Strategies to Strike Back at Skimming
PCI Council Offers New Resource to Fight Fraud
Skimming -- point-of-sale attacks at ATMs and sales terminals -- hurts everyone, including banks, retailers and their customers. And the PCI Security Standards Council is fighting the crime with a new set of best practices for skimming prevention.
This resource will help educate merchants and financial institutions regarding security best practices that defend against credit card skimming attacks, says Bob Russo, PCI Security Standards Council General Manager.
"The guidelines include recommendations for protecting merchant terminals based on established countermeasures identified by the merchant community - physical location and security; terminal and terminal infrastructure security; and staff and service access to payment devices," Russo says. "[This is] something that all acquirers will be pointing their small merchants to use."
The resource was developed by the PCI Security Standards Council's PIN Entry Device (PED) Working Group, with input from law enforcement and industry experts closest to credit card skimming threats. The suggested guidelines help to:
In addition to guidance on areas of vulnerability to address, the resource has photos of confiscated skimming equipment to help identify when a skimmer has been installed. There are examples of compromised terminals and infrastructure that clarify exactly the types of warning signs to look for when tampering is suspected, says Russo.
The new resource also provides templates for merchants and institutions to conduct a risk assessment on equipment and recommendations to maintain a regularly updated inventory of evaluated terminal equipment. Wireless terminal security measures are also covered in the resource.
This resource couldn't come at a better time, with the number of skimming incidents across the country rising. Skimming, as defined, is the unauthorized capture and transfer of payment data to another source for fraudulent purposes through payment cards or the payment infrastructure. Of 46 data breaches reported against financial institutions so far in 2009, according to the Identity Theft Resource Center, eight were linked to skimming.
Financial institutions should be looking at this resource as a must-have in their arsenal against skimming, says Elaine Dodd, Oklahoma Bankers Association's fraud division head. "The first part on skimming has unbelievably wonderful pictures of what to look for in any physical intrusion," she notes. OBA plans to use those pictures (and related info) in retailer training events and "will likely put a link to this data on our banker website, directing them to that info through our weekly Banker Update email." Dodd says she also really likes the risk evaluation section that lets institutions and businesses know at what level they need to be prioritizing this threat.
Dodd believes this information can make a difference and will help with security implementation. "My hope is that we look at it now, rather than being reactive after taking large losses that could have possibly been prevented," she says.
She adds, "We have seen skimming resurface at a larger level in Oklahoma. We were seeing skimmers on ATMs, it then moved to gas pumps, where they moved up to internal chips. Most of our pumps are locked here to prevent that, and we are now seeing them back on ATMs (with cameras to record PINs) and in restaurants." Even when Heartland's data breach was first announced in January, Dodd relates, "We all thought it was related to skimming."