ATMs Draw Skimmer Spotlight

MasterCard's October 2016 liability-shift date for EMV at ATMs looms

Angel Abcede, Senior Editor/Tobacco, CSP


ALEXANDRIA, Va. -- As the EMV liability-shift date for ATMs drawing closer, the focus on data security at convenience stores heightens, spurred by recent statistics showing a spike in skimming activity at cash-dispensing machines, according to c-store association executives.

With overall Europay MasterCard Visa (EMV) security measures being bogged down due to slow-moving certifications, retailers face Purchase, N.Y.-based MasterCard's Oct. 1, 2016, deadline for EMV migration at ATMs with a high degree of dread.

The apprehension is only fanned with recent statistics showing an almost sixfold increase in ATM compromises from 2014 to 2015, according to San Jose, Calif.-based FICO. Criminal activity was highest at nonbank ATMs, such as those in convenience stores, where 10 times as many machines were compromised as in 2014, the card-alert service reported in its blog this past spring.

Unfortunately, the move to EMV won’t solve the issue of skimming, a crime in which thieves use different technologies to steal card data as customers use ATMs and other point-of-sale terminals, according to Gray Taylor, executive director for Alexandria, Va.-based c-store technology and standards firm Conexxus.

“We do think [EMV] is an important upgrade, but more importantly, retailers need to better protect their ATMs,” Taylor told CSP Daily News. “That means inspecting the machines, putting them in plain view of the cashier and installing security cameras.”

FICO also reported that ATM compromises were taking place over fewer days. The average duration of an ATM compromise fell from 36 days in 2014 to 14 days in 2015. The average number of cards affected by a compromise was cut in half.

“Criminals are taking a quick-hit approach to ATM theft and card fraud,” said T.J. Horan, vice president of fraud solutions at FICO, in a statement. “They are moving faster to make it harder for banks to react and shut down the compromises. They are targeting nonbank ATMs, which are more vulnerable—in 2015, nonbank ATMs accounted for 60% of all compromises, up from 39% percent in 2014.”

ATM compromises in 2015 also spread out across the country, whereas in 2014 the compromises were concentrated in large cities on the East Coast and West Coast. Horan said that ATM operators need to increase the frequency of their inspections, looking carefully for any signs of tampering.

Foster City, Calif.-based Visa has its ATM liability shift date set for Oct. 1, 2017, and both MasterCard and Visa have their liability shift dates for outdoor in-pump POS set for that same October 2017 deadline. The deadline for in-store POS passed in October 2015.


Angel Abcede, CSP/Winsight By Angel Abcede, Senior Editor/Tobacco, CSP
View More Articles By Angel Abcede