On Wednesday, PCI SSC updated its card skimming prevention guidance for the first time in five years.

The Payment Card Industry Security Standards Council (PCI SSC) has updated its card-skimming prevention guidance for merchants to help stop the theft of payment data in point-of-sale environments.

PCI SSC last published similar anti-skimming guidance in 2009, so the update, published Wednesday, comes at a highly relevant time for retailers.

The guidance addresses both “common targets and new attack vectors” that criminals have taken up over the years, a release from the council said, including data capture via malware or compromised software. In addition, overlay attacks leveraging technological advancements in 3D printers, as well as attacks against EMV chip cards, are discussed in the 36-page document (PDF) called "Skimming Prevention: Best Practices for Merchants (version 2.0)."

The guidance is composed of two chapters: one explains card skimming, the typical culprits, and its impact on affected entities; the other lays out best practices and guidelines for merchants to follow in order to identify and mitigate threats.

Additionally, the document's Appendix A and Appendix B were included to help retailers quantify the risks associated with their payment terminal location and infrastructure, the document said, and to provide a checklist for monitoring terminal assets.

The updated guidance was published just days after Home Depot confirmed on Monday that its payment data systems were breached, as security journalist Brian Krebs had initially warned. On Sunday, Krebs further revealed that a new variant of BlackPOS malware (which also struck Target's point-of-sale systems), was used to target card data on Home Depot's systems.

Krebs estimated that all of Home Depot's 2,200 stores in the U.S. could be impacted by its breach, and that the incident could be many times larger than the breach hitting Target last December.

On Thursday, Troy Leach, CTO for the PCI Security Standards Council, told SCMagazine.com in an interview that much of the skimming prevention guidance was “basic security, common sense activity that any merchant could follow,” and that it takes into consideration the range of methods used to target card data in today's threat landscape.

For instance, a section on malware in the guidance said that ATMs, PCs with access to card data, electronic cash registers, computer-based POS systems, and mobile devices, along with compromised terminals, were all viable points of attack for criminals.

“The last time we published this guidance was in 2009, and we realized that new skimming attacks had become prevalent,” Leach said. “Malware inside of [payment] terminals is obviously front page news now, and we address that,” he later added.