Important Alerts

Please remember that Jefferson Bank will never contact you and ask you for personal information. Should you ever feel like your information has been compromised, please contact us at (210) 736-7600.

What is Skimming and How Do I Safeguard My Credit Card Terminal?

Skimming is the unauthorized capture and transfer of payment data to another source for fraudulent purposes. This can take place:

  • Directly from the consumer’s payment device (card) through a small, portable card reader. This occurs during a payment transaction conducted by the consumer at a merchant location and usually involves internal merchant personnel who have both criminal intent and direct access to the consumer payment device with little or no observation at the time of the payment. The majority of skimming attacks deal with the capture of payment data from magnetic-stripe payment cards.
  • At the merchant location via the POS terminal and their respective infrastructures (terminal locations, wires, communication channels, switches, etc.). Criminals will insert electronic equipment by various means into the terminal or the terminal infrastructure in order to capture consumer account data. The skimming equipment can be very sophisticated, small and difficult to identify. Often it is hidden within the terminal so neither the merchant nor the cardholder knows that the terminal has been compromised.

Understanding Terminal Fraud Types

  • Terminals will have a sticker attached to the underside, which provides details of the terminal and will include a serial number (SN). The majority of terminals will also have a method of displaying the SN electronically. As part of your routine inspection of the credit card terminal, check the SN on the back of the terminal and compare this against the electronic SN. Additionally, run your finger along the label to check that it is not hiding a skimming device.
  • Security stickers or company stickers placed over screw holes or seams will act as indicators if the terminal case has been opened. Criminals often remove these labels when compromising terminals and may replace them with their own printed versions. When you first receive the terminal make careful note of label position, color, and materials used. Also look for signs that the label may have been removed or tampered with.
  • As a business owner, you and your staff should be aware of additional and/or unfamiliar electronic equipment connected to the terminal, cash register, or network connections.
    • Key loggers are used to record all keystrokes made by electronic cash registers, computers, etc.
    • Changes to terminal connections (e.g., cables, telephone connections, etc.) can provide fraudsters the means to electronically record and store your customers’ data for fraudulent use.
    • Modern digital or miniature cameras can be easily hidden at the merchant location. Criminals hide these cameras in a ceiling tile above the terminal to record the cardholder entering his/her PIN.
    • Voice recorders or MP3 players are used by criminals to connect into telephone exchanges to record transmissions to the merchant’s financial institution.
  • Wi-Fi connections need to be secured and ports should not be shared with other networks. Wi-Fi signals can extend far beyond the four walls of your location.
  • Criminals will pose as “service engineers” or a representative from your financial institution. They will then install fraudulent devices or switch out your equipment. Never allow an unannounced technician or “bank” representative to have access to your sales equipment. Jefferson Bank will never visit your place of business for merchant needs without a scheduled appointment. You and your staff should make it common practice to verify all service representatives that visit your location.

Impact of Skimming Attacks

The impact of a skimming attack is significant for all involved. It undermines the integrity of the credit card payment system, employee trust, industry relationships, and your business reputation. There is a cost to skimming attacks beyond the loss of monies, goods and services. Merchants have become more aware of the impact that skimming may have, as it is one of the top three fraud types a merchant must address. Consumers are becoming more aware of the risks involved and are taking their business elsewhere when they know which merchants they cannot trust with their card security. The best step a merchant can take is to remain diligent in appropriate security measures to ensure the integrity of their payment terminals and payment infrastructures.

Guidelines and Best Practices¹

  • Physical Protections – Merchants must remain proactive in maintaining a secure environment in their place of business to ensure their terminal or infrastructure is not at risk of being compromised. This includes the security of wiring and communication lines, protection of all locations in which access of the terminal may be provided, appropriate lighting in secure areas, surveillance cameras, and immediate examination of all terminals if anything has been moved or if there is any evident tampering. When setting up your terminal, select a location that will be secure and difficult for criminals to gain access to.
  • Hiring and Staff Awareness – Staff members can potentially become prime targets for criminals attempting to coerce or bribe them into providing proprietary information. Hold staff meetings to train staff on the proper way to handle these situations if fraud attacks are attempted. Employee access to proprietary information should be limited to prevent potential criminal misuse. Background checks may assist in hiring decisions, responsibility levels or protection of sensitive data. While internal fraud is a difficult subject to address, it can be the most damaging. Handheld skimmers that fit in the palm of your hand can store a significant amount of account details and can be used by corrupt staff for criminal purposes.
  • Risk Analysis – PCI SSC recommends merchants seek out and use qualified security professionals to help them assess risk at their place of business and terminal environments. A risk analysis process for skimming attacks and the POS should include identification of assets, threats and probability of any threats taking place. Merchants can also complete a Risk Assessment Questionnaire at www.pcisecuritystandards.org.

Added protection for your customers:

Offering NFC as an option for your customers to pay adds an extra layer of protection. NFC stands for near-field communication, and it allows most smartphones to communicate over a short distance. It allows their phones to take the place of a debit or credit card and is one of the safest ways for customers to pay at a terminal. Ask FiTech by Deluxe® if this is an option for your equipment.

¹ Skimming prevention and additional best practice guidelines can be found on The Payment Card Industry Security Standards Council’s (PCI SSC) website. The PCI SSC has a primary mission of ensuring the security of payment data and the security of the payment infrastructure that processes that data. Threats and vulnerabilities constantly evolve, and merchants should expect increased security standards and requirements that include terminal types, terminal infrastructure, payment devices and payment process. Merchants must work to enhance the security provided by current PCI SSC standards and payment terminal vendors. Merchants have the responsibility of ensuring their payment systems and infrastructure are secure, as they are the first line of defense for POS fraud and are involved in the execution of PCI SSC requirements. Merchants must take into consideration all factors that may potentially influence security in their terminal environment.

 
