Stay informed about cyber awareness training topics and mitigate risk in your organisation.

5 Ways Employees Can Safeguard Cardholder Data


about the author

You, as a user, are the most crucial form of defence when it comes to protecting your organisation and its customers against fraudsters. A company will face countless attacks from criminals who are attempting to steal sought after cardholder data and use it for fraudulent purposes.

Ensuring that you remain vigilant and act as the ‘human firewall’ remains the best form of defence against these fraudsters. By following the top tips outlined you can help safeguard your organisation and customers’ sensitive data.

There are many risks associated with card-not-present transactions as the customer and their card are not present when the transaction takes place. This is a risk as it’s difficult to physically verify the customer at the time of the transaction. When processing card-not-present transactions you must always obtain the card number, the expiry date as well as the card security code. It’s also important to obtain the cardholder’s full name, address and phone number.

It is crucial to remember that you should never store the full contents of any cards magnetic stripe or chip. Sensitive authentication data must not be stored such as card validation code, value code, and personal identification number (PIN) or any PIN blocks.

Fraudsters will use ‘counterfeit cards’ for card-not-present transactions so it is essential to question any sequential cards numbers (for example, 1234567) and any transactions made from cards issued overseas. It is also good practice to make a list of possible problem names, addresses and IP addresses. These red flags can be used by you and your colleagues to highlight any concerns that you may have to your manager.


Social engineering, quite simply, is the art of manipulating people in order to get them to provide confidential information. It can take many forms, but all types of social engineering are designed to trick you into trusting someone enough that you give out the information that they seek.

A fraudster may phone you and imitate someone in a position of authority or impersonate a customer to gain information that they want. Fraudsters could also use phone social engineering as a method to retrieve passwords, usernames and even cardholder data.

If you deal with cardholder data, you must be vigilant when dealing with phone calls and care should be taken to verify the customer. If you are taking payments over the phone, be careful that you don’t leave yourself vulnerable to social engineering. One method of validating an individual’s identity is hanging up and returning their call on a number that is stored on your company’s system. Don’t phone them back on any number provided by the individual during the call, or on the number they are calling from.


Email is not considered a secure method for sending or receiving sensitive information and as a result, customer information should never be sent by email. If a customer sends you their card data by email then you must delete it immediately without processing it. You should inform your manager of your concerns verbally, but do not forward these details to your manager or any other member of staff via email.

Downloads and updates

Malware and viruses can be downloaded via email and other online activity. PCI DSS (Payment Card Industry Data Security Standard) requires all companies who handle cardholder data to use an anti-virus software on any system that processes cardholder data. This requirement aims to limit the risk factor of processing card holder data.

It is crucial that your organisation always keep their antivirus software updated.


The use of fax machines for the sending and receiving of cardholder data is not considered a secure method. If a business unit must use a fax machine then you must:

  • Always use a single purpose Analog fax machine. Multi-function machines cannot be used as they often will store all of the data that has been processed.
  • Destroy any electronic copies immediately and destroy any physical copies once they are no longer necessary for businesses purposes.
  • Fax machines must not be placed in publicly accessible areas and incoming faxes must not accessible by unauthorised users.

Clear desk

Clear desk is the best policy to safeguard all sensitive and confidential information. It helps reduce the risk of a security breach in the workplace. A clear desk policy will ensure that all confidential information will be removed or locked away while the items are not in use or are away from their desk.

And remember: always remember to Ctrl+Alt+Delete when you leave your seat!


If your organisation needs help in educating users about fraud and the importance of handling cardholder data, request a demo of our eLearning courses on PCI DSS and Data Handling.

you might enjoy reading these