Strategies to Strike Back at Skimming

PCI Council Offers New Resource to Fight Fraud Skimming - point-of-sale attacks at ATMs and sales terminals -- hurts everyone, including banks, retailers and their customers. And the PCI Security Standards Council is fighting the crime with a new set of best practices for skimming prevention.

This resource will help educate merchants and financial institutions regarding security best practices that defend against credit card skimming attacks, says Bob Russo, PCI Security Standards Council General Manager.

"The guidelines include recommendations for protecting merchant terminals based on established countermeasures identified by the merchant community - physical location and security; terminal and terminal infrastructure security; and staff and service access to payment devices," Russo says. "[This is] something that all acquirers will be pointing their small merchants to use."

The resource was developed by the PCI Security Standards Council's Pin Entry Device (PED) Working Group, with input from law enforcement and industry experts closest to credit card skimming threats. The suggested guidelines help to:

Evaluate the risks relating to skimming;
Understand the vulnerabilities inherent in the use of point-of-sale terminals and terminal infrastructure;
Assess challenges associated with staff that has access to consumer payment devices;
Prevent or deter criminal attacks against point-of-sale terminals and terminal infrastructure;
Identify any compromised terminals as soon as possible and notify the appropriate agencies to respond and minimize the impact of a successful attack.

In addition to guidance on areas of vulnerability to address, the resource has photos of confiscated skimming equipment to help identify when a skimmer has been installed. There are examples of compromised terminals and infrastructure that clarify exactly the types of warning signs to look for when tampering is suspected, says Russo.

The new resource also provides templates for merchants and institutions to conduct a risk assessment on equipment and recommendations to maintain a regularly updated inventory of evaluated terminal equipment. Wireless terminal security measures are also covered in the resource.

This resource can't come at a better time, with the number of skimming incidences happening across the country rising. Skimming, as defined, is the unauthorized capture and transfer of payment data to another source for fraudulent purposes through payment cards or the payment infrastructure. Of 46 data breaches reported against financial institutions so far in 2009, according to the Identity Theft Resource Center, eight were linked to skimming.

Financial institutions should be looking at this resource as a must-have in their arsenal against skimming, says Elaine Dodd, Oklahoma Bankers Association's fraud division head. "The first part on skimming has unbelievably wonderful pictures of what to look for in any physical intrusion," she notes. OBA plans to use those pictures (and related info) in retailer training events and "will likely put a link to this data on our banker website, directing them to that info through our weekly Banker Update email." Dodd says she also really likes the risk evaluation section that let institutions and businesses know at what level they need to be prioritizing this threat.

Dodd believes this information can make a difference and will help with security implementation. "My hope is that we look at it now, rather than being reactive after taking large losses that could have possibly been prevented," she says.

She adds, "We have seen skimming resurface at a larger level in Oklahoma. We were seeing skimmers on ATMs, it then moved to gas pumps, where they moved up to internal chips. Most of our pumps are locked here to prevent that, and we are now seeing them back on ATMs (with cameras to record PINs) and in restaurants." Even when Heartland's data breach was first announced in January, Dodd relates, "We all thought it was related to skimming."

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.