Best practices for skimming prevention
The PCI Security Standards Council released an update to its guidance for merchants on protecting against card skimming attacks in POS environments.
Card skimming continues to be a highly profitable enterprise for criminals, with the United States Secret Service estimating it costs consumers and businesses at least $8 billion annually.
While commonly associated with external electronic devices placed on ATMs, skimming can compromise many different payment forms including, POS terminals, wireless networking technologies such as Bluetooth and Wi-Fi and even EMV chip cards. With advancements in payment technology and new skimming techniques, merchants especially continue to be at risk.
In response to this need, the Council formed an industry taskforce to update its guidance on skimming to address a wide range of common targets and new attack vectors, including: data capture from malware and memory scrapers or compromised software; overlay attacks that take advantage of the advances in 3D printers; mobile device weaknesses and attacks against EMV chip cards.
Security best practices:
Identify risks relating to skimming – both physical and logical based.
Evaluate and understand vulnerabilities inherent in the use of POS terminals and terminal infrastructures, and those associated with staff that have access to consumer payment devices.
Prevent or deter criminal attacks against POS terminals and terminal infrastructures.
Identify any compromised terminals as soon as possible and notify the appropriate agencies to respond and minimize the impact of a successful attack.
Organizations can also reference appendices in the document to assess vulnerability risks, and in their efforts to meet PCI DSS Requirement 9.9 for ensuring proper inspection of POS devices and limiting the attack vector by implementing simple daily routines and training employees.
“Skimming is highly profitable and appeals to a wide range of criminals because it allows them to capture massive amounts of data in a short amount of time, with low risk of detection,” said Troy Leach, CTO, PCI SSC. “Retailers and other organizations can use this guidance document to educate themselves on how to identify and prevent against this type of attack.”