Does Expired Card Destruction Really Matter?

An expired credit card isn’t just a useless piece of plastic. It might be rejected when you try to pay for lunch, but it still contains sensitive data—which means that your business’s expired card could have value for data thieves. Card destruction is a necessary security measure to prevent a devastating case of credit card fraud.

Business owners are all too familiar with the realities of credit card fraud. The cardholder rarely has to pay for unauthorized charges made with a stolen card, but the merchant who accepted the payment will often lose money in chargeback fees. So experienced business owners know to be vigilant about credit card fraud as it relates to accepting payments. They may not be as vigilant about preventing fraud involving their own corporate payment cards, even once those cards are expired. No one can afford to be lax about card destruction

Why Card Destruction Matters

Credit card companies introduced expiration dates as a security measure, and they’re generally effective—but expired cards can still be valuable to fraudsters, for two primary reasons. 

First, while expired cards can rarely be used to make purchases, it’s not impossible for a transaction to be approved with an expired card. (The issuer will generally deactivate the card after the expiration date, and online merchants should also reject expired cards—but human error and technical problems are always possible.) Someone who gets their hands on a business’s expired card might not want to risk running the card at a brick-and-mortar store, where it will likely be rejected. Online sales are easier to attempt; thieves can try using expired cards over and over with different sites. 

Second, if the expired card has been replaced with a new card, the new card will often use the same number as the expired card. That number can be an incredibly useful piece of information for card thieves. They may even be able to guess the new card’s expiration date based on when the old card expired. Those two pieces of information may be enough for certain online sales to go through. Most online purchases will require a card’s three-digit CVV code, but researchers have found that it’s possible to use computer programs to get around this requirement. And scammers’ technology advances quickly, so there’s no telling what they’ll be able to do with just a credit card number in the future. 

Card Destruction Best Practices

Because the card number itself can be valuable, simply cutting through the magnetic strip on a payment card isn’t a suitable method of card destruction. Neither is cutting a card into a few pieces and then tossing them into the same garbage can. Motivated identity thieves may still be able to recover the card and piece together the number—and there are people who are in fact motivated enough to do just that. Data destruction best practices call for cards to be shredded when you’re done with them. 

Credit card fraud was already a problem on a massive scale, but experts say that fraud is exploding because of the pandemic. An increase in contactless shopping has made it easier than ever for thieves to steal credit card information online. But it’s not all shadowy hackers who commit credit card fraud. Financial desperation can also trigger people to do things they wouldn’t otherwise do—like stealing from their employer. 

Unfortunately, internal fraud is a real possibility for businesses of all kinds. It can happen even to small business owners who trust their employees. Sometimes, internal fraud isn’t perpetrated by an employee but by someone who gets access to their workspace. Maybe someone visits their family member at work and pockets a company card that was left on their desk, or a delivery person steals a card when no one’s looking.  

Permanent card destruction is always the best choice for disposing of expired cards. Shredding payment cards is the only way to really destroy the information stored in and on the cards. To control how many people can access financial information like company credit card numbers, businesses can use locked bins to collect sensitive files and expired cards until they can be shredded. If any employees have their own corporate credit cards, make sure your data destruction policy includes language clarifying that expired cards must be turned in for destruction. 

Northeast Data Destruction provides all the shredding services businesses need, from shredding expired cards to off-spec products. We’re here to help your business protect its sensitive data. What questions do you have about card destruction and shredding services? Contact me today!