Credit Card Skimming at the Point of Sale

Nov 27, 2017

Credit Card Skimming

Why it happens and how to prevent it

If you’re a retailer, you’re probably familiar with the term “skimming.” Perhaps you and your customers have already been victimized and you’re looking for ways to prevent it. Either way, it’s important to recognize that credit card skimming is on the rise. Know too that it’s especially common wherever point-of-sale (POS) devices are regularly unattended, like self-checkout stations at grocery stores.

The good news is that there are simple steps you can take to foil the efforts of fraudsters, who count on merchants remaining inattentive.

What is Credit Card Skimming?

As we noted in the TSYS® Guide to Credit Card Skimming: How to Spot and Avoid Fraudulent Charges, skimming “involves stealing card account data during a legitimate transaction…. [The data] is then transferred to a duplicate card to make fraudulent purchases without the knowledge of the cardholder.”

While credit card skimming can occur in a variety of ways, the most common scenario involves one or more fraudsters installing a skimming device (card reader) on a gas pump or other POS device, which captures credit card information when the consumer attempts to complete a transaction. Then “the thieves retrieve the information through a wireless transmission or by physically removing the skimmer,” relates our Guide.

Why is Credit Card Skimming on the Rise?

Earlier this year, Visa® issued a security alert about an uptick in skimming, “particularly at businesses that are still using payment devices that have not been upgraded to accept EMV® chip cards.” As you may know, a large percentage of retailers have upgraded to EMV-enabled POS devices in the wake of the EMV liability shift (October 2015), as “businesses that are unable to support chip cards can be held financially responsible if a fraudulent transaction occurs.”

But because EMV technology has resulted in drastic reductions in card-present fraud, bad actors have stepped up their skimming attacks in places where EMV technology is often not yet in place. Fraudsters also like to target POS devices that are frequently unattended, like self-checkout stations at supermarkets and grocery stores, as well as fuel pumps at gas stations (which have POS devices that are difficult to upgrade). Making matters worse, skimming devices have become easy to come by (they are inexpensive and can be purchased online), and the technology has improved to the point where they can be very difficult to detect.

How to Prevent, Mitigate the Damage from Skimming Attacks

Understanding the modus operandi of a typical fraudster is helpful in understanding how to prevent skimmer attacks. As Visa noted in its June 2016 Webinar Threat Landscape: Skimming at the Point of Sale, fraudsters typically operate in groups of two to three, with one individual placing the device and the other(s) providing cover and/or acting as a lookout. “Suspects may scout a location prior to placing a device so be aware of individuals that appear out of place,” advises Visa.

It’s also vital to take inventory of your POS devices daily. Per our aforementioned Guide, “Be suspicious if you see anything loose, crooked or damaged, or if you notice scratches or adhesive/tape residue…. Be on the lookout for electronic devices that have been added to the standard card reader or any other modification that may be apparent.” You may want to add unique markings/stickers to your devices to help you recognize whether any overlays have been added. Finally, you may want to consider a switch to contactless card readers, which reduce the risk of card data being skimmed as there is no dip or swipe.

What to do if you find a Skimming Device

If you find a skimmer during a daily audit, Visa’s Webinar advises documenting what you’ve found before removing the device. That is, take pictures of the skimming device (as installed), then take pictures post-removal and document the date and time. Also, “use protective gloves to remove the device [as] criminals may leave DNA on the device” and store it securely in a protective bag. Last but not least, contact local authorities and the U.S. Secret Service, the latter of which is responsible for investigating this type of fraud.

An Additional Layer of Protection from Skimming

Even your best efforts might not keep you from becoming a victim of skimming. That’s why TSYS offers a Data Breach Security Program, which helps our customers meet the expenses associated with a suspected or actual breach of credit card data. Coverage includes a forensic audit (as required by the Payment Card Industry Data Security Standard whenever a data breach is suspected), as well as fines, assessments and other expenses related to a breach. To talk to a TSYS representative about our Data Breach Security Program call us at 1.888.845.9457.

Read What Merchants Can Do To Keep Processing Safe to learn more about how to protect yourself and your customers from fraud.
