Illegally capturing customer payment card numbers, or skimming, is a huge threat to merchants, according to an upcoming report on the criminal activity. Skimming can be carried out as simply as one corrupt employee in a restaurant or retail shop using a handheld skimmer to capture customer payment card data, or in complex schemes that involve changing wiring and cabling to point-of-sale payment terminal connections, or swapping out legitimate terminal equipment for ones that serve the criminal, not the merchant. According to the "Skimming Prevention: Best Practices for Merchants" guidelines expected to be issued by the Payment Card Industry Security Standards Council today, even tiny cameras hidden in ceilings and charity boxes left on retail counters are being used to steal detailed customer payment data, including PIN numbers. Miniature digital cameras have been found "hidden in false ceilings," above PIN pads, or on store counters "in boxes to hold leaflets" and in "charity boxes next to PIN pads," the council's report notes. Criminals use "miniature cameras to observe and record the PIN as it is entered."
Attackers are doing whatever takes to tamper with payment-terminal equipment to compromise it by adding skimmers, sometimes paying off employees to look the other way.
"The skimming equipment can be very sophisticated, small and difficult to identify," the council's report notes. "Often it is hidden within the terminal so neither the merchant nor the cardholder knows that the terminal has been compromised." Even MP3 players and voice recorders have been used as skimming equipment, the report says.
The "Skimming Prevention" paper includes vivid photos to illustrate how some of the skimming devices work in order to advise merchants what to watch out for.
Skimming "is one of the most common threats or fraud types the payment industry deals with," the council points out, adding that skimming, of which a few dozen instances are found each day, is leading to losses of a few thousand or even millions of dollars.
Troy Leach, technical director at the PCI Security standards Council, says there are instances in which payment terminals are physically stolen and then returned, and while they may seem to work the same to the merchant, the compromised terminals have been changed to share data with criminals.
In particular, older equipment is more prone to tampering than new terminals. The council says merchants, when purchasing new equipment, should make sure that it is approved to meet the requirements of the PCI PTS Security Evaluation program, which are listed here. Leach also notes there are huge dangers associated with buying equipment used online or from unknown sources where criminals may simply be luring merchants, through inexpensive prices for equipment, to unwittingly install skimmers.
The "Skimming Prevention" guide seeks to highlight some steps merchants might take to minimize risk, such as checking employee backgrounds before hiring, and keeping close track of the physical location and configuration of terminals by make, model and serial number to be able to spot unauthorised changes,
The council's paper, based on input from the group's PIN Entry Device Working group led by Visa, as well as investigative experience from law enforcement agencies, contains some tips for protection through physical security and ways to recognize some types of tampering, such as new stickers suddenly placed on equipment, which could be hiding a drilled hole.