Skip to main content

PCI Security Standards Council Publishes Guidance on Skimming Prevention

The PCI Security Standards Council, an open global forum for the development of  payment card security standards, released an update to its guidance for merchants on protecting against card skimming attacks in point-of sale (POS) environments at its annual North American Community Meeting.
Skimming Prevention: Best Practices for Merchants educates organizations on how to prevent the unauthorized capture and transfer of payment data to another source for fraudulent purposes, known as skimming. The guidance supports PCI Standards, controls and approved devices for maintaining POS security and a secure terminal environment.
Card skimming continues to be a highly profitable enterprise for criminals, with the United States Secret Service estimating it costs consumers and businesses at least $8 billion annually.
While commonly associated with external electronic devices placed on ATMs, skimming can compromise many different payment forms including, POS terminals, wireless networking technologies such as Bluetooth and Wi-Fi and even EMV chip cards.
With advancements in payment technology and new skimming techniques, merchants especially continue to be at risk. In response to this need, the Council formed an industry taskforce to update its guidance on skimming to address a wide range of common targets and  new attack vectors, including: data capture from malware and memory srapers or compromised software; overlay attacks that take advantage of the advances in 3D printers; mobile device weaknesses and attacks against EMV chip cards.
Security best practices outlined in the guidance can help businesses:
-- Identify risks relating to skimming both physical and logical based

-- Evaluate and understand vulnerabilities inherent in the use of POS terminals and terminal infrastructures, and those associated with staff that have access to consumer payment devices

-- Prevent or deter criminal attacks against POS terminals and terminal infrastructures

-- Identify any compromised terminals as soon as possible and notify the appropriate agencies to respond and minimize the impact of a successful attack
Organizations can also reference appendices in the document to assess
vulnerability risks, and in their efforts to meet PCI DSS Requirement 9.9 for ensuring proper inspection of POS devices and limiting the attack vector by implementing simple daily routines and training employees.
“Skimming is highly profitable and appeals to a wide range of criminals because it allows them to capture massive amounts of data in a short amount of time, with low risk of detection,” said Troy Leach, chief technology officer, PCI SSC. “Retailers and other organizations can use this guidance document to educate themselves on how to identify and prevent against this type of  attack.”
For quick and easy reference, a high-level overview of the guidance is available as a separate document on the PCI Council’s website here.

This ad will auto-close in 10 seconds