PCI Updates Skimming Prevention Guide

Best Practices for Protecting Merchants from POS Attacks
PCI Updates Skimming Prevention Guide

At a time when retailers are seeing a surge in point-of-sale breaches, The PCI Security Standards Council has released an update to its guidance for merchants on protecting against card skimming attacks in POS environments.

See Also: Unite & Disrupt: Mitigate Attacks by Uniting Security Operations

The report, Skimming Prevention: Best Practices for Merchants, was released during the council's North American Community Meeting on Sept. 10.

Card skimming continues to be a highly profitable for criminals, with the United States Secret Service estimating the cost to consumers and businesses at about $8 billion annually, the council notes. With advancements in payment technology and new skimming techniques, merchants are especially at risk, the council says.

The updated guidance addresses new attack scenarios, including data capture from malware and memory scrapers or compromised software; attacks that target mobile device weaknesses; attacks against EMV chip cards; and overlay attacks that take advantage of the advances in 3D printers.

"Skimming is highly profitable and appeals to a wide range of criminals because it allows them to capture massive amounts of data in a short amount of time, with low risk of detection," says Troy Leach, chief technology officer at the council. "Retailers and other organizations can use this guidance document to educate themselves on how to identify and prevent against this type of attack."

Best Practices

Updated security best practices outlined in the guidance is designed to help businesses:

  • Identify risks relating to skimming - both physical and logical based;
  • Evaluate and understand vulnerabilities inherent in the use of POS terminals and terminal infrastructures, and those associated with staff that have access to consumer payment devices;
  • Prevent or deter criminal attacks against POS terminals and terminal infrastructures;
  • Identify any compromised terminals as soon as possible and notify the appropriate agencies to respond and minimize the impact of a successful attack.

About the Author

Megan Goldschmidt

Megan Goldschmidt

Associate Editor

Goldschmidt is the former Associate Editor for ISMG. A recent graduate of Ithaca College, she has worked for multiple publications in NJ and NY, including the Trentonian and the Rochester Business Journal, instilling a passion for writing, editing and social media.




Around the Network