Skimming Alert for POS Devices


May 31, 2017


Skimming is a form of embezzlement in which the perpetrator secretly copies financial data stored on a payment card, including the account number and PIN. The perpetrator then loads the data onto a counterfeit card that is used for unauthorized transactions. Typical targets of skimmers are unattended points of sale like gas pumps, ATMs, kiosks and self-checkout lanes, where they install a small skimming device on or in the legitimate payment device. Alternatively, dishonest employees can use a hand-held skimming device to swipe an unsuspecting customer’s card while it is out of the customer’s sight, as happens in many restaurants that don't offer a tableside payment option.

Visa® recently issued a security alert about an uptick in skimming instances, particularly at businesses that are still using payment devices that have not been upgraded to accept EMV® chip cards. It noted that the perpetrators are highly mobile, targeting multiple stores within a geographic area for a period of time before moving on to a new location. Additionally, some skimming devices are Bluetooth®-enabled, allowing the suspects to recover payment card data from a distance.

Visa advises that merchants fight back by following security controls to protect POS and PIN entry devices (PED) from tampering and substitution. Recommendations include:

  • Maintain a list of devices, including the device serial number or other method of unique identification.
  • Keep a list of device locations, either by store or by physical location within the store itself.
  • Train staff to be aware of suspicious behavior and to report device tampering or substitution.
  • Use approved PEDs, follow Visa’s PED usage and retirement mandates and comply with Visa’s mandatory PED sunset dates.
  • Be aware of who has access to your payment terminals, including anyone who claims to be repair or maintenance personnel. Verify their identity before giving them access to your devices.

Visa also recommends that business owners physically inspect their POS and PIN entry devices at least twice daily and at random times. For example, it notes that skimming devices are typically attached with minimal adhesive that allows them to be placed and removed easily. Grabbing or pulling the front of the POS/PED may quickly determine if tampering has occurred. Likewise, a missing seal or screw, extra wiring or extra holes could help uncover a fraudulent device.

"When inspecting devices, use backup security personnel to monitor from a distance as suspects may watch compromised terminals and suspects are trained in counter surveillance to avoid detection/arrest," Visa notes in its alert.

At gas pumps, skimming devices can be detected by following the ribbon tape that is inside the pump itself. All connectors should be in use. If factory connections are not plugged in, the pump should be inspected further. Gas pumps should also be inspected for any devices that may be sealed in shrink wrap or electrical tape as most of the skimming devices we are aware of are secured in that manner.
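The device list and the twice-daily inspection recommended above can be checked against each other automatically. The following is an added example, not part of Visa's alert or of this page's original text: it reconciles an inspection log with the inventory and flags substituted serial numbers, missing seals and devices inspected fewer than twice in a day. The store names, serial numbers and log layout are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed baseline inventory: (store, position) -> expected serial number.
INVENTORY = {
    ("Store 12", "Lane 1"): "PED-000111",
    ("Store 12", "Lane 2"): "PED-000222",
    ("Store 12", "Pump 4"): "PED-000333",
}
# Constructed inspection log: (time, store, position, serial read off device, seals intact?)
INSPECTIONS = [
    ("2017-05-31T08:05", "Store 12", "Lane 1", "PED-000111", True),
    ("2017-05-31T15:40", "Store 12", "Lane 1", "PED-000111", True),
    ("2017-05-31T08:10", "Store 12", "Lane 2", "PED-000222", True),
    ("2017-05-31T15:45", "Store 12", "Lane 2", "PED-000999", True),   # serial changed
    ("2017-05-31T08:20", "Store 12", "Pump 4", "PED-000333", False),  # seal missing, one check
]
MIN_CHECKS_PER_DAY = 2  # "at least twice daily"


def review(inventory, inspections, min_checks=MIN_CHECKS_PER_DAY):
    """Return sorted (store, position, day, finding) tuples that need follow-up."""
    findings = set()
    checks = defaultdict(int)  # (store, position, day) -> inspections recorded
    for ts, store, position, serial, seals_ok in inspections:
        day = datetime.fromisoformat(ts).date().isoformat()
        checks[(store, position, day)] += 1
        expected = inventory.get((store, position))
        if expected is None:
            findings.add((store, position, day, "position not in inventory"))
        elif serial != expected:
            findings.add((store, position, day, f"serial {serial} != inventory {expected}"))
        if not seals_ok:
            findings.add((store, position, day, "seal or screw missing"))
    # Each inventoried device must reach the minimum on every day that has any inspection.
    days = {day for (_, _, day) in checks}
    for store, position in inventory:
        for day in days:
            n = checks.get((store, position, day), 0)
            if n < min_checks:
                findings.add((store, position, day, f"only {n} inspection(s) recorded"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review(INVENTORY, INSPECTIONS):
        print(*finding, sep=" | ")
```

A serial mismatch or missing seal reported here is a prompt to follow the evidence-preservation steps described below rather than to handle the device.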

Finally, if a skimming device is discovered, Visa advises that you do not handle it so that evidence can be preserved. Notify local law enforcement or the FBI or U.S. Secret Service office so they can properly recover the device. Maintain any video surveillance that may be used to identify the perpetrators and to confirm the time that the device was placed on the terminal. Notify your merchant services provider so that Visa can assist with the investigation, and review security procedures to identify any gaps that allowed the skimming incident to occur and make necessary changes to protect payment data.

EMV is a registered trademark or trademark of EMVCo LLC in the United States and other countries.
