In December, Visa published a Security Alert warning of an increasing fraud threat, as the U.S. EMV migration continues, from “criminals placing skimming devices on or in attended and unattended point-of-sale (POS) devices for the purpose of collecting payment card information, including PIN numbers”.
The PCI DSS addresses this threat by requiring businesses operating face-to-face (card-present) card readers and payment terminals (those that come into contact with customer payment cards) to periodically inspect those devices.
Those inspections are intended to counter that fraud threat. Merchants need to check that their card readers and payment terminals haven’t been substituted with counterfeit devices or tampered with by criminals intent on capturing payment card details at the point of sale as the merchant takes payment from their customers.
Recommendations for your customers
The Visa guidance points out that any accessible payment terminal is at risk, not just retail counter-top terminals, and in particular those that are unattended and unsupervised by staff, such as self-checkout terminals, automated fuel dispensers, kiosks and vending machines. We recommend you remind your customers of their obligation to protect all devices used for card-present payments to counter this increasing threat.
In particular, warn your customers in the fuel & forecourt sector to step up their protection and inspection activities as criminals are targeting gas stations and pay-at-pump payment terminals. According to a recent report, issuers expect the growth of skimming at gas pumps to pick up in the year ahead.
To help you advise your customers, below we highlight the guidance and resources available to your merchant businesses to help them protect their card readers and payment terminals from criminals attempting device substitution or the insertion of card skimmers.
The actions include: maintaining a detailed inventory of all card readers and terminals; completing regular inspections of the devices for signs of tampering and substitution; and security awareness training for point of sale staff to make sure they keep a watch for suspicious behaviour around the devices and know to report suspected tampering or substitution.
- Visa’s recommended Inspection & Response Actions
- The UK Cards Association’s security guidance for card acceptance devices
- The PCI SSC Skimming Resource Guide
Education is key: making sure all staff members know what to look for is the most effective way of ensuring that devices are protected from tampering and substitution. In the following video, ‘Protecting your card reading devices’, which we recommend you share with your customers, we provide 6 suggestions of what to look out for when inspecting a card reader.