- slide 1 of 5
Credit card skimming takes place when an unscrupulous employee or someone else with access to the organization's inner work chambers makes a conscious and determined act, but unauthorized act, of securing customer credit card details for misuse or personal gain. It ranks as a major type of electronic fraud today.
The methods of skimming vary. An unscrupulous employee entrusted with credit card details may photocopy receipts, use skimmers or small electronic device to swipe and store the victims’ credit card numbers, deploy a small keypad under the legitimate keypad and transmit the card security code by wireless, or simply memorize the card details.
- slide 2 of 5
Employ Good People and Control Them Well
The best approach to prevent credit card skimming may have nothing to do with credit cards, financial transactions, or network security at all. It may simply require an uncompromising HR policy of selecting candidates with high integrity, for skimming is typically an "inside job" done by a dishonest employee..
The number one reason for network security breaches is unscrupulous employees. This is more so for skimming where the only reason such breaches take place is when employees make a willing and conscious effort to engage in fraud.
Organizations looking to secure their networks and electronic devices need to:
- Ensure that the recruitment process probes the honesty, trustworthiness and integrity of the candidate and providing enough consideration to such factors along with technical competence and other skills.
- Undertake a thorough background check of the short listed employee to check for police records, convictions, terminations for integrity issues and more, before conforming the offer.
- Have the employee sign a strict non-disclosure policy that specifically prohibits actions such as credit card skimming.
- Have strict policy in place specifying stringent punishment for integrity issues. Make sure the employees read and sign a copy of the policy and implementing it mercilessly.
- slide 3 of 5
Credit card skimming takes place when an unscrupulous employee gets an opportunity to capture the card details. A transparent setting preempts the scope for such an action.
The maximum instances of credit card skimming occurs in restaurants, gasoline stations, and other places where the customer entrusts the employee with the credit card for swiping. Waiters, cashiers or other service providers may capture the card details as they take the card away to swipe. Organizations would do well to swipe cards only at the customer’s presence by asking the customers to come along to the swiping machine or having wireless swiping machines in place that allows taking the machine to the card rather than the other way round. Another option is installing do-it-yourself swiping machines that eliminate the need for employees to process customer cards
Another major area where credit card skimming occurs is call centers that process online payments. The card owner provides the card details over phone or chat, allowing the dishonest employee any number of means to store such data for their own nefarious use later. Organizations would do well to have an open workstation where the employee’s actions are visible to everyone, and automate processes related to credit card details as far as possible to minimize chances of employees gaining access to such information.
- slide 4 of 5
The success of measures to prevent employees capturing card details once the card is in their possession is limited because if all avenues remain closed, employees can simply choose to remember the card details. Organizations would nevertheless do well to:
- Strictly forbid the use of any unauthorized electronic device in their workstation.
- Strictly monitor the workplace for any suspicious activity, but all the while remaining careful not to violate any privacy laws.
- Have strong network security measures in place that restricts access of customer data, traces everyone accessing any data, white list authorized devices, and monitor to detect the presence of unauthorized networks.
- Regulate the use of the Internet in the workplace.
Some companies go to extremes to preventing employees from taking in pens or even having them wear uniforms without pockets. Such approaches, however, may not always work, and might constitute as affront on basic employee rights, besides precipitating an atmosphere of distrust.
- slide 5 of 5
Secure the Pin Pad
Another dimension of skimming is when rogue employees or others with access retrofit skimmers to legitimate ATMs, gas pumps, grocery/department store checkout machines, restaurants and other places where users swipe their credit cards. Here, the perpetrator places a device over the card slot to read the magnetic strip as the user or an employee passes the card through it. A miniature camera inconspicuously attached nearby reads the user's PIN at the same time
To prevent such types of skimming, establishments should take care to secure their pin pad physically. Ways to do so include:
- Inspecting the pin pad for signs of any tampering at the start and end of each shift.
- Checking the serial number of the pin pad daily to see if someone has changed the entire pin pad itself. The unregulated sale of pin pads gives skimmers ample scope to install their own pin pad and transmit the data via wireless avenues.
- Physically securing the pin pad to a stand, securing endpoints, and concealing the cables. All these make tampering difficult. Treat the pin pad like cash, and place it under the counter or out of sight.
- Move to chip and pin. Skimming bases itself on capturing the magnetic swipe, and does not work with a fully authenticated chip transaction.
The ordinary card holder, especially one who uses the card frequently might find it difficult to identify where the skimming has taken place, but the card issuer collates the complaints received to detect a pattern and identify the source of the skimming easily. The penalties for merchants can be severe, and may extend to exclusion from the system and criminal charges, even if the fault lies with a rogue employee and not the merchant per se. As such, no measure your business can take to help prevent credit card skimming is a wasteful expenditure.
Lastly, certain businesses and organizations may be subject to the Federal Trade Commission's (FTC) Red Flag rules - learn more about Red Flag Rules here.
- "What is Debit Machine Skimming?". Retrieved from http://www.canadacardprocessing.com/pos/prevent-debit-machine-skimming/%20on%20October%2003, 2011.
- Image Credit 2: flick.com/Jessica Allan Schmidt under CC 2.0 license
- Image Credit 1: flickr.com/Andres Rueda under CC 2.0 license
- "Credit Card Skimming: How thieves can steal your card info without you knowing it." Retrieved from http://www.networkworld.com/community/node/33210%20on%20October%2003, 2011.