PCI update: Skimming Prevention – Best Practices for Merchants
PCI Security Standards Council Information Supplement: Skimming Prevention – Best Practices for Merchants
PIN Transaction Security Program Requirements and PCI Data Security Standard
Date: August 2009
Author: PCI SSC PIN Transaction Security Working Group
Skimming is the unauthorized capture and transfer of payment data to another source, for fraudulent purposes. PCI SSC created this document to assist and educate merchants regarding security best practices associated with skimming attacks.
This document contains a non-exhaustive list of security guidelines that can help merchants to:
• Be aware of the risks relating to skimming.
• Be aware of the vulnerabilities inherent in the use of point-of-sale terminals and terminal infrastructure.
• Be aware of the vulnerabilities associated with staff who have access to consumer payment devices.
• Prevent or deter criminal attacks against point-of-sale terminals and terminal infrastructure.
• Identify any compromised terminals as soon as possible and notify the appropriate agencies to respond and minimize the impact of a successful attack.
Best practices and security guidelines for the prevention of skimming are based on successfully established countermeasures as identified by the merchant community, and known criminal activity as observed and investigated by the payment industry and law enforcement.
Guidelines and best practices fall within three major areas.
• Merchant Physical Location and Security: Many merchants have realized the benefits of operational and physical security countermeasures that not only provide a consistent brand image and transparent consumer experience, but also have the necessary physical security and operational controls required to support their retail locations and POS environment.
• Terminals and Terminal Infrastructure Security: Leveraging PCI SSC standards and approved devices should be considered a core component of any terminal security effort. Merchants should make every effort to use the controls, standards, and devices already established by PCI SSC for the protection of devices and data at the point of sale. The guidelines and recommended practices in the supplement complement those standards.
• Staff and Service Access to Payment Devices: Employee and staff conduct should be a critical concern to all merchants, specifically in the processing of payment data and services.
For more details, please download and review this PCI SSC information supplement.
PCI Skimming Prevention Best Practices