Skimming: Criminals' Tech Improving

PCI's King Says Employee Training Is Best Line of Defense

By , January 4, 2011.
Skimming: Criminals' Tech Improving


See Also: Risk Based Approaches to Data Protection

he Payment Card Industry Data Security Standards Council is addressing card skimming concerns. But security standards and guidance can only go so far, says Jeremy King, European regional director for the PCI Security Standards Council.

King says skimming techniques are evolving. While anti-skimming solutions and security mandates, such as the PCI Data Security Standard, are having an impact, merchants and financial institutions have to focus on employee training. "The criminals tend to come in and target a particular store or gas station, and they'll target it very quickly," he says. "Good training of the staff has identified very quickly a new skimming attack. ... The training can work and does work."

During this interview, King discusses:

  • International steps the PCI Council is taking to educate merchants, card issuers and networks about enhanced card-skimming protection and techniques;
  • International payments and the possibility of a U.S. move to EMV or a chip-based mobile alternative;
  • Future card-skimming trends.

King is the European regional director for the PCI Security Standards Council, leading the SSC's efforts to increase adoption and awareness of PCI security standards in Europe. King's responsibilities include gathering feedback from the merchant and vendor community, coordinating research and analysis of PCI SCC managed standards in European markets, and driving educational efforts and council membership through involvement in local and regional events. He also serves as a resource for approved scanning vendors and qualified security assessors. Before joining the council, King was the vice president of the Payment System Integrity Group at MasterCard Worldwide, where he played an integral role in developing payment terminal and chip-card security programs. He also spent more than 14 years working in the United Kingdom semiconductor industry and has a strong background in emerging technologies, including contactless cards, encryption and mobile payments.

The Global Fight

TRACY KITTEN: Card skimming is a growing global fraud concern, but industry leaders are taking steps to address card skimming in the U.S. and abroad. Jeremy King, European regional director for the PCI Security Standards Council, shares his views about skimming trends and the steps the PCI Council is taking to help merchants and financial institutions ensure better card security.

Jeremy, card skimming is not a new problem, but one that continues to plague the industry. What are some of the card skimming trends you're seeing in Europe and other parts of the world, and what steps is the PCI Council taking to address those trends?

KING: I think the interesting issue is that we are moving away from individual people trying to introduce card skimming devices into terminals, and moving toward organized crime. The impact organized crime is having is that they bring improved technology. So, we are seeing an increased use of high technology, both from the creation of the skimming devices and the implementation and use around the world, and it is a global problem.

Just a quick recap, card skimming is really a method of illegally collecting cardholder data in order to use that data to perform fraudulent transactions. In the past, we've seen this being used against various devices, both to point-of-sale devices, ATMs and unattended terminals. From the PCI's perspective, we've been tackling this threat in a number of ways, primarily with the introduction in 2005 of the first point-of-interaction/point-of-sale security standard, and that is all about improving the security of terminals to prevent criminals being able to gain access to insert skimming devices into these types of devices. In 2008, we widened that to include unattended terminals, so we have a standard for those sorts of devices.

The other area that we are using to help counter this challenge is that we released a guideline for merchants on anti-skimming best practices; although we can improve the actual security of the terminals themselves, improving the awareness of merchants and their staff on how to see and detect whether their terminals have been tampered with is of great importance when it comes to tackling the issue.

The Lingering Mag-Stripe

KITTEN: In the United States, the continued reliance on magnetic-stripe card technology has posed problems, not just for U.S. cardholders, but for cardholders the world-over. How has the lingering mag-stripe fed card skimming trends that you're seeing in other parts of the world?

Follow Tracy Kitten on Twitter: @FraudBlogger

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE FFIEC Issues Cyber-Resilience Guidance

New business continuity guidelines from the Federal Financial Institutions Examination Council...

Latest Tweets and Mentions

ARTICLE FFIEC Issues Cyber-Resilience Guidance

New business continuity guidelines from the Federal Financial Institutions Examination Council...

The ISMG Network