10 Tips to Thwart Skimming

Best Practices for Protecting ATMs and POS Terminals
10 Tips to Thwart Skimming
The keys to thwarting card skimming can be summed up in four ways - layered security, monitoring, system audits and education. Here are 10 best practices to follow in securing ATMs and point-of-sale devices at financial institutions and retail locations.

#1. Deter Self-Service Terminal Skimming

Pay-at-the pump skimming incidents are on the rise, prompting some convenience stores and gas stations to change the locks on the enclosures that house self-service pumps. The Pantry, a convenience store chain in the south, has opted to use an anti-tampering security tape. The Pantry spokesman Scott Yates says the tape seals the area on a fuel pump where criminals install skimming devices to steal card information. If the tape is tampered with, the word "Void" appears on the tape. The tape is monitored by employees periodically each day. The Pantry operates more than 1,600 convenience stores in 11 states.

#2. Respond Quickly to ATM Skimming

ATM skimming has taken off anew, and security experts say any institution has to be ready for the crime. First, banking institutions should have an incident response plan in place to react quickly to ATM skimming attacks when they are detected. Plans should include everything from whom should be contacted to immediate actions that need to be taken by the institution. If a device is found, all employees should know what to do. Educate branch employees and third-party vendors, as well as ATM service providers. Make sure they are monitoring the outside of the ATMs for residue or devices.

#3. Use Layered Security Approach

Businesses should install a series of security layers, ranging from not storing card data to tokenizing the data using an outsourced service provider, says Gartner Research analyst Avivah Litan. If data needs to be stored, all data should be encrypted, while in transit and at rest. Strong network segmentation and comprehensive configuration change controls also should be implemented. A whitelist approach to data access control, as well as a whitelist approach to data transfer routines and destinations, are among other measures Litan recommends.

#4. Increase Physical Security

To insert a skimming device, it is often necessary to remove a point-of-sale terminal from its location, or swap the existing terminal for another compromised terminal. Consider installing cable locks on POS terminals. Some have slots, so a cable lock can be attached to the terminal. This can then be threaded through the cable connecting the terminal to the cash register and then secured to prevent both the terminal and the cable from being compromised.

#5. Ensure PCI Compliance

Make sure all POS terminals comply with the Payment Card Industry Council's Derived Unique Key Per Transaction (DUKPT) standard. "Securely install terminals with unique hardware as a deterrent, and visibly inspect them, along with the registers, every day," says Mike Urban, senior director of global fraud solutions at FICO. Ensure all POS terminals are PCI compliant. Also, when any work is done on the devices, make sure it is done by an authorized service provider.

#6. Audit PIN Entry Devices

PCI security expert Anton Chuvakin says PEDs need to be checked on a regular basis, recording them and cross-checking the serial numbers. Retailers are recommended to follow PED Security Guidelines and review the condition and placement of internal closed circuit TV systems to cover all areas.

#7. Use CCTV to Monitor

Use applicable lighting to support payment environments and CCTV monitoring capabilities as required. Ensure ATMs and self-service pumps are well illuminated and meet minimum physical requirements, as defined by the appropriate regulatory mandates. Cameras should be situated such that they record the area around the point of sale PED device, without actually being capable of recording any PIN number entered. Save the CCTV images for 90 days.

#8. Inspect All Locations

Frequently check the ATM fascia as well as the ATM's surroundings -- or those of external POS terminals -- ensuring nothing has been added or moved. Monitor the locations where ATMs and terminals are, especially if skimming attacks have been reported in the area. Have branch staff check these devices during off-hours as well as over weekends and holidays - all prime times for criminals to install skimmers.

#9. Set Common Standards

Include visual standards for all ATMs and POS terminals, and maintain the standards at all branches or locations. Take a photograph of each machine, inside and outside. Show employees what the devices should look like, so when an ATM or POS terminal is quickly examined, employees readily recognize anything suspicious.

#10. Educate Employees

Security-awareness training for all store and branch employees is a recommended place to start. Have a set of procedures for them to follow, says Dave Shackleford, a security expert at Sword & Shield, a computer and network security firm in Atlanta. Retailers should train staff to periodically check POS equipment, for instance, ensuring POS-device IDs still match, and no equipment has been swapped or changed.

More about Skimming:

For more about anti-skimming, including our new timeline of 2010 skimming/POS incidents, please see:

Managing Editor Tracy Kitten begin_of_the_skype_highlighting     end_of_the_skype_highlighting contributed to this report.

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.co.uk, you agree to our use of cookies.