Tuesday, December 18, 2012

Skimming Cards at the POS

When I am named emperor of PCI, I will require every card merchant (including on every campus) to physically inspect each POS device regularly for evidence of tampering.  The PCI Council provides guidance and examples in its Skimming Prevention: Best Practices for Merchants information supplement (in the Information Supplements section).  Personally, I think it is possible that such physical inspections could be included in the revisions to PCI 3.0 and the SAQs in 2013.

In the meantime, there is no need to wait until it is required.  You can start doing it now.

I am reminded of this whole topic by the post in Brian Krebs' blog describing fake/compromised POS devices used by criminals to steal card data.  At least one criminal is selling compromised POS devices -- including top-of-the-line cellular-based wireless devices -- that capture the mag stripe, and print a receipt, but never actually complete the transaction.

This scam is not new.  I remember stories during my time at Visa about merchants who "sold" goods for the sole purpose of collecting payment card data.  Customers were surprised they never saw the charge for the t-shirt or other tchotchke on their account statements.  The reason was that the "merchant" never had any intention of charging their card -- they were just skimming the stripe.  Giving away the merchandise was a minor cost of doing business.

The difference today is that the scam is getting more sophisticated.

So some advice for everyone is:

  • Check your own POS devices for evidence of tampering regularly (monthly?  weekly?).  What is a good practice today may be required by PCI tomorrow.    
  • Contact your issuer if you buy merchandise and no charge appears on your statement (no, you didn't get a special deal...you possibly were scammed).  And if you used a debit card (eek!), get very, very worried.  
  • Never, NEVER get POS devices from anybody but your acquirer.
Oh, and I almost forgot.
  • Continue to monitor security websites and other sources of information (like the list of blogs on the right) to stay current.
