PCI Updates Skimming Prevention Guide
Best Practices for Protecting Merchants from POS Attacks

At a time when retailers are seeing a surge in point-of-sale breaches, the PCI Security Standards Council has released an update to its guidance for merchants on protecting against card skimming attacks in POS environments.
The report, Skimming Prevention: Best Practices for Merchants, was released during the council's North American Community Meeting on Sept. 10.
Card skimming continues to be highly profitable for criminals, with the United States Secret Service estimating the cost to consumers and businesses at about $8 billion annually, the council notes. With advancements in payment technology and new skimming techniques, merchants are especially at risk, the council says.
The updated guidance addresses new attack scenarios, including data capture from malware and memory scrapers or compromised software; attacks that target mobile device weaknesses; attacks against EMV chip cards; and overlay attacks that take advantage of the advances in 3D printers.
"Skimming is highly profitable and appeals to a wide range of criminals because it allows them to capture massive amounts of data in a short amount of time, with low risk of detection," says Troy Leach, chief technology officer at the council. "Retailers and other organizations can use this guidance document to educate themselves on how to identify and prevent against this type of attack."
Best Practices
The updated security best practices outlined in the guidance are designed to help businesses:
- Identify risks relating to skimming, both physical and logical;
- Evaluate and understand vulnerabilities inherent in the use of POS terminals and terminal infrastructures, and those associated with staff who have access to consumer payment devices;
- Prevent or deter criminal attacks against POS terminals and terminal infrastructures;
- Identify any compromised terminals as soon as possible and notify the appropriate agencies to respond and minimize the impact of a successful attack.