The Payment Card Industry Security Standards Council is providing updated guidance for merchants to protect against fraudulent card skimming, which it says costs U.S. businesses and consumers $8 billion a year.
The "best practices" guidance outlines how to identify both physical and logical risks related to skimming, the council stated in a Sept. 10 press release. The council maintains the PCI Data Security Standard (PCI DSS), which describes how companies that handle card data must protect it.
In addition, the guidance illustrates how to evaluate and understand the vulnerabilities inherent in point-of-sale terminals and payments infrastructure, as well as the risk posed by staff who have access to consumer payment devices. The guidance also aims to help organizations identify compromised terminals.
Skimming is commonly associated with external electronic devices attached to ATMs, but it can compromise many different payment forms, the council said. Skimming attacks can take place at POS terminals or over wireless technologies such as Bluetooth and Wi-Fi, and they can also affect EMV chip cards, the council added.
"Skimming is highly profitable and appeals to a wide range of criminals because it allows them to capture massive amounts of data in a short amount of time, with low risk of detection," said Troy Leach, chief technology officer for the PCI council, in the release.
The council formed an industry task force to update its skimming guidance to address newer attack vectors: data capture by malware and memory scrapers or by compromised terminal software, overlay attacks made easier by advances in 3D printing, and weaknesses in mobile devices.
The PCI council is also advising the payments industry to remain vigilant against the mounting wave of organized data breaches.
"Retailers and banks are under constant assault from international criminals who remain out of reach in safe havens worldwide," the council said in a prepared statement.