Issue 8 - January 2012
Addressing Card Skimming at the Point of Sale—PCI and EMV Chip Technology
Have you received a call recently from your credit or debit card issuer asking you to verify suspicious transactions, only then learning that your card data was compromised and used to make payments that you didn’t authorize? Or, even worse, have you found strange-looking charges on your card statement from merchants you’ve never heard of in locations you’ve never visited? If these scenarios are familiar, you are likely one of the growing number of victims of card skimming fraud. Card skimming occurs when the customer data contained in the magnetic stripe on a card is read through the use of special equipment that replaces or is attached to a merchant’s legitimate point-of-sale (POS) terminal. Once your information is extracted from the card, it is then electronically transmitted to criminals for illicit use.
PCI security compliance guidelines are designed to help merchants protect and secure customer card data. However, as illicit schemes such as hacking and card skimming become increasingly sophisticated, these guidelines will likely become less and less effective. The time has come for the payments industry to recognize the risk to the U.S. card payments system and the need to migrate to more secure and sophisticated card technology.
Visa’s Announcement to Accelerate EMV Chip Migration
A move to EMV  chip-enabled card payments could help the merchant community battle against payment card fraud. On August 9, 2011, Visa announced plans to accelerate chip migration and the adoption of mobile payments. The move to dual-interface chip technology is expected to create a more secure payment environment, which effectively reduces a criminal’s ability to harvest card data for making fraudulent card payments. Because the chip technology introduces dynamic values for each transaction, as opposed to the static data embedded in a magnetic stripe, the data is unusable even if compromised and replicated in a counterfeit card. It is important to note that some cardholder data in an EMV environment will be vulnerable in certain circumstances and will still require protection. Nevertheless, a move from magnetic stripe technology represents a quantum leap in the payments industry’s collective interest in combating payment fraud.
Discussions surrounding a U.S. move to EMV chip payments have been going on for some time as merchants, issuers, and the card networks have tried to sort out the challenges of such a migration—namely, the technology investment required for new card reader infrastructure and new card issuance. Visa’s announcement may well be a watershed event for managing the risk of card data compromise at the merchant’s POS.
Growing Incidence of Skimming Schemes
Cybercrime is a global problem today, contributing to a thriving black market for the exchange of cardholder data by large criminal organizations. Cybercrime takes many forms, but more recently criminals are shifting to card skimming as a means of perpetrating identity theft and payment fraud. Skimming fraud is considered by the U.S. Secret Service to be one of the most significant problems facing the credit card industry today. The past two years in particular have seen a dramatic upswing in the incidence of skimming breaches by international crime rings.
The proliferation of illegal skimming equipment and the continued use of outmoded magnetic stripe card technology have created an environment in which harvesting card data is a commoditized illicit activity. Black markets exist on the web for the sale of equipment and exchange of harvested data. Many of these schemes are difficult to detect until they’ve already wreaked considerable damage in the form of countless fraudulent transactions. Criminals can use the data to make purchases right away over the phone or the Internet in card-not-present transactions, or they can use it to make counterfeit cards, or they can sell the information on the black market.
Card skimming can happen in a number of ways, typically at an ATM or other unattended POS terminal. Fuel dispensers are common crime sites, and so are stand-alone or hand-held terminals in the store. One of the simplest of these schemes occurs in restaurants when someone on the wait staff takes the customer’s payment card to execute the meal charge—and makes an illegal swipe of the card data for sale to an outside party for illicit use. More sophisticated and complex schemes are emerging as fraudsters take advantage of more advanced technology like wireless communications to transmit the skimmed card data to remote crime ring operatives. In many cases, the fraud involves tampering with the retailers’ POS terminals using hardware components that mimic or overlay existing card acceptance hardware that is used to read the card data during the transaction.
The problem, ultimately, lies in the fact that the U.S. payment card systems use magnetic stripe technology, which is inherently vulnerable to skimming. This sad truth becomes especially clear when we compare the numbers to chip-based card technologies. The United States is the last developed country to consider the migration to a chip technology-based payment card system, well behind the United Kingdom, Canada, and other countries. Payment fraud in these countries dropped precipitously following implementation of the chip-based technology. Data contained in the magnetic stripe on the back of the payment card is much easier to compromise than the data contained in a semiconductor chip
According to the Identity Theft Resource Center, the bulk of banking-related data breaches in 2010 were attributed to insider theft, cyber attacks, or card skimming schemes. Of all of these illicit activities, card skimming schemes are proving to be the most common, as evidenced by several recent high profile cases. In general, fuel dispenser terminals and ATMs are the most frequently attacked because of the absence of human interaction.
In some cases, inadequate oversight or employee collusion may introduce the risk of terminal tampering. For example, in May 2011, the Michaels craft-store chain reported that stores within a 20-state region had fallen victim to a payment-card-stealing scheme as a result of terminal tampering. Several hundreds of legitimate POS devices were replaced by illicit equipment designed to skim and transmit the card data. The case, which is under investigation by the Secret Service, has resulted in litigation against the retailer.
A similar retailer skimming case involved Hancock Fabrics. In this instance, criminals stole the legitimate PIN pads in August and September 2010, replacing them with visually identical—albeit fraudulent—units that were used to intercept information on the card and capture the PIN as it was entered during the transaction.
The rise in reports of skimming at fuel terminals led to an announcement on August 12, 2011, by the National Association of Convenience Stores (NACS). NACS reported that the theft trends of debit and credit card data at pay-at-the-pump terminals have grown to epidemic proportions. Again, PCI guidance for controls for gas pumps—such as tamper-evident labels to mitigate and detect criminal interference—is somewhat effective but certainly not fool-proof. Criminals find the weakest link by looking for the merchant with the weakest control environment. Still, PCI-compliant merchants are not necessarily fully protected from terminal tampering.
Magnetic-stripe Fraud a Global Problem
The vulnerabilities inherent in magnetic-stripe technology are expected to contribute to ongoing skimming attacks in the near future, not to mention the associated credit and debit card losses. Other countries, including Canada and many in Europe, that have converted to the EMV chip technology standard have effectively mitigated skimming.The incidence of skimming in the United States exceeds that in the rest of the world.  Payment frauds like this have become a mainstay of global crime rings that recognize the United States as one of the last holdouts on more secure chip-enabled card payments.
New security issues are likely to emerge while the United States continues to rely on magnetic stripes. We could see stolen credit and debit card credentials, which are available on black market websites, funding terrorist operations, for example.
What is more, the United States may be culpable in exporting fraud overseas as foreign card issuers retain the magnetic-stripe technology along with the EMV chip on the card to accommodate customers who use their payment cards during U.S. travel. Likewise, overseas merchants may prolong the acceptance of magnetic stripe card payments to accept transactions from U.S. travelers. However, many merchants in European countries are already beginning to refuse acceptance of magnetic stripe card payments, especially at POS terminals.
Many consumers, who face the uncertainty of having their cards accepted abroad and who understand their vulnerability to card fraud and data compromise when traveling, have demanded chip-enabled payment cards from their bank issuers or purchased prepaid chip cards such as those issued by Travelex. In fact, many U.S. banks have begun to issue chip cards to customers who travel frequently.
PCI Guidelines for Mitigating Skimming
The PCI Council has continued to advance security standards for preventing data breaches and protecting consumers. The council’s primary mission is to safeguard payment data and the systems that process that data. Recognizing the need to guard against the increased threat of skimming incidents, the PCI Security Standards Council issued in August 2009 an information supplement titled “Skimming Prevention: Best Practices for Merchants.” This guide provides information on how skimming schemes are perpetrated so merchants are better armed against them.
The “Best Practices” supplement notes that cards offer criminals two primary sources of information: the account data in the magnetic stripe and the PIN data. Criminals use a combination of increasingly sophisticated software and hardware to manipulate payment terminals and compromise that data. The skimming device equipment is generally hidden within the payment terminal so it cannot be detected by merchants or consumers. In some cases, the skimming equipment is embedded in a bogus PIN-pad device. These devices can both access the data embedded in the magnetic stripe and record the keystrokes.
These PCI guidelines have promoted advances in how the industry addresses card data security. But, unfortunately, in many ways the PCI guidelines are necessary because of the continued reliance on outdated, static magnetic-stripe technology. Chip technology that enables either contact or contactless card payments, near-field communication (NFC), or payments in the mobile channel all introduce dynamic data that is difficult for criminals to skim and clone.
Among the guidelines and best practices the supplement offers for preventing skimming are advice to merchants to assess the physical security and operational controls supporting their retail locations and POS environment. Also included are suggestions for protecting terminal environments, including vendor controls, access controls, and monitoring equipment such as cameras, recording equipment, and lighting.
The PCI Security Standards Council has developed guidelines for retailers to protect POS card readers from card skimming, including how to detect device tampering. As schemes become increasingly sophisticated, however, these guidelines will likely become increasingly less effective—a possibility that should give the industry even more reason to migrate to chip card technology.
The mobile channel as a use case for EMV chip payments
In March 2011, the Federal Reserve released a position paper titled “Mobile Payments in the United States: Mapping Out the Road Ahead.” This document represents the collective views of the mobile payments industry in identifying the fundamental components of success for establishing a secure and interoperable mobile ecosystem. Specifically, it says that the mobile infrastructure would likely be based on NFC contactless technology and that some form of dynamic data authentication would be at the heart of a layered mobile payments security and fraud mitigation program. The paper envisions that the mobile channel will be accessed by a mobile wallet permitting all forms of retail payments. However, the near-term inevitability of mobile card payments coupled with the critical need for better security in card payments is creating momentum for the adoption of mobile payments.
Visa’s announcement of its move to EMV contact and contactless technology is intended to encourage adoption so the United States can be better prepared for the arrival of NFC-based mobile payments. By catalyzing the merchant and card-issuing community to migrate to chip-based payments and build the infrastructure necessary to accept and process chip-based transactions, the industry hopes to push consumers into adopting secure, interoperable mobile payments more quickly.
Visa’s Plan Provides PCI Validation Relief
Visa’s plan states that it will “eliminate the requirement for eligible merchants to annually validate their compliance with the PCI Data Security Standard for any year in which at least 75 percent of the merchant’s Visa transactions originate from chip-enabled terminals.” Further, the merchant terminal infrastructure must be able process the additional data included in chip transactions versus magnetic stripe. The plan institutes a liability shift for counterfeit card transactions from the card issuers to the merchants. Currently, the United States is the only country that has not agreed to a liability shift associated with chip-enabled payments.
Merchants will still be responsible for fully complying with the PCI Data Security Standard, in the sense that they should not store sensitive data authentication codes or PINs. The prospect for improved protection from card skimming schemes and the associated reputational risk along with the reduced PCI compliance validation costs should be welcome benefits to merchants.
The large number of card networks and payment card issuers in the United States has challenged efforts to establish a coordinated migration to EMV chip-enabled payments. Because merchants bear the financial burden of investing in terminal infrastructure, their needs further complicate industry migration. The merchant community understandably wants a future-proof investment strategy for POS technology. A number of issues will no doubt stir debate, including the option of signature or PIN authentication and whether other card networks will even follow Visa’s course. Still, the recent Visa announcement represents a move beyond the status quo and, we hope, in the right direction.
 EMV, the acronym for Europay, MasterCard, and Visa, is the global standard for interoperable chip payment card security and authentication.