Written by: Richard Rocchio
Despite the continued adoption of Europay, Mastercard, and VISA (EMV) smart cards with chip technology, a new report from FICO Blog states that US card skimming exploded at a rate of almost 5x in 2022. Card skimming is a method of obtaining personal data from ATM, debit, or credit cards when used at an ATM or merchant location. While swiping a credit card is the least secure form of transaction, it remains surprisingly common. Over 161,000 individual cards spanning 2,730 unique financial institutions were impacted by compromises last year.
Consumer Vigilance Can Lower Card Skimming Risk
In most cases, a payment terminal that has a skimmer attached will be placed over or on top of the original swiping lane and prevent the user from completing any type of transaction but a swipe. A few very quick and easy steps a patron can take to mitigate their risk of being skimmed are as follows:
- Take advantage of the tap-to-pay technology whenever it is offered. The transfer of card data during a tap-to-pay transaction is tokenized and encrypted. In addition to security, this transaction generally is the fastest to complete.
- If tap-to-pay is not available, patrons should also consider using chip and personal identification number (PIN) transactions. While more secure than swipes, individuals must be careful to cover their PIN or any other information that may be required to authorize the payment. Tiny cameras used to record keypad inputs are also considered skimming.
- Lastly, patrons must always remain vigilant when using payment terminals. Specifically, in areas that are publicly accessible, common indicators of tampering include discolored attachments, glue or paint remnants on the terminal, and hardware that appears loose or not fully attached.
PCI-DSS Compliance for Merchants and Service Providers
While patrons should take the above measures to mitigate their risk of being skimmed, merchants and service providers who utilize these point-of-sale (POS) terminals must also ensure they comply with Payment Card Industry Data Security Standards (PCI DSS) requirement 9, Restrict Physical Access to Cardholder Data. The most relevant requirement within this criterion is 9.5.1, which states:
“Point of interaction (POI) devices that capture payment card data via direct physical interaction with the payment card form factor are protected from tampering and unauthorized substitution, including the following:
- Maintaining a list of POI devices.
- Periodically inspecting POI devices to look for tampering or unauthorized substitution.
- Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitution of devices.”
While this requirement is a start, FICO Blog states 64% of skimming campaigns are run for a week or less and 87% are run for two weeks or less. Despite the short campaigns, the average number of cards that are compromised per event is 185 cards. In areas with the highest traffic, that number can be multiplied several times.
The requirements stated in 9.5.1 mitigate controls, but its implementation relies on robust training and procedure of the front office personnel to perform timely inspections of payment terminals. While the new PCI DSS v4.0 requires a targeted risk analysis to determine the frequency of review, the information from the FICO Blog suggests those reviews should at a minimum occur weekly, if not more frequently.
While the blog gives a good case for the recommended frequency, best practice inspections should also include the following attributes:
- A documented checklist that is required to be completed by the front office personnel
- Name of inspector
- Start and end times of the inspection
- Comparisons to the serial numbers or label numbers of the devices being inspected and the documented inventory of payment terminals
- Physical inspections for tampering including a check of connected inputs
The Importance of Comprehensive Training
A robust training program that is completed upon hire and at least annually should give the front office personnel the knowledge on how to complete the checklists and inspections, as well as the common red and yellow flags to look for. If you have any questions about PCI DSS compliance requirements, reach out to Wolf today.