ShadowMap

Appearance

Credit Card Leaks

ShadowMap monitors dark web marketplaces, carder forums, and breach dumps for payment card data associated with your organization. The presence of your customers' or employees' payment card information on the dark web may indicate a breach of your payment systems, a skimming attack, or a compromise at a third-party payment processor.

Overview

Credit Card Leaks

What You See

Each leaked card is displayed as a visual card showing:

FieldDescription
Card NetworkPayment network logo (Visa, Mastercard, American Express, Discover, etc.)
Cardholder NameName on the card
Card NumberMasked or partial card number as found in the dark web source
Expiry DateCard expiration date
Breached OnWhen the card data was posted or traded on the dark web (displayed as relative time)
ActionsComment, share via integration, and workflow status

Filters

  • Search -- Filter by cardholder name, card number, or other keywords
  • Card Network -- Filter by payment network (Visa, Mastercard, etc.) with counts per network
  • Date range -- Filter by breach date
  • Export -- Download filtered results in CSV format

Why This Matters

Credit card leaks on the dark web indicate one or more of the following:

  • Payment system breach -- Your payment processing infrastructure may have been compromised, exposing card data at the point of transaction
  • Web skimming (Magecart) -- Malicious JavaScript injected into your payment pages captures card details in real-time and exfiltrates them to attacker infrastructure
  • Third-party processor compromise -- A payment processor, gateway, or point-of-sale vendor handling your transactions was breached
  • Physical skimming -- If you operate physical terminals, skimming devices may have been installed on card readers
  • Employee card exposure -- Corporate credit cards used by employees may have been captured through stealer malware or phishing

PCI DSS Implications

Payment card data exposure triggers PCI DSS compliance requirements:

  • Incident reporting -- PCI DSS Requirement 12.10 mandates an incident response plan that includes notification to payment brands and acquiring banks
  • Forensic investigation -- Your acquiring bank may require a PCI Forensic Investigator (PFI) to determine the source and scope of the compromise
  • Compliance reassessment -- A confirmed card data breach may trigger a reassessment of your PCI DSS compliance status
  • Notification obligations -- Card brands (Visa, Mastercard) have their own notification requirements and may issue fines for non-compliance

Immediate Response

  1. Investigate the source -- Determine whether the card data originated from your systems or a third party. Cross-reference the breach dates with your transaction logs.
  2. Notify your payment processor and acquiring bank. They need to know about potential card compromise to initiate their own response procedures.
  3. Check for web skimmers -- Audit your payment pages for unauthorized JavaScript. Look for injected scripts, modified checkout flows, or exfiltration to unknown domains.
  4. Review PCI DSS compliance status -- Ensure your current compliance measures are functioning and document the incident.

Follow-Up

  1. Monitor for additional leaks -- A single discovery often precedes more. Configure SLA policies for credit card leak findings.
  2. Engage your forensics team -- If the data appears to originate from your systems, conduct a full forensic investigation to identify the breach point.
  3. Notify affected cardholders if required by your jurisdiction and the card brands' rules.
  4. Review third-party vendors -- If the compromise originated at a vendor, assess their security posture and contractual obligations.

Bulk Actions

Select multiple card entries to:

  • Mark as Actioned -- Record that your team has investigated and responded
  • Mark as Online -- Revert findings back to active status
  • Share via Integration -- Push selected findings to connected tools

ShadowMap by Security Brigade

Copyright 2024-present Security Brigade