tap the back of your phone to where the magnetic reader is and your phone will mimic the magnetic strip of the unique credit card it generated (this will work on all US terminals that have their magnetic readers on the edge of its machine and not embedded deeply within the machine itself).

  5. If it's a pre-authorization, it initially shows up as a $1 amount with the bank, which will later morph into whatever amount the establishment decides to finally charge you. If they make you fill out a paper form in addition to the electronic pre-authorization, you only put the last four digits of the generated credit card number on the form, along with asterisks in front of it. And if they want to check the authenticity of your signature, you present your phone (or your watch to them) so they can compare signatures.

If this answer looks a little bit familiar, it's because it's self-plagiarized and modified from an answer I wrote to a question on traveling in the US for work using a government credit card.

Stephan Branczyk
  • 177
  • 6
  • MST doesn't work at every terminal (even though you'd think it would). – Kenneth K. Feb 18 '18 at 22:19
  • @KennethK., Can you name a place? You're talking about the US? I've already mentioned the fact that it didn't work with an **embedded** magnetic reader. If MST is embedded, you use NFC. Also, I'm not sure why my answer was voted down. The three main drawbacks for me are that it doesn't work with recurring payments, it doesn't work for one-time online shopping (because it doesn't show you all the digits of the one-time generated credit card), and the fact that I'll often forget to wear (or recharge) my watch (as my Sony phone can't do Samsung Pay without my Samsung Gear S3 watch). (continued) – Stephan Branczyk Feb 18 '18 at 23:26
  • I didn't downvote, but I've personally been unsuccessful at WalMart (Ingenico reader) and Redbox. Both are swipe (i.e. MST tech), not NFC. Although, in thinking about it just now, it might be that I have my bank card in there, and it's trying to pick it up as a debit card (which obviously won't work). – Kenneth K. Feb 18 '18 at 23:29
  • @KennethK. For Ingenico, take a look at this thread. https://us.community.samsung.com/t5/Galaxy-S-Phones/Samsung-Pay-and-Ingenico-POS/td-p/106289 For RedBox, if you return a movie three months late, they'll want to charge you recurring late fees, so a one-time-only-use generated credit card number would only defeat such a policy. I'm probably misunderstanding your comment regarding debit, but Samsung Pay can work with debit cards (as long as you enter your ATM pin), I've used it successfully as a debit card to get cash back at non-NFC terminals and to access NFC-enabled Bank of America ATMs. – Stephan Branczyk Feb 19 '18 at 00:06
  • And to continue my initial first comment, I just wanted to say. I might not use Samsung Pay everywhere, mostly as I said because I'll forget to wear my watch sometimes, but when that's the case, I just use a physical card instead. For me, reducing the number of businesses that have my credit card number, or just reducing the number of times that my main credit card number/debit card information could be intercepted gives me additional peace of mind (but I also have no illusion, I am aware that those original numbers will eventually get intercepted/leaked by those fewer remaining businesses). – Stephan Branczyk Feb 19 '18 at 00:33