Skimming, or the theft of payment card data, typically by insiders, occurs when a rogue employee uses a hand-held card reader to swipe a card and retrieve its information, or when a criminal tampers with a merchant's payment infrastructure itself, Troy Leach, technical director at the PCI SSC told SCMagazineUS.com on Tuesday.
“Recent attacks in the headlines have led to the realization that a single fraud incident can put merchants out of business,” the document states.
The document provides best practices guidelines, photos of compromised card readers and hand-held skimmers, and a risk assessment questionnaire so organizations can determine how susceptible they are to being hit by skimming attacks. Risk factors are determined by things such as location, hours of operation and the presence of video monitoring.
The document does not put forth any new standards, but is intended to educate merchants that must comply with the PCI Data Security Standard.
Skimming is not mentioned in the standard, but one of its requirements mandates that organizations “restrict physical access to cardholder data,” a measure that would help prevent this type of attack, Leach said.
But taking measures to prevent skimming is a task that could easily “fall through the cracks” at organizations, he added.
“Protection of cardholder information goes to the IT security group, but what we have seen often is there isn't ownership of physical security of terminals because they operate sometimes independently on their own networks,” Leach said.
He said that if organizations have not already determined who is responsible for physically protecting customers' sensitive information, he hopes this document will facilitate the conversation.
Criminals can compromise a merchant's card reader by installing electronic equipment into the terminal to capture account data each time a card is passed through the device, Leach said. This equipment is so tiny that most merchants never realize their terminal has been compromised.
If the compromised card reader is connected to the internet, card numbers are remotely sent back to the criminal; if not, they are stored on a hard drive that the criminal returns to retrieve, he said.
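The article names the risk factors the guidance weighs (location, hours of operation, video monitoring) and the two ways a tampered terminal leaks data (remotely, if it is networked, or via storage the criminal must come back for). The following is an added example, not the PCI SSC questionnaire or any code from the guidance: a small terminal-inventory triage that turns those factors into an inspection schedule and flags the physical tamper indicators a merchant can actually check (serial number recorded at installation versus the one read at inspection, tamper-evident seal). The field names, scoring weights and inspection intervals are assumptions chosen for illustration; the sample terminals are constructed.

```python
"""Terminal inventory triage for card-skimming risk (added example).

Assumptions, not taken from the PCI SSC guidance: the scoring weights, the
inspection intervals derived from the score, and the field names below.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Terminal:
    terminal_id: str
    expected_serial: str      # serial recorded when the reader was installed
    observed_serial: str      # serial read at the most recent physical inspection
    seal_intact: bool         # tamper-evident seal found intact at that inspection
    last_inspected: date
    high_risk_location: bool  # e.g. unattended or publicly reachable reader
    open_overnight: bool      # extended hours mean less staff oversight
    video_monitored: bool
    network_connected: bool   # a skimmer here could exfiltrate remotely


def risk_score(t: Terminal) -> int:
    """Additive score over the article's risk factors (weights are assumptions)."""
    score = 0
    if t.high_risk_location:
        score += 3
    if t.open_overnight:
        score += 2
    if not t.video_monitored:
        score += 2
    if t.network_connected:
        score += 1
    return score


def inspection_interval_days(score: int) -> int:
    """Higher-risk readers get inspected more often (intervals are assumptions)."""
    if score >= 5:
        return 1
    if score >= 3:
        return 7
    return 30


def tamper_indicators(t: Terminal) -> list[str]:
    """Physical signs that the reader may have been swapped or opened."""
    found = []
    if t.observed_serial != t.expected_serial:
        found.append("serial mismatch")
    if not t.seal_intact:
        found.append("seal broken")
    return found


def assess(t: Terminal, today: date) -> dict:
    score = risk_score(t)
    due = t.last_inspected + timedelta(days=inspection_interval_days(score))
    indicators = tamper_indicators(t)
    if indicators:
        action = "quarantine"   # pull the reader from service, preserve it as evidence
    elif today > due:
        action = "inspect"      # overdue for its risk tier
    else:
        action = "ok"
    return {"terminal_id": t.terminal_id, "score": score, "due": due,
            "overdue": today > due, "indicators": indicators, "action": action}


def triage(terminals: list[Terminal], today: date) -> list[dict]:
    """Order findings so tamper evidence comes first, then overdue high-risk readers."""
    priority = {"quarantine": 0, "inspect": 1, "ok": 2}
    results = [assess(t, today) for t in terminals]
    return sorted(results, key=lambda r: (priority[r["action"]], -r["score"]))


# Constructed sample inventory, not real merchant data.
SAMPLE_TERMINALS = [
    Terminal("T-01", "SN-1001", "SN-1001", True, date(2024, 3, 1),
             high_risk_location=True, open_overnight=True,
             video_monitored=False, network_connected=True),
    Terminal("T-02", "SN-1002", "SN-2002", True, date(2024, 2, 20),
             high_risk_location=False, open_overnight=False,
             video_monitored=True, network_connected=True),
    Terminal("T-03", "SN-1003", "SN-1003", True, date(2024, 3, 1),
             high_risk_location=False, open_overnight=True,
             video_monitored=True, network_connected=False),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_TERMINALS, date(2024, 3, 5)):
        print(finding)
```

T-02 is flagged first even though its risk score is the lowest: a serial number that no longer matches the installation record is direct evidence of a swapped reader, which matters more than any questionnaire score. T-01, the unattended, unmonitored, networked reader, scores highest and is already overdue on its one-day interval.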