What Happens to Stolen Credit Card Numbers?

News stories about credit card data breaches have struck fear in the hearts of millions of shoppers. Over the past couple of decades, hackers have invaded the computer systems of major retailers and made off with tens of millions of payment card numbers.

You may be familiar with the scramble to check your credit card accounts and credit reports for suspicious activity in the wake of such incidents. But many people aren't clear on what happens with the credit card numbers stolen in a data breach.

When your physical credit card is stolen, the thief will usually just try to use it. When hackers steal information on 20 million cards, it’s a different story.

» MORE: How to prevent credit card fraud

Buying in bulk

A stolen credit card number isn’t worth much on its own. The credit bureau Experian reported in 2017 that a credit card number could fetch maybe $5 if it came with the CVV number (the security code printed on the card). And tech website GigaOm has reported that a batch of a thousand numbers might sell for just $6.

That sounds low, especially considering the amount of hassle that goes into canceling your card and getting a new one. But you can’t do too much with a credit card number unless you also have the associated name and address of the cardholder. Even with that information, thieves may not get much. A package containing one person’s credit card number, address, date of birth, and Social Security number can sell for up to $30, Experian said.

So to make the effort worthwhile, information merchants buy and sell in bulk. They collect thousands or millions of numbers and head to the black market. At some websites, they can buy and sell the data using untraceable virtual currencies like Bitcoin. At these exchanges, the people who are good at stealing numbers hand them off to people who know what to do with them.

Spending like there’s no tomorrow

A credit card number can be sold and resold multiple times before someone actually tries to use it. Once the final buyer has the information in hand, he or she will use it to try to make purchases while evading your (or your bank’s) notice. Sometimes, criminals will print up plastic cards with the new number and use them at physical stores, but it's more likely they’ll make purchases online. It’s a race to charge as much to the card as possible before the bank freezes the account.

EMV chips don't solve the problem. EMV technology is great for preventing fraud using a physical credit card, but it doesn't prevent the online transactions that cybercriminals thrive on. That's why having the CVV is important — it makes the card easier to use online.

» MORE: How to spot and dispute fraudulent credit card charges

What determines the value of a card number?

The value of a stolen credit card number depends on many variables. If the number is packaged along with other identifying information that facilitates identity theft, like the victim’s name, address, Social Security number or mother’s maiden name, it’s worth much more.

High-limit premium credit card numbers are worth more, as are European numbers and numbers that are more recently stolen (and thus more likely to be valid). And if the thief can provide purchasing information that will help evade detection, he or she can charge extra. For example, if you make frequent trips to Las Vegas or shop regularly at Macy's, your card information could be used in those places to avoid triggering fraud-detection systems.

How can I protect myself?

Don't rely only on your bank to protect you from identity theft. Learn what you can do to prevent identity theft from occurring or to limit the damage from it. Keep an eye on your credit card statements for suspicious transactions and your credit report for accounts you don't recognize. Consider freezing your credit to prevent new accounts from being opened. And know your rights about your maximum liability in the cause of fraud.