The Green Sheet

Tuesday, September 1, 2009

PCI SSC combats skimming with new resource

The PCI Security Standards Council (PCI SSC) issued a new supplement designed to educate merchants on how to defend against skimming attacks. Entitled "Skimming Prevention – Best Practices for Merchants," the supplement authored by the PCI SSC PIN Transaction Security Working Group focuses on defining for merchants what skimming entails and how merchants can protect against it.

The working group defines skimming as the "unauthorized capture and transfer of payment data to another source for fraudulent purchases." This can be accomplished by stealing the data directly off of payment cards or by infiltrating payment networks via POS terminals, terminal locations, wires, communication channels, switches and so forth.

The first type of attack, which the authors said is the most common, usually occurs at the POS and is usually perpetrated by "internal merchant personnel who have both criminal intent and direct access to the consumer payment device (payment card) with little or no observation at the time of payment."

Among the most common of inside jobs are restaurant wait staff who disappear with diners' credit cards and skim the card numbers in private, said Bob Russo, General Manager of the PCI SSC.

The second type involves criminals inserting electronic devices into POS terminals or terminal infrastructures. "The skimming equipment can be very sophisticated, small and difficult to identify," the supplement said. "Often it is hidden within the terminal so neither the merchant nor the cardholder knows that the terminal has been compromised."

Both modes of attack have proven to be highly profitable. According to ADT Security Services Inc., skimming nets fraudsters approximately $350,000 daily in the United States. And payment consultancy Celent LLC estimates skimming drains the global economy of $1.2 billion annually.

Details

Russo said smaller merchants are particularly vulnerable to skimming attacks. Mom-and-pop merchants are busy running their businesses and might overlook signs that their POS terminals have been compromised, he said. This is why the paper, while useful for larger merchants, is designed especially for the smaller, level 4 merchants.

To make it as easy as possible for merchants, the supplement provides photographs of how terminals are tampered with and how merchants can detect evidence of such tampering. For example, fraudsters have to break security stickers and labels on the undersides of terminals to get inside devices. They will then often replace the stickers and labels with their own to hide that devices have been compromised.

Therefore, the supplement recommends that merchants routinely and thoroughly inspect terminals for signs of outward alteration. It is also helpful if merchants know what the actual skimming devices look like. For example, a key logger used to capture the keystrokes of an electronic cash register can be smaller in circumference than a quarter and can easily be mistaken for part of the register's normal cabling.

Similarly, digital cameras can be employed to photograph cardholders entering PINs into terminals. When removed from their housings, the main camera hardware can be tiny and easily hidden in a ceiling tile above the terminal. The paper illustrates how one fraudster posed as a service engineer and informed a merchant that the merchant's terminal must be placed in a "secure box" to prevent fraud.

The box contained a skimmer to lift card numbers off of mag stripes and a miniature camera to capture PINs. For technologically unsophisticated merchants, such a devious trick can be prevented by following the working group's advice: "Be cautious of unannounced service visits."

Solutions

Russo characterized the working group's recommendations as taking a common sense approach to preventing skimming attacks. The supplement lays out guidelines and best practices merchants are advised to follow. The guidelines fall into three main categories:

  • Merchant physical location and security
  • Terminals and terminal infrastructure security
  • Staff and service access to payment devices

Among the working group's recommendations for securing retail environments are to:

  • Limit and control customer access to payment locations from floor to ceiling
  • Keep payment areas well lit
  • Employ surveillance cameras and image storage capabilities in line with PCI SSC guidelines

As for terminal infrastructure security, the paper suggests merchants understand and relay to their employees the "entire cable path from the terminal to the point where it leaves your merchant location" because fraudsters can infiltrate and hide devices anywhere within that path.

It is also incumbent on merchants to scrutinize their employees and vendors, which the PCI SSC realizes is a sensitive issue. But that staff and outside contractors are "targets" of fraudsters, either through "bribery or coercion," is an unfortunate fact, the supplement said.

Thorough background checks – if legal – should be employed on potential new hires. And procedures should be implemented to ensure that service engineers who arrive on business premises to conduct terminal checks or provide other related services are who they say they are and have arrived at a previously specified time and date.

How vulnerable are you?

Russo stressed the value of the supplement's two appendices to mom-and-pop merchants. The first one helps merchants quantify their risk levels. More than two dozen questions posed to merchants are designed to evaluate whether merchants can be classified as at low, medium or high risk of skimming attacks.

The second appendix is basically a checklist that allows merchants to document the details of their POS terminals and systems. "Take a picture of your device," Russo said. "What's the serial number? Where's it located? Where is the label? Is the label on the right side or the left side?

"So that when periodically somebody goes around and looks at these things to check them, they check them against this list to see if there's anything that looks different from what they had before."
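The periodic check Russo describes is a baseline comparison: record each terminal's details once, then flag anything that differs at the next inspection. The following is an added example, not code from the supplement or the PCI SSC; the record fields (serial number, location, label side, seal ID, reference photo hash) and all sample device values are constructed for illustration.

```python
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class TerminalRecord:
    terminal_id: str     # merchant's own identifier for the device
    serial_number: str   # serial printed on the device
    location: str        # where the device sits in the store
    label_side: str      # "left" or "right": which side the security label is on
    seal_id: str         # identifier printed on the tamper-evident sticker
    photo_sha256: str    # hash of the reference photo taken at baseline time


def compare_inspection(baseline, inspection):
    """Return {terminal_id: [(field, expected, observed), ...]} for every
    terminal whose inspected details differ from the baseline record.
    Terminals in the baseline but not inspected are reported as missing;
    inspected terminals absent from the baseline are reported as unknown."""
    findings = {}
    for tid, expected in baseline.items():
        observed = inspection.get(tid)
        if observed is None:
            findings[tid] = [("presence", "present", "missing")]
            continue
        obs = asdict(observed)
        diffs = [(f, e, obs[f]) for f, e in asdict(expected).items() if obs[f] != e]
        if diffs:
            findings[tid] = diffs
    for tid in inspection.keys() - baseline.keys():
        findings[tid] = [("presence", "not in baseline", "unknown device")]
    return findings


# Constructed sample data: placeholder serials, seals and photo hashes.
BASELINE = {r.terminal_id: r for r in [
    TerminalRecord("T1", "SN-0001", "front counter", "left", "SEAL-11", "a1" * 32),
    TerminalRecord("T2", "SN-0002", "back register", "right", "SEAL-22", "b2" * 32),
]}
INSPECTION = {r.terminal_id: r for r in [
    TerminalRecord("T1", "SN-0001", "front counter", "left", "SEAL-11", "a1" * 32),
    # Label moved and seal ID changed: the kind of replaced-sticker sign the paper describes
    TerminalRecord("T2", "SN-0002", "back register", "left", "SEAL-99", "b2" * 32),
    TerminalRecord("T3", "SN-0003", "stock room", "right", "SEAL-33", "c3" * 32),
]}

if __name__ == "__main__":
    for tid, diffs in compare_inspection(BASELINE, INSPECTION).items():
        for field, expected, observed in diffs:
            print(f"{tid}: {field} expected {expected!r}, observed {observed!r}")
```

Any finding is a prompt to stop using the device and follow up, not proof of a skimmer; the comparison only tells the merchant what changed since the baseline.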

Russo urges ISOs and merchant level salespeople to educate their merchants on how to protect against skimming attacks; it is also good for business. "This [supplement] is certainly something that ISOs should be giving to their customers," he said. "This is a differentiator between a good ISO and somebody out there that is just trying to move equipment that they've got sitting up on the shelf."

The 25-page supplement is free for download at www.pcisecuritystandards.org/education/info_sup.shtml.
