Credit Card Skimming: A Quick Overview

Published June 14, 2017

While our other article this month focuses on different breaches that recently occurred throughout the country, this article discusses skimming – the technique used by fraudsters to cause breaches. In more definite terms, skimming is the unauthorized capture and transfer of cardholder information to a third party for the purposes of fraud.

There are many different ways to skim a payment card. Theft of cardholder information can occur internally, either through an employee’s lack of security awareness or even malicious intent, or externally through malicious software programs or hardware, such as an unauthorized attachment to an ATM. ATMs are frequent targets, but so are credit card terminals.

There are a number of ways that criminals can target terminals, such as:

  • Stealing terminals from unattended or unwatched checkout lanes
  • Breaking into a store and removing/compromising the terminals or replacing them with identical, but compromised versions
  • Adding additional hardware, CCTV cameras, or inconspicuous overlays to capture the data
  • Posing as a service technician or authorized repair representative to gain access to the terminals
  • Installing malware at the point-of-sale location or over the internet
  • Shipping compromised terminals under the façade of device upgrades

Unfortunately, there are many ways that a merchant’s credit card machine can be compromised, but there are some ways to prevent this.*

*While this list is not all-inclusive, a much more thorough overview of skimming and skimming prevention can be found in the PCI Security Standards Council’s Information Supplement, Skimming Prevention: Best Practices for Merchants, available as a PDF on the official PCI website.

 

Educate your employees
As always, the first step is to educate your employees on terminal security and to provide them with appropriate avenues through which to report suspicious activity. Fraudsters have been known to offer substantial bribes or threaten employees in order to gain access to terminals.

Secure the terminal
Ensure the physical security of the machine. This includes keeping the machine in a monitored location. Do not allow unauthorized individuals to tamper with the device. Furthermore, make sure your business has sufficient security when it is closed, including an alarm or CCTV system. If there has been suspicious activity, inspect the terminals thoroughly, including the serial numbers located on the terminal. If there are any discrepancies, your terminal may be compromised.
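
The serial-number inspection described above only works if there is a recorded inventory to compare against. The following is an added example, not part of the original article: a Python script that reconciles the serial numbers read during a walk-through against the serials recorded at deployment. The location names, serial numbers, and finding labels are constructed for illustration.

```python
# Added example: reconcile a terminal inspection against the recorded inventory.
# All locations and serial numbers below are constructed sample data.

def normalize(serial):
    """Compare serials case-insensitively, ignoring spaces and dashes."""
    return "".join(ch for ch in serial.upper() if ch.isalnum())

def reconcile(inventory, inspection):
    """inventory:  {location: serial recorded when the terminal was deployed}
    inspection: {location: serial read off the device during the walk-through}
    Returns a sorted list of (finding, location, detail) tuples."""
    findings = []
    home_of = {normalize(s): loc for loc, s in inventory.items()}
    for loc, expected in inventory.items():
        seen = inspection.get(loc)
        if seen is None:
            # No device where one should be: possible theft from the lane.
            findings.append(("MISSING", loc, f"expected {expected}"))
        elif normalize(seen) != normalize(expected):
            home = home_of.get(normalize(seen))
            if home:
                # A known device in the wrong place: confirm who moved it.
                findings.append(("MOVED", loc, f"found {seen}, which belongs at {home}"))
            else:
                # Unknown serial at a known location: possible swapped terminal.
                findings.append(("SERIAL_MISMATCH", loc,
                                 f"expected {expected}, found {seen}"))
    for loc, seen in inspection.items():
        if loc not in inventory:
            # Device nobody recorded, e.g. an unsolicited "upgrade" shipment.
            findings.append(("UNEXPECTED", loc, f"found {seen}, not in inventory"))
    return sorted(findings)

INVENTORY = {"lane-1": "SN-1001-A", "lane-2": "SN-1002-A",
             "lane-3": "SN-1003-A", "bar": "SN-1004-A"}
INSPECTION = {"lane-1": "sn 1001 a",   # same device, written differently
              "lane-2": "SN-9917-A",   # serial not in inventory
              "bar": "SN-1003-A",      # lane-3's terminal found at the bar
              "office": "SN-2050-B"}   # location with no recorded terminal

if __name__ == "__main__":
    for finding, loc, detail in reconcile(INVENTORY, INSPECTION):
        print(f"{finding:16} {loc:8} {detail}")
```

Any finding other than an empty list is a discrepancy of the kind the paragraph above says may indicate a compromised terminal.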

Become compliant with PCI
PCI compliance is not just an annual checklist; it’s an ongoing set of guidelines that are meant to be followed to reduce the threat of credit card breaches. Familiarize yourself with the PCI DSS (if you are having trouble viewing this file, contact us and we can provide you with a copy).

Upgrade to EMV
Do not wait until there is a security incident to upgrade to EMV. While upgrading to chip-and-PIN technology is not the only step in improving security, combining EMV with solid security practices will reduce your likelihood of becoming a target.

If you do suspect that you have been compromised, immediately stop using the credit card machine and contact local law enforcement, who can then guide you on the appropriate agencies to contact and what steps to take. Also be sure to call your merchant services company and inform them of your suspicions. They can send out a new terminal and provide the necessary contact numbers to minimize the damage to your business. If you are processing through Advanced Merchant Group and suspect you have been the victim of a data breach, call us at 877-997-9473 as soon as possible.