Skimming is the unauthorized capture and transfer of payment data to another source for fraudulent purposes through payment cards or the payment infrastructure. The guidelines presented in the "Skimming Prevention: Best Practices for Merchants" informational supplement include actionable recommendations for protecting merchant terminals based on established countermeasures identified by the merchant community: physical location and security; terminal and terminal infrastructure security; and staff and service access to payment devices.
Spearheaded by the Council's PIN Entry Device (PED) Working Group, with input from law enforcement and industry experts closest to credit card skimming threats, the suggested guidelines help merchants to:
Evaluate the risks relating to skimming.
Understand the vulnerabilities inherent in the use of point-of-sale terminals and terminal infrastructure.
Assess challenges associated with staff that has access to consumer payment devices.
Prevent or deter criminal attacks against point-of-sale terminals and terminal infrastructure.
Identify any compromised terminals as soon as possible and notify the appropriate agencies to respond and minimize the impact of a successful attack.
"In today's heightened threat environment, skimming remains a popular method of data compromise. Merchants can protect their business and their customers by educating themselves on risk, and taking active steps to protect their terminal infrastructure from fraud," said Troy Leach, technical director of the PCI Security Standards Council. "By following the guidelines outlined in this document, merchants can improve security levels in their terminal environment and defend against this type of attack."
In addition to guidance on areas of vulnerability to address, the document provides a series of visual examples of compromised terminals and infrastructure that clarify for merchants exactly the types of warning signs they should be looking for. The new resource also provides practical templates for implementing recommendations such as conducting a risk assessment for your terminal environment and maintaining a regularly updated inventory of evaluated terminal equipment. The Council is publishing this guide as a direct result of feedback from merchant representatives on the PCI SSC board of advisors.
"This 'Skimming Prevention' informational supplement is another excellent example of the Council's ongoing mission to educate merchants on steps they can take to increase the security of cardholder data and decrease risk to their payment data environment," said Bob Russo, general manager of PCI SSC. "Used in conjunction with the Council laboratory tested and approved PIN Entry Device listings, these guidelines will arm merchants with yet more ammunition against data compromise."
Click here to download the PCI SSC "Skimming Prevention" paper.
The mission of the PCI Security Standards Council is to enhance payment account security by fostering broad adoption of the PCI Data Security Standard and other standards that increase payment data security. The PCI Security Standards Council was formed by the major payment card brands American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa Inc. to provide a transparent forum in which all stakeholders can provide input into the ongoing development, enhancement and dissemination of the PCI Data Security Standard (DSS), PIN Entry Device (PED) Security Requirements and the Payment Applications Data Security Standard (PA-DSS). Merchants, banks, processors and point-of-sale (POS) vendors are encouraged to join as participating organizations.