Stay safe: guard your payment cards this holiday season

Retailers are bracing for a booming holiday shopping season.¹ However, every online store faces some level of vulnerability to cyberattacks and data breaches. Additionally, consumers risk falling victim to fake websites created by cybercriminals, which can compromise payment card details as soon as they are entered. This week’s chart highlights and examines data on compromised payment card details — including card numbers, expiration dates, and CVVs — both globally and within the world’s top 10 economies.

Key insights

• The collected data reveals that a concerning total of approximately 5.7 million payment card data points have been compromised worldwide since 2004. This dataset includes card numbers, expiration dates, and card verification values (CVVs) — a three or four-digit number found on the back of most credit and debit cards. Notably, 28% of the compromised data is CVV security codes, which are crucial for verifying transactions. Their exposure poses considerable risks, as they can be used to authorize fraudulent transactions. Additionally, 33% of the dataset consists of payment card expiration dates. While not directly exploitable on their own, these dates can increase the risk of cybercrime when combined with other details.
• During high-spending occasions such as Black Friday, Cyber Monday, or the pre-Christmas period, when consumers worldwide are likely to engage more actively in online shopping, there is also a heightened potential for cybercrime. The top 10 largest global economies², where consumers may spend the most, exhibit varying rates of breached payment card details per 100,000 residents: United States (773), United Kingdom (248), Canada (225), Italy (197), Brazil (102), France (71), India (34), Germany (15), Japan (5), and China (1).
• Focusing on the world's top 10 economies², the US stands out as not only the largest economy but also the one experiencing the highest number of breached payment card details per 100,000 residents — 773 data points. Since 2004, over 2.6 million payment card data points have been compromised in the US, accounting for nearly half of the total global amount. Alarmingly, about one-third of these data points include CVV security codes, a critical component of card security.
• According to the latest FBI Internet Crime Report, nearly 14,000 complaints related to credit card/check fraud were received in the US in 2023 alone, resulting in approximately $174 million in losses. Over this decade, the US has registered over 71,000 complaints categorized as credit card/check fraud, leading to more than $740 million in losses. Credit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism (ACH. EFT, recurring charge, etc.) as a fraudulent source of funds in a transaction.³,⁴

Methodology and sources

Data breach statistics from around the world, occurring between January 2004 and September 2024, were examined. The data, which included payment card details, was collected by independent partners from publicly available databases and aggregated by email addresses. This information was then anonymized and provided to Surfshark’s researchers for statistical analysis. This study looks into compromised payment card details on a global scale as well as within the world's top 10 economies.

References: