In the wake of the Heartland-hacker nab, the Payment Card Industry Security Standards Council has unveiled new best practices for retailers that aim to help merchants defend themselves against the growing number of credit- and debit-card skimming scams.
 
According to an article in DarkReading, skimming is a growing problem for grocery stores, gas stations, convenience stores and other retailers and their customers, who are increasingly falling victim to compromised POS devices and ATMs.
 
Bob Russo, the general manager of the council, says skimming is a widespread problem:
These are guidelines for what retailers should be looking at with their reader devices. We discuss different techniques for protecting those point-of-sale devices.
But Chris Paget, a security researcher who himself fell victim to an ATM-skimming attack at the recent DefCon conference in Las Vegas, tells DarkReading that skimming attacks are a symptom of an already-broken system of credit and debit cards:
The concept of a 'credit card' as it exists today is the problem. If credit cards were cryptographic devices rather than just numbers, then none of these threats would be a problem. The technology exists to implement this today and to completely eliminate credit card fraud, but it seems there's too much money being made from fraud for the card issuers to care.
Paget says the PCI guidelines neglect to address two areas of potential fraud: a malicious merchant stealing the data, and equipment that is tampered with at the factory:
If the person you give your card to at a restaurant has their own card skimmer, you're just as vulnerable. (And the guidelines) do not address the case of legitimately purchased equipment that was tampered with at the factory, nor the case of a software-only addition to an ATM or card reader.
The PCI Council's "Skimming Prevention: Best Practices for Merchants" guidelines include a risk assessment questionnaire and self-evaluation forms to help retailers gauge their risk. The guidelines detail how to identify a rigged reader and what to do about it.
