Risk Management | Data Security
9 June 2016
How to Identify and Mitigate Skimming Attacks at the Point of Sale
Canada, LAC, U.S. | Acquirers, Merchants
Overview: Visa is alerting clients to recent incidents in which skimming devices were placed on point-of-sale
(POS) terminals to collect payment card information, including PINs.
Payment system stakeholders should be aware of a rise in incidents in
which skimming devices are placed on POS terminals to collect payment
card information, including PINs. Perpetrators use this information to
create counterfeit cards that are then re-encoded with the stolen card
information and used to make unauthorized ATM withdrawals.
The primary targets of these recent skimming events are self-checkout
terminals in supermarkets. However, any POS terminal may be at risk,
including those that are often unattended, such as terminals near deli
counters, coffee stands, automated fuel dispensers (AFDs), etc. The
perpetrators will target multiple stores in a given area before moving on
to a new location. Most of the targeted merchants use payment devices
that have not yet been upgraded to accept EMV cards.
How and When Perpetrators Place Skimming Devices
Perpetrators usually install skimming devices, which can be made to look like the front of a POS terminal, during
slower hours of business so the crime can go undetected by employees or other customers. The perpetrators
usually work as a team, with one person acting as a lookout, a second person placing the skimming device and
possibly a third person blocking the skimming device from the view of others or cameras.
Perpetrators have been known to use large items, such as packs of paper towels, to block the view of POS
terminals. In some instances, suspects have created a distraction in the store by faking a medical incident or
causing a commotion that diverted the attention of personnel from the POS terminals.
Perpetrators also employ terminal-swapping to place a skimming device without being detected. This usually
happens at the end of the business day, when employees are distracted or not attending the terminal, and
perpetrators replace the merchant terminal with an imitation. Overnight, the perpetrators modify the merchant’s
terminal with Bluetooth, a PIN underlay and magnetic-stripe reader. When the merchant opens the next morning,
the perpetrators return and replace the imitation terminal with the original merchant terminal. Under inspection, it
appears nothing has happened because the serial number matches.
For more information, refer to Skimming—A Resource Guide From the PCI Security Standards Council.
AI05562
Recommended Inspection and Response Actions
Merchants should employ the following procedures to mitigate the risk of skimming devices.
Device Inventory Management
• In accordance with the Payment Card Industry Data Security Standard (PCI DSS), implement security controls
  to protect POS devices from tampering and substitution, such as:
  o Maintaining a list of devices, including the device serial number or other methods of unique identification.
  o Keeping a list of device locations, either by store or specific location in the store (e.g., self-checkout,
    deli counter, manned checkout).
  o Training personnel to be aware of suspicious behavior and to report any tampering with or
    substitution of devices.
  o Verifying the identity of anyone claiming to be repair or maintenance personnel before granting them
    access to devices.
Skimming Device Detection
• Inspect POS terminals at least twice a day, at random times.
• A skimming device is typically attached to the front of a POS terminal with a minimal amount of adhesive to
  make it easy for perpetrators to place and remove. In cases where the skimming device has not been
  removed, it may be detected by pulling on the front of the POS / PIN-entry device terminal.
• If tampering with a POS terminal is suspected but not obvious, weighing the terminal may help identify the
  presence of a skimming device.
• When inspecting devices, monitor from a distance, as suspects may watch compromised terminals and may
  be trained in counter-surveillance to avoid detection and/or arrest.
• Install file integrity monitoring to be notified if or when a terminal has been modified or has had malware
  installed. This will also alert you if it has been swapped and modified.
• Install a hardware cable onto the POS terminal to prevent it from being swapped.
Note: Some skimming devices are Bluetooth-enabled, and perpetrators can capture data without the device
needing to be recovered.
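The Device Inventory Management and Skimming Device Detection controls above, as an added example that is not part of Visa's advisory or of any PCI Security Standards Council tool: a Python reconciliation of a walk-through inspection against the merchant's device inventory. It flags an unlisted terminal, a known terminal at the wrong position, a terminal that is missing, and the swap-and-modify case the advisory describes, where the serial number still matches but the firmware/configuration bundle no longer does, which is what integrity monitoring adds over a serial check alone. It also picks the two random daily inspection times the Detection section calls for. All serial numbers (PED-1001 and so on), locations, firmware images and the SHA-256 fingerprint are constructed assumptions.

```python
"""Added example: reconcile a POS terminal inspection against the device inventory.

Demonstrates two controls from the advisory: the PCI DSS device inventory
(serial number and location per terminal) and integrity monitoring that
catches a terminal swapped and modified overnight even though its serial
number still matches. Serials, locations and firmware images are constructed
sample data, not real devices.
"""
import hashlib
import random
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class DeviceRecord:
    serial: str            # unique identifier printed on the terminal
    location: str          # store / position, e.g. "store-42/self-checkout-1"
    fingerprint: str       # SHA-256 of the terminal's firmware/config bundle at deployment


@dataclass(frozen=True)
class Observation:
    serial: str
    location: str
    firmware: bytes        # firmware/config bundle read from the terminal at inspection time


def fingerprint(bundle: bytes) -> str:
    """Integrity fingerprint of a firmware/config bundle (SHA-256 hex digest)."""
    return hashlib.sha256(bundle).hexdigest()


# Constructed baseline inventory: what the merchant recorded at deployment.
GOOD_FIRMWARE = b"constructed-vendor-firmware-v1"
INVENTORY = {
    "PED-1001": DeviceRecord("PED-1001", "store-42/self-checkout-1", fingerprint(GOOD_FIRMWARE)),
    "PED-1002": DeviceRecord("PED-1002", "store-42/self-checkout-2", fingerprint(GOOD_FIRMWARE)),
    "PED-1003": DeviceRecord("PED-1003", "store-42/deli-counter", fingerprint(GOOD_FIRMWARE)),
}


def reconcile(inventory: dict, observations: list) -> list:
    """Compare a walk-through inspection against the inventory.

    Returns (finding, serial, detail) tuples:
      UNKNOWN_DEVICE      serial not in inventory (possible imitation terminal)
      LOCATION_MISMATCH   known device found at a different position
      INTEGRITY_MISMATCH  serial matches but firmware/config differs (swap-and-modify)
      MISSING_DEVICE      inventoried device not seen during the inspection
    """
    findings = []
    seen = set()
    for obs in observations:
        record = inventory.get(obs.serial)
        if record is None:
            findings.append(("UNKNOWN_DEVICE", obs.serial, obs.location))
            continue
        seen.add(obs.serial)
        if obs.location != record.location:
            findings.append(("LOCATION_MISMATCH", obs.serial,
                             f"expected {record.location}, found {obs.location}"))
        if fingerprint(obs.firmware) != record.fingerprint:
            findings.append(("INTEGRITY_MISMATCH", obs.serial, obs.location))
    for serial in sorted(inventory.keys() - seen):
        findings.append(("MISSING_DEVICE", serial, inventory[serial].location))
    return findings


def schedule_inspections(opens: datetime, closes: datetime, count: int = 2,
                         seed=None) -> list:
    """Pick `count` distinct random inspection times within business hours, earliest first.

    Randomising the times keeps the walk-through unpredictable to anyone watching
    the terminals. Pass a seed for a reproducible schedule (tests); leave it None in use.
    """
    rng = random.Random(seed)
    span_minutes = int((closes - opens).total_seconds() // 60)
    offsets = sorted(rng.sample(range(span_minutes), count))
    return [opens + timedelta(minutes=m) for m in offsets]


# Constructed business hours for the sample store.
STORE_OPENS = datetime(2016, 6, 9, 7, 0)
STORE_CLOSES = datetime(2016, 6, 9, 22, 0)

# Constructed inspection: PED-1002 was swapped overnight and modified (same serial,
# different image), PED-1003 is missing, and an unlisted terminal sits at the deli.
SAMPLE_INSPECTION = [
    Observation("PED-1001", "store-42/self-checkout-1", GOOD_FIRMWARE),
    Observation("PED-1002", "store-42/self-checkout-2", b"constructed-modified-image"),
    Observation("PED-9999", "store-42/deli-counter", GOOD_FIRMWARE),
]

if __name__ == "__main__":
    for finding in reconcile(INVENTORY, SAMPLE_INSPECTION):
        print(*finding)
    for t in schedule_inspections(STORE_OPENS, STORE_CLOSES):
        print("inspect at", t.strftime("%H:%M"))
```

The fingerprint is whatever integrity evidence the terminal can produce (a firmware image, a configuration export, or the checksum the vendor's management tool reports); the point is that it is captured at deployment and compared on every inspection, so a device that passes the serial-number check still fails when its contents have changed.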
Device Recovery
• If a skimming device is discovered on a POS terminal, do not handle it, as it could be damaged and thus
  compromised as evidence.
• Notify local law enforcement and/or the FBI or U.S. Secret Service offices so they can recover the skimming device.
• Protect any video surveillance that may be used as evidence to identify any perpetrators and determine when
  they may have placed the device on the POS terminal.
• Initiate the incident response procedures detailed in Visa's What To Do If Compromised document and notify your
  acquirer so Visa can assist with the investigation.
Documents & Publications
PCI DSS—Requirements and Security Assessment Procedures, Version 3.2
Skimming—A Resource Guide From the PCI Security Standards Council
Visa Payment Acceptance Best Practices for U.S. Retail Petroleum Merchants
Online Resources
Visit the PCI DSS Document Library for more information.
For more information, email:
• Canada: [email protected]
• LAC: [email protected]
• U.S.: [email protected]
Notice: This Visa communication is furnished to you solely in your capacity as a customer of Visa Inc. (or its authorized agent) or a participant in the Visa payments
system. By accepting this Visa communication, you acknowledge that the information contained herein (the "Information") is confidential and subject to the
confidentiality restrictions contained in the Visa Rules, which limit your use of the Information. You agree to keep the Information confidential and not to use the
Information for any purpose other than in your capacity as a customer of Visa Inc. or a participant in the Visa payments system. You may disseminate this
Information to a merchant participating in the Visa payments system if: (i) you serve the role of “acquirer” within the Visa payments system; (ii) you have a direct
relationship with such merchant which includes an obligation to keep Information confidential; and (iii) the Information is designated as “affects merchants”
demonstrated by display of the storefront icon ( ) on the communication. A merchant receiving such Information must maintain the confidentiality of such
Information and disseminate and use it on a “need to know” basis and only in their capacity as a participant in the Visa payments system. Except as otherwise
provided, the Information may only be disseminated within your organization on a need-to-know basis to enable your participation in the Visa payments system.
Please be advised that the Information may constitute material nonpublic information under U.S. federal securities laws and that purchasing or selling securities of
Visa Inc. while being aware of material nonpublic information would constitute a violation of applicable U.S. federal securities laws. This information may change
from time to time. Please contact your Visa representative to verify current information. Visa is not responsible for errors in this publication.