10 Tips to Thwart Skimming
Best Practices for Protecting ATMs and POS Terminals

#1. Deter Self-Service Terminal Skimming
Pay-at-the-pump skimming incidents are on the rise, prompting some convenience stores and gas stations to change the locks on the enclosures that house self-service pumps. The Pantry, a convenience store chain in the South, has opted to use an anti-tampering security tape. The Pantry spokesman Scott Yates says the tape seals the area on a fuel pump where criminals install skimming devices to steal card information. If the tape is tampered with, the word "Void" appears on the tape. The tape is monitored by employees periodically each day. The Pantry operates more than 1,600 convenience stores in 11 states.

#2. Respond Quickly to ATM Skimming
ATM skimming has taken off anew, and security experts say any institution has to be ready for the crime. First, banking institutions should have an incident response plan in place to react quickly to ATM skimming attacks when they are detected. Plans should include everything from who should be contacted to immediate actions that need to be taken by the institution. If a device is found, all employees should know what to do. Educate branch employees and third-party vendors, as well as ATM service providers. Make sure they are monitoring the outside of the ATMs for residue or devices.

#3. Use Layered Security Approach
Businesses should install a series of security layers, ranging from not storing card data to tokenizing the data using an outsourced service provider, says Gartner Research analyst Avivah Litan. If data needs to be stored, all data should be encrypted, while in transit and at rest. Strong network segmentation and comprehensive configuration change controls also should be implemented. A whitelist approach to data access control, as well as a whitelist approach to data transfer routines and destinations, are among other measures Litan recommends.

#4. Increase Physical Security
To insert a skimming device, it is often necessary to remove a point-of-sale terminal from its location, or swap the existing terminal for another compromised terminal. Consider installing cable locks on POS terminals. Some have slots, so a cable lock can be attached to the terminal. This can then be threaded through the cable connecting the terminal to the cash register and then secured to prevent both the terminal and the cable from being compromised.

#5. Ensure PCI Compliance
Make sure all POS terminals comply with the Payment Card Industry Council's Derived Unique Key Per Transaction (DUKPT) standard. "Securely install terminals with unique hardware as a deterrent, and visibly inspect them, along with the registers, every day," says Mike Urban, senior director of global fraud solutions at FICO. Ensure all POS terminals are PCI compliant. Also, when any work is done on the devices, make sure it is done by an authorized service provider.

#6. Audit PIN Entry Devices
PCI security expert Anton Chuvakin says PEDs need to be checked on a regular basis, recording them and cross-checking the serial numbers. Retailers are advised to follow PED Security Guidelines and review the condition and placement of internal closed-circuit TV systems to cover all areas.

#7. Use CCTV to Monitor
Use applicable lighting to support payment environments and CCTV monitoring capabilities as required. Ensure ATMs and self-service pumps are well illuminated and meet minimum physical requirements, as defined by the appropriate regulatory mandates. Cameras should be situated such that they record the area around the point-of-sale PED, without actually being capable of recording any PIN entered. Save the CCTV images for 90 days.

#8. Inspect All Locations
Frequently check the ATM fascia as well as the ATM's surroundings -- or those of external POS terminals -- ensuring nothing has been added or moved. Monitor the locations where ATMs and terminals are, especially if skimming attacks have been reported in the area. Have branch staff check these devices during off-hours as well as over weekends and holidays - all prime times for criminals to install skimmers.

#9. Set Common Standards
Include visual standards for all ATMs and POS terminals, and maintain the standards at all branches or locations. Take a photograph of each machine, inside and outside. Show employees what the devices should look like, so when an ATM or POS terminal is quickly examined, employees readily recognize anything suspicious.

#10. Educate Employees
Security-awareness training for all store and branch employees is a recommended place to start. Have a set of procedures for them to follow, says Dave Shackleford, a security expert at Sword & Shield, a computer and network security firm in Atlanta. Retailers should train staff to periodically check POS equipment, for instance, ensuring POS-device IDs still match, and no equipment has been swapped or changed.
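
An added example (not part of the original article) of the cross-check described in tips #6 and #10: it compares inspection records against a recorded baseline of device IDs and serial numbers and reports mismatches. The record layout, slot names, device IDs and serial numbers are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    slot: str       # install location (assumed naming scheme)
    device_id: str  # ID shown on the terminal
    serial: str     # manufacturer serial number

def _norm(value):
    # Hand-written inspection sheets vary in case and spacing.
    return value.strip().upper()

def audit(baseline, inspected):
    """Return sorted (slot, finding) pairs where inspection differs from baseline."""
    expected_by_slot = {d.slot: d for d in baseline}
    seen_by_slot = {d.slot: d for d in inspected}
    home_of_serial = {_norm(d.serial): d.slot for d in baseline}
    findings = []
    for slot, expected in expected_by_slot.items():
        seen = seen_by_slot.get(slot)
        if seen is None:
            findings.append((slot, "not inspected or device missing"))
        elif _norm(seen.serial) != _norm(expected.serial):
            serial = _norm(seen.serial)
            home = home_of_serial.get(serial)
            if home:
                findings.append((slot, f"serial {serial} is registered to {home}"))
            else:
                findings.append((slot, f"unknown serial {serial}: possible swapped terminal"))
        elif _norm(seen.device_id) != _norm(expected.device_id):
            findings.append((slot, f"device ID changed to {_norm(seen.device_id)}"))
    for slot in seen_by_slot.keys() - expected_by_slot.keys():
        findings.append((slot, "device at unregistered location"))
    return sorted(findings)

# Constructed sample data, not real devices.
BASELINE = [
    Device("store-014/lane-1", "POS-0141", "SN-A1001"),
    Device("store-014/lane-2", "POS-0142", "SN-A1002"),
    Device("store-014/lane-3", "POS-0143", "SN-A1003"),
    Device("store-014/pump-4", "POS-0144", "SN-A1004"),
]
INSPECTED = [
    Device("store-014/lane-1", "POS-0141", " sn-a1001 "),  # matches after normalizing
    Device("store-014/lane-2", "POS-0142", "SN-Z9999"),    # serial not in baseline
    Device("store-014/lane-3", "POS-0199", "SN-A1003"),    # ID no longer matches
]

if __name__ == "__main__":
    for slot, finding in audit(BASELINE, INSPECTED):
        print(f"{slot}: {finding}")
```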