The Green Sheet Online Edition
September 14, 2009 • Issue 09:09:01
PCI SSC combats skimming with new merchant resource
The PCI Security Standards Council (PCI SSC) issued a new supplement designed to educate merchants on how to defend against skimming attacks. Entitled Skimming Prevention - Best Practices for Merchants and authored by the PCI SSC PIN Transaction Security Working Group, the supplement focuses on defining what skimming entails and how merchants can protect against it.
The working group defines skimming as the "unauthorized capture and transfer of payment data to another source for fraudulent purchases." This can be accomplished by stealing the data directly from payment cards or by infiltrating payment networks via POS terminals, terminal locations, wires, communication channels, switches and so forth.
The first type of attack, which the authors said is the most common, usually occurs at the POS and is typically perpetrated by "internal merchant personnel who have both criminal intent and direct access to the consumer payment device (payment card) with little or no observation at the time of payment."
Among the most common of inside jobs are restaurant wait staff who disappear with diners' credit cards and skim the card numbers in private, said Bob Russo, General Manager of the PCI SSC.
The second type involves criminals inserting electronic devices into POS terminals or terminal infrastructures. "The skimming equipment can be very sophisticated, small and difficult to identify," the supplement said. "Often it is hidden within the terminal so neither the merchant nor the cardholder knows that the terminal has been compromised." According to ADT Security Services Inc., skimming nets fraudsters approximately $350,000 daily in the United States. And payment consultancy Celent LLC estimates skimming drains the global economy of $1.2 billion annually.
Russo said smaller merchants are particularly vulnerable to skimming attacks. Mom-and-pop merchants are busy running their businesses and might overlook signs that their POS terminals have been compromised, he said. This is why the paper, while useful for larger merchants, is designed especially for the smaller, level 4 merchants.
The supplement provides photographs of how terminals are tampered with and how merchants can detect evidence of such tampering; it recommends that merchants routinely and thoroughly inspect terminals for signs of outward alteration. It is also helpful if merchants know what the actual devices look like. For example, a key logger used to capture the keystrokes of an electronic cash register can be smaller in circumference than a quarter and can easily be mistaken for part of the register's normal cabling.
Similarly, digital cameras can be employed to photograph cardholders entering PINs into terminals. When removed from their housings, the main camera hardware can be tiny and easily hidden in a ceiling tile above the terminal.
Russo said the supplement takes a common sense approach to preventing skimming attacks. It lays out guidelines and best practices, which fall into three main categories: merchant physical location and security, terminals and terminal infrastructure security, and staff and service access to payment devices.
Among the working group's recommendations for securing retail environments are to limit and control customer access to payment locations from floor to ceiling, keep payment areas well lit, and employ surveillance cameras and image storage capabilities in line with PCI SSC guidelines.
In addition, the paper suggests merchants understand and relay to their employees the "entire cable path from the terminal to the point where it leaves your merchant location" because fraudsters can infiltrate and hide devices anywhere within that path.
It is also incumbent on merchants to scrutinize their employees and vendors, which the PCI SSC realizes is a sensitive issue. But it is an unfortunate fact that staff and outside contractors are "targets" of fraudsters, whether through "bribery or coercion," the supplement said.
Thorough background checks - where legal - should be conducted on potential new hires. And procedures should be implemented to ensure that service engineers who arrive on site to conduct terminal checks or provide other related services are who they say they are and have arrived at a previously specified time and date.
How vulnerable are you?
Russo stressed the value to mom-and-pop merchants of the supplement's two appendices. The first one helps merchants quantify what their risk levels are. More than two dozen questions posed to merchants are designed to evaluate whether merchants can be classified as low, medium or high risk to skimming attacks.
The second appendix is basically a checklist that allows merchants to document the details of their POS terminals and systems. "Take a picture of your device," Russo said. "What's the serial number? Where's it located? Where is the label? Is the label on the right side or the left side? So that when periodically somebody goes around and looks at these things to check them, they check them against this list to see if there's anything that looks different from what they had before."
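The inspection routine Russo describes, as an added example that is not part of the article or of the PCI SSC supplement: a baseline record per terminal (serial number, location, label side, tamper-seal id, photo hash) is compared against what staff observe on a later walk-around, and anything missing, unrecorded or changed is flagged. Terminal ids, field names and all sample values are constructed; the photo hash helper is hypothetical.

```python
import hashlib
from typing import Dict, List, Tuple

# Fields a merchant records per terminal when it is installed (constructed field set).
FIELDS = ("serial", "location", "label_side", "seal_id", "photo_sha256")

Record = Dict[str, str]
Finding = Tuple[str, str, str]  # (terminal id, finding kind, detail)


def photo_digest(image_bytes: bytes) -> str:
    """SHA-256 of the reference photo taken at install time (hypothetical helper)."""
    return hashlib.sha256(image_bytes).hexdigest()


# Constructed baseline: what was written down when the terminals were installed.
BASELINE: Dict[str, Record] = {
    "LANE-1": {"serial": "SN-0001", "location": "checkout lane 1", "label_side": "left",
               "seal_id": "SEAL-1001", "photo_sha256": photo_digest(b"lane1-install-photo")},
    "LANE-2": {"serial": "SN-0002", "location": "checkout lane 2", "label_side": "right",
               "seal_id": "SEAL-1002", "photo_sha256": photo_digest(b"lane2-install-photo")},
}

# Constructed walk-around: LANE-1's label is now on the other side (a sign the device may
# have been swapped or overlaid), LANE-2 is not where it should be, and an unrecorded
# device has appeared at the service desk.
INSPECTION: Dict[str, Record] = {
    "LANE-1": {"serial": "SN-0001", "location": "checkout lane 1", "label_side": "right",
               "seal_id": "SEAL-1001", "photo_sha256": photo_digest(b"lane1-install-photo")},
    "DESK-1": {"serial": "SN-0099", "location": "service desk", "label_side": "left",
               "seal_id": "SEAL-1099", "photo_sha256": photo_digest(b"unknown-photo")},
}


def compare(baseline: Dict[str, Record], inspection: Dict[str, Record]) -> List[Finding]:
    """Return every deviation between the recorded baseline and the observed state."""
    findings: List[Finding] = []
    for tid, expected in baseline.items():
        observed = inspection.get(tid)
        if observed is None:
            findings.append((tid, "missing", "terminal not found during inspection"))
            continue
        for field in FIELDS:
            if observed.get(field) != expected.get(field):
                findings.append((tid, "mismatch",
                                 f"{field}: recorded {expected.get(field)!r}, observed {observed.get(field)!r}"))
    for tid in inspection.keys() - baseline.keys():
        findings.append((tid, "unknown", "device is not on the terminal inventory"))
    return sorted(findings)


if __name__ == "__main__":
    for terminal, kind, detail in compare(BASELINE, INSPECTION):
        print(f"{terminal}: {kind} - {detail}")
```

A clean inspection returns an empty list; any finding is a reason to stop using the terminal and call the acquirer or processor rather than to investigate the device on the spot.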
Russo said it is good for business when ISOs and merchant level salespeople educate their merchants on how to protect against skimming attacks. "This [supplement] is certainly something that ISOs should be giving to their customers," he said. "This is a differentiator between a good ISO and somebody out there that is just trying to move equipment that they've got sitting up on the shelf."
The 25-page supplement is free for download at www.pcisecuritystandards.org/education/info_sup.shtml.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.