European card issuer publishes latest security plans for retailers to protect themselves against “skimming” attacks, by criminals who attempt to modify point-of-sale terminals

European card issuer publishes latest security plans for retailers to protect themselves against “skimming” attacks, by criminals who attempt to modify point-of-sale terminals

Visa Europe today issued the latest addition to its security guidance series on system vulnerabilities.

It said “Device Skimming: Attacks and Defence” is based on industry best practices to help retailers protect payment systems and limit the likelihood that they will be the victim of skimming attacks.

Skimming attacks involve criminal gangs who attempt to modify point-of-sale (PoS) terminals by fitting them with equipment that captures card information and potentially customer’s PIN numbers while the card is being processed. Visa Europe has developed a set of best practice guidelines to mitigate the risk of skimming attacks to assist retailers.

Managing people and process

Effective management of PoS devices and increased vigilance can significantly reduce the likelihood of skimming attacks being successful, the payment provider said. And following its set of guidelines will help make the payment system more secure. Visa Europe recommends that all of the guidelines should be followed in order to form a layered approach to system defence.

It said retailers should perform a thorough examination of payment acceptance devices on a regular basis to identify whether the device has been altered or tampered with, including signs like missing seals or screws, extraneous wiring, holes in the device or additional labels used to mask damages.

It also advised that retailers should familiarise themselves with the environment in which payments systems are operating and be aware of any additional or unknown items that appear in the vicinity of the device. Many criminals use the areas surrounding PoS devices to install cameras to record customer PIN entry details. Retailers can use CCTV to deter criminals and help to protect the security of PoS devices, it said. And cameras should be positioned to monitor the location of devices and not record PIN entry at the device.

By securing their devices to prevent their substitution and protect against tampering, retailers can, where possible, protect cables connecting the terminals using a conduit or hold them within a physically secure structure. But it also pointed out that this should be carried out in accordance with relevant disability legislation for the country in which the device is deployed.

Vigilant and standardised defences

Implementing employment policies to ensure that appropriate background checks are carried out on employees who will be handling the devices was another step identified by the Visa guidelines. And employees should also be made aware of their responsibilities to protect PoS devices, trained to validate the identity of all payment systems repair technicians and exercise vigilance to spot possible attacks.

Lastly, it stressed that retailers should be using Payment Card Industry (PCI) Security Standards Council (SSC) approved devices.

Stanley Skoglund, senior vice president of payment system risk at Visa Europe, said: “Skimming attacks are becoming increasingly sophisticated. Fraudsters operate in organised groups around the world and attacks are often difficult to detect. Visa Europe does not tolerate activities that undermine the integrity of the payment system as this has an impact on the trust that consumers have in your business. By taking an active stance, Visa Europe’s guidelines highlight proactive steps that retailers can take to ensure acceptance of card payments take place in a safe and secure environment and reinforce consumer trust.”