Sunday, October 27, 2024

The PCI Council Offers Guidelines to Fight Skimming Scourge

While much of the credit and debit card industry's attention is focused on new indictments that detail how hackers penetrated the computer systems of big processors and merchants to steal tens of millions of card numbers (Digital Transactions News, Aug. 18), the PCI Security Standards Council is trying to shine some light on another nagging problem: skimming. The Council on Tuesday released a downloadable white paper about how skimming happens and what merchants and processors can do to prevent it.

“This is something that gets them to think about what they should do,” PCI Council general manager Robert Russo tells Digital Transactions News. Russo says that “you'd be shocked” at how many merchants, especially small ones, don't know where the serial numbers or other important features of their point-of-sale equipment are, a situation that makes it easier for skimming fraudsters to escape detection.

Skimming typically involves the illicit placement of a device on a POS terminal, fuel pump, or ATM to capture the card number as a card is swiped. The device also may automatically record the PIN as the cardholder types it. Fraudsters harvest such data either by removing the skimming device or by transmitting data from the compromised machine wirelessly to a location where they can download the information. After that, they can make counterfeit cards for illegal purchases and ATM withdrawals. So-called shoulder surfing is another form of skimming in which fraudsters obtain PINs through small hidden cameras placed near a terminal or ATM to record the cardholder's keystrokes.

Reports about skimming have abounded in the general press in recent months, though experts say it's hard to discern whether the crime truly has increased. The government doesn't compile specific data about skimming.
Russo does not have an estimate for skimming-related losses, nor do several security experts contacted by Digital Transactions magazine for a story about skimming in its upcoming September issue. Nonetheless, sources told the magazine that skimming losses probably are running at about $1 billion a year. “Suffice to say, it's a problem,” says Russo.

The Wakefield, Mass.-based PCI Council's PIN-Entry Device Working Group compiled the white paper, “Skimming Prevention: Best Practices for Merchants”, with input from law-enforcement and industry experts. The 28-page document has guidelines to help merchants and processors evaluate skimming risks, understand the vulnerabilities of terminals and related equipment, assess risks involving staff members with access to the devices, deter skimming attacks, and identify compromised terminals as soon as possible after an attack.

For instance, it tells merchants to watch for manufacturers' labels that may have been removed or changed, and wires and other components that look like they've been tampered with. “This is just common sense,” says Russo. “We bring those things to their attention.” While the report focuses mostly on small merchants, it also has technical information of interest to bigger ones, he adds.

The paper doesn't hand down any new rules that merchants must obey to prevent skimming, but it's possible some of its recommendations could make their way into the next revision of the PCI standard due out next year, according to Russo. But he says that, “At this point, we're very early in the feedback” about the current version.

The paper can be downloaded from: www.pcisecuritystandards.org/education/info_sup.shtml
