Why Your Saved Credit Card Is Less Safe Than You Think
Key Takeaways
- PCI-DSS permits a merchant to display the BIN and the last four digits of a saved card, together with the cardholder name and expiry date
- With 6 of 16 digits hidden, there are at most one million combinations, and the Luhn checksum cuts that to 100,000 candidates that can be enumerated offline
- 3D Secure only helps where a merchant enforces it; attackers bypass it by shopping at merchants that do not
The Attack That Shouldn't Work
Metin Ozyildirim thought his virtual credit card was safe. It had spending limits. 3D Secure was enabled. He only saved it to well-known European merchants. Then attackers compromised his account at one of those merchants, and within hours they had drained his available limit.
The sequence is instructive. First, an SMS arrived showing a purchase attempt from the site where his card was saved. Ozyildirim reacted fast. He changed passwords, checked for unauthorized purchases, and reduced his card limits. He did not disable the card entirely because, logically, it should not have been compromised: the attackers could only see what the merchant interface displayed, a masked card number.
Six hours later, 3D Secure authentication requests started arriving from merchants he had never used. All of them failed. But the attackers were not done. They found a merchant that did not require 3D Secure and made multiple small payments that drained his remaining limit. The money went to an e-wallet that allowed cash withdrawals at physical stores.
What PCI-DSS Actually Allows
The Payment Card Industry Data Security Standard (PCI-DSS) version 4 specifies what merchants can and cannot display when showing saved payment methods. The rules seem reasonable at first glance.
Merchants can display: the BIN (historically the first 6 digits), the last 4 digits, the cardholder name, and the expiration date. They cannot display the full card number, store the CVV/CVC verification code after authorization, or expose PIN data.
Here is the problem. A typical card number has 16 digits. If merchants show the first 6 and the last 4, only 6 digits remain hidden. That is at most 1 million possible combinations before any checksum is applied, a trivial search for an automated system. The standard's v4 wording refers to "the BIN", and card schemes have moved to 8-digit BINs; a merchant that shows an 8-digit BIN plus the last 4 leaves only 4 digits hidden.
The Math Behind the Vulnerability
Card numbers carry a Luhn check digit, and that checksum shrinks the search space further: for any choice of five of the six hidden digits, exactly one value of the sixth makes the number pass, so the million combinations collapse to 100,000 Luhn-valid candidates. An attacker who knows the BIN, the last 4 digits, the expiration date, and the name therefore has most of what they need. The hidden digits can be enumerated offline, with only Luhn-valid combinations ever tried against a merchant.
The CVV remains unknown. But not all merchants require it. Some payment processors skip CVV verification for returning customers. Others have lax enforcement. The attackers in Ozyildirim's case found such merchants through trial and error. Those failed 3D Secure attempts were reconnaissance.
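The arithmetic above is easy to confirm in code. The following is an added example written for this article, not code from Ozyildirim's post or from any payment product; the BIN prefix and last-4 values used in it are constructed for illustration (the classic Luhn-valid test number 4111 1111 1111 1111 is used only to check the checksum routine) and do not identify a real card. It solves the Luhn constraint for one hidden digit instead of testing all million combinations, so it yields exactly the 100,000 candidates the masking policy leaves open, and it compares that count with an 8-digit BIN display and with a last-4-only display.

```python
"""Count and enumerate the Luhn-valid card numbers consistent with a masked display.

Added example for this article (not the original author's code). All prefixes and
suffixes below are constructed test values, not real card data.
"""
from itertools import product


def luhn_weight(digit: int, doubled: bool) -> int:
    """Contribution of one digit to the Luhn sum (doubled digits >9 subtract 9)."""
    d = digit * 2 if doubled else digit
    return d - 9 if d > 9 else d


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check: counting from the right, position 0 is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        total += luhn_weight(int(ch), doubled=(i % 2 == 1))
    return total % 10 == 0


# luhn_weight(d, True) is a bijection on 0..9, so a doubled position can be
# solved for the required digit by inverting it.
_UNDOUBLE = {luhn_weight(d, True): d for d in range(10)}


def luhn_valid_count(length: int, shown_prefix: int, shown_suffix: int) -> int:
    """Number of Luhn-valid PANs matching a mask: 10**(hidden-1), since the
    checksum fixes exactly one hidden digit as a function of the others."""
    hidden = length - shown_prefix - shown_suffix
    if hidden < 1:
        raise ValueError("mask leaves no digit hidden")
    return 10 ** (hidden - 1)


def candidate_pans(bin_prefix: str, last4: str, length: int = 16):
    """Yield every Luhn-valid PAN of ``length`` digits with the given visible
    prefix and suffix. All but the rightmost hidden digit are enumerated freely;
    that last one is solved from the checksum instead of being guessed."""
    hidden = length - len(bin_prefix) - len(last4)
    if hidden < 1:
        raise ValueError("mask leaves no digit hidden")

    def doubled(pos_from_right: int) -> bool:
        return pos_from_right % 2 == 1

    # Luhn contribution of the digits the merchant page already shows.
    known = 0
    for i, ch in enumerate(reversed(last4)):
        known += luhn_weight(int(ch), doubled(i))
    for j, ch in enumerate(reversed(bin_prefix)):
        known += luhn_weight(int(ch), doubled(len(last4) + hidden + j))

    solve_pos = len(last4)  # position (from the right) of the digit we solve for
    for free in product(range(10), repeat=hidden - 1):
        s = known
        for k, d in enumerate(free):
            # free[0] is the leftmost free digit, just right of the BIN.
            s += luhn_weight(d, doubled(solve_pos + (hidden - 1) - k))
        need = (-s) % 10
        solved = _UNDOUBLE[need] if doubled(solve_pos) else need
        yield bin_prefix + "".join(map(str, free)) + str(solved) + last4


def search_space_table() -> dict:
    """Hidden search space under three display policies for a 16-digit PAN.
    (Constructed comparison; the 8-digit BIN row reflects the card schemes'
    move to 8-digit BINs, which PCI-DSS v4 still allows to be displayed.)"""
    return {
        "6-digit BIN + last 4": luhn_valid_count(16, 6, 4),
        "8-digit BIN + last 4": luhn_valid_count(16, 8, 4),
        "last 4 only": luhn_valid_count(16, 0, 4),
    }


if __name__ == "__main__":
    # Constructed mask: visible prefix 411111, visible suffix 1111.
    cands = list(candidate_pans("411111", "1111"))
    print(f"{len(cands)} Luhn-valid candidates, e.g. {cands[0]} ... {cands[-1]}")
    for policy, n in search_space_table().items():
        print(f"{policy:>22}: {n:>15,} candidates")
```

The point the table makes is the one the article makes: masking is a policy choice, and showing the last four digits alone (100 billion Luhn-valid candidates) is a different security posture from showing BIN plus last four (100,000), even though both satisfy the standard.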
Compliance Versus Security
Ozyildirim's account highlights a systemic issue. PCI-DSS sets minimum requirements. Companies implement exactly those minimums to pass certification. When researchers point out that the minimums enable attacks, companies resist changes because they have already passed the compliance audit.
The certification process itself creates perverse incentives. Each additional security measure means more testing, more documentation, and more potential audit findings. So companies stop at the bare minimum the standard requires.
The result: consumers assume their saved cards are protected by serious security controls. In reality, the visible data gives a determined attacker enough to reconstruct the full card number and shop around for merchants with weak verification.
Logicity's Take
What Attackers Learn From a Failed Purchase
The initial breach gave the attackers access to the saved-card view. When they attempted a purchase and saw the 3D Secure page, they cancelled. But that single attempt confirmed several things: the card was active, the issuing bank's name (visible on the 3D Secure page), and 3D Secure was enforced at that merchant.
Armed with this information, they could reconstruct the likely full card number and hunt for merchants that either do not implement 3D Secure or have it configured as optional. The European payments landscape is fragmented enough that finding such merchants takes time but remains entirely possible.
The Cash-Out Pipeline
Ozyildirim notes that the final withdrawal went to an e-wallet service that allows cash pickup at retail stores. This is a well-designed laundering path. The fraudulent payments top up an e-wallet balance. The balance converts to cash at a retail counter. The cash disappears. Each step adds distance between the stolen card and the thief.
He got his money back through a chargeback. Most consumers in similar situations would too. But the vulnerability remains. The next victim might not notice the SMS alerts. The next attacker might move faster.
What You Can Actually Do
- Use virtual cards with tight limits for online shopping. When compromised, the blast radius is smaller.
- Enable transaction notifications for every purchase, not just those over a threshold.
- Don't assume 3D Secure protects you everywhere. Some merchants opt out or configure it as optional.
- Check which merchants have your card saved. Remove it from sites you no longer use.
- Consider cards that generate unique numbers per merchant. Some banks and services offer this.
None of these are perfect. The underlying vulnerability exists at the standard level, not the consumer level. But reducing exposure limits damage when, not if, a saved card gets targeted.
The Broader Problem
Credit card security relies on secrecy of data that's increasingly hard to keep secret. The 16-digit number, printed on the physical card, is the primary credential. The CVV, also printed on the card, is the secondary check. The expiration date is visible. The cardholder name is public information.
Every time you hand your card to a waiter, every receipt with partial card numbers, every saved payment method on every merchant site adds to the attack surface. The system was designed for a world where transactions happened in person and card data stayed on paper slips locked in a drawer.
We no longer live in that world. The standards haven't caught up.
Frequently Asked Questions
Can attackers really brute force credit card numbers?
Yes. With 10 of 16 digits visible (the first 6 and the last 4), 6 digits are hidden, which is at most one million combinations. The Luhn checksum fixes one of those digits, leaving 100,000 valid candidates, which an automated system can enumerate offline in seconds and then test at merchants that do not require a CVV or 3D Secure.
Does 3D Secure protect against this attack?
Only if every merchant enforces it. Attackers in this case specifically searched for merchants without 3D Secure requirements. The protection is only as strong as the weakest merchant in the payment network.
Are virtual credit cards safer than physical ones?
Somewhat. Virtual cards with low limits reduce maximum exposure. Some services generate unique card numbers per merchant, which prevents cross-merchant attacks entirely.
Is PCI-DSS compliance enough to protect my card data?
PCI-DSS sets minimums that protect merchants from liability. These minimums don't prevent the brute-force reconstruction attack described here. Compliance and security are not the same thing.
What should I do if I receive unexpected 3D Secure SMS codes?
Immediately disable the card through your banking app, not just reduce limits. The SMS codes indicate someone is actively testing your card at different merchants.
Source: Hacker News: Best
Manaal Khan
Tech & Innovation Writer
تعتبر المهمة الجديدة خطوة هامة نحو استكشاف الفضاء وتطوير التكنولوجيا. سوف تشمل المهمة إرسال رواد فضاء إلى سطح القمر لconducting تجارب علمية. ستسهم هذه المهمة في تطوير فهمنا للفضاء وتحسين التكنولوجيا المستخدمة في استكشاف الفضاء.