Point of Sale Skimming Attacks and PCI Standards


All business owners and consumers need an understanding of how they can become a victim of point of sale (POS) skimming. This theft—using illegal card scanning devices—can be just as effective as crashing a heavy vehicle through the front window of a closed shop—a process known as ram-raiding.

Point-of-sale card processing devices are everywhere in our daily lives. We use them at the bank ATM, the convenience store checkout counter, the drive-thru carwash, and even vending machines. The multitude of these devices makes a ripe picking field for thieves.

The 3 Kinds of POS Skims

There are primarily three kinds of POS skimming schemes: the clerk skim, the POS swap, and POS malware.

Clerk Skim

The clerk skim is the most common. It happens when a store clerk takes your card and runs it through a device that copies the information from the magnetic stripe. Once the thief has the credit or debit card data, they can place orders over the phone or online, or create a cloned card.

POS Swaps

A more advanced skim happens when criminals pose as POS technicians, enter a retail establishment and swap out the existing POS terminals with clones that allow the criminal remote access to the device. Thieves can completely replace a merchant’s point of sale terminal with a device that is rigged to record or divert card data wirelessly, or simply store the data until the criminal comes back and removes it.

POS Malware

The most sophisticated POS skim happens when the POS software itself is compromised remotely and malware is installed, giving criminals complete control over the devices.

PCI Security Standards Council

The Payment Card Industry (PCI) Security Standards Council provides guidelines designed to help merchants securely store and transmit card account data, and prevent it from falling into the hands of criminals. Retailers who fail to comply with PCI’s standards can be fined by credit card providers such as Visa and MasterCard.

PCI constantly updates a series of recommendations for the prevention of skimming scams. “Skimming is becoming a widespread problem. These are guidelines for what retailers should be looking at with their reader devices,” says Bob Russo, former general manager of the PCI SSC. “We discuss different techniques for protecting those point-of-sale devices.”

The PCI Council’s “Skimming Prevention: Best Practices for Merchants” guidelines include a risk assessment questionnaire and self-evaluation forms that help merchants gauge their susceptibility to these types of attacks and determine where they need to shore up their defenses. The guidelines cover how to educate and protect employees who handle the point-of-sale devices from being targeted, as well as ways to prevent and deter the compromise of those devices. They also detail how to identify a rigged reader and what to do about it, and how the physical location of the devices and stores can raise the risk.

How to Protect Yourself

Regularly scrutinize your ATM. This means every ATM, even ones from your bank. You also want to check any card sliders, such as the ones at gas stations, especially if you’re using your debit card. If the scanner does not match the color and style of the machine, it might be a skimmer. You should also “shake” the card scanner to see if it feels like there’s something attached to the card reader on the ATM.

Cover the keypad when entering your PIN. In order to access your bank accounts, thieves need to have your card number and your PIN. By covering the keypad, you prevent cameras and onlookers from seeing your PIN.

Check your bank and credit card statements often. If someone does get your information, you have 60 days to report any fraudulent charges to your credit card company in order not to be charged. For a debit card, you only have about two days to report any suspicious activity.

Be choosy about where you use your cards. Don’t use general ATMs at bars or restaurants. These are not usually monitored and therefore can be easily tampered with by anyone.