The landscape of credit card fraud is constantly evolving, with criminals devising increasingly sophisticated methods to steal customer financial information. For merchants, these evolving threats pose a significant challenge, demanding a proactive approach to data security. Two particularly concerning methods are credit card skimming and shimmering, both capable of compromising sensitive information and eroding customer trust.

This post delves into the world of credit card skimmers and shimmers, outlining their threats and the measures merchants can take to fortify their defenses. By understanding these evolving threats and implementing robust security protocols, businesses can significantly reduce their vulnerability to credit card fraud and maintain a secure payment environment for their customers.

Skimmers vs. Shimmers: Understanding the Devices

• Skimmers: These are physical attachments typically installed over the card reader slot of ATMs, gas pumps, or point-of-sale terminals. Their primary function is to capture the magnetic stripe data on the back of your card when inserted. With the widespread adoption of EMV chip technology, skimmer use is on the decline, as they are unable to steal chip data.
• Shimmers: These electronic devices are far more sophisticated than skimmers. These wafer-thin devices are inserted inside the card reader itself, targeting the data contained within the EMV chip, the supposedly more secure alternative to the magnetic stripe. The stolen data can then be wirelessly transmitted to a nearby device controlled by the criminal.

While neither skimmers nor shimmers can steal a customer’s PIN, the information they capture can be used to create counterfeit cards for fraudulent transactions. A data breach of this nature can have a devastating impact on your business, leading to financial losses, chargebacks, and a damaged reputation. Furthermore, the knowledge that their financial information may have been compromised can severely erode customer trust, potentially impacting future sales.

PCI DSS Compliance: Your First Line of Defense

The Payment Card Industry Data Security Standard (PCI DSS) is a set of comprehensive requirements designed to ensure the secure handling of cardholder information. Compliance with PCI DSS is mandatory for all merchants that accept credit card payments. Requirement 9 of PCI DSS specifically focuses on safeguarding card readers from tampering.

One of the key provisions within PCI DSS requirement 9.5.1.2.1 mandates the use of anti-tamper devices (ATDs) on all point-of-sale terminals. ATDs are designed to detect any unauthorized modifications to the card reader, including the installation of a skimmer or shimmer. By employing ATDs, merchants can significantly reduce their vulnerability to physical tampering.

Beyond ATDs: A Layered Approach to Security

While ATDs are a crucial element of your security strategy, a layered approach is essential to combat skimming and shimmering truly. Here are some additional security measures recommended by PCI DSS and industry experts:

• Regular Inspections: Conduct thorough visual inspections of your point-of-sale terminals to check for signs of tampering. Look for loose components, glue residue, or scratches around the card reader slot. Documenting these inspections is also a good practice.
• Tamper-evident Seals: Utilize tamper-evident seals on card readers for an extra layer of security. These seals leave a visible mark if the device is tampered with, alerting you to potential security breaches.
• Software Updates: Maintain up-to-date software on point-of-sale terminals to patch vulnerabilities that criminals might exploit. Promptly install all recommended software updates from your terminal providers.
• Employee Training: Empower your employees with the knowledge to identify suspicious activity. Training programs should educate staff on how to spot skimmers and shimmers, and what procedures to follow if they suspect a device has been tampered with. This should include clear guidelines on what to do if a customer reports a potential skimming attempt.
• Promote Contactless Payments: Whenever possible, encourage customers to use contactless payment options like tap-to-pay. These methods do not require inserting the card into the reader, reducing the vulnerability to skimming devices.

According to Chargebacks911, stolen data from shimmers can still be used to create counterfeit magnetic stripe cards. While chip technology provides an extra layer of security, remaining vigilant and implementing these additional security measures is crucial for merchants.

By adhering to PCI DSS requirements and adopting a comprehensive security approach, merchants can significantly bolster their defenses against credit card skimming and shimmering. Remember, protecting customer financial information isn’t just about compliance; it’s about building trust and fostering long-term customer loyalty. By demonstrating a commitment to data security, you can create a secure payment environment that reassures your customers and helps your business thrive.

AccessIT can help you to understand how to protect your company from these threats, our team of QSA’s understand the new PCI DSS requirements and help you to navigate these and get you compliant.

By: Chad Barr – Director of Governance, Risk & Compliance – CISSP | CCSP | CISA | CDPSE | QSA