In recent years, one tool consistently used to steal credit and debit card data has been the credit card skimmer. Whether on ATMs or on credit card machines in merchant locations, criminals have clearly made this a tool of choice. In the last two years alone, skimmers were used at such high-profile, multi-location merchants as Barnes and Noble, Michaels, and Lucky’s Supermarkets.
Merchants of all sizes use the same type of credit card machines as these larger merchants. If it can happen to larger merchants, who presumably have more sophisticated security measures in place, what’s the average merchant to do to protect themselves from this sort of attack?
Physically secure terminals
Terminals that are not locked down can be easily swapped out with a doctored unit. Terminals should be locked in a cradle and the key maintained in a secure location. The key to each terminal cradle should be unique to each terminal location so that one key does not open every cradle at every location.
Know the equipment vendor
Merchants tend to be cost-driven when making any purchase – including purchasing processing hardware. If a merchant isn’t going to buy their terminals from you, they need to do their homework to be sure that the vendor they choose has controls in place to ensure that terminals being shipped have not been tampered with. At a minimum, they should verify that vendors put their employees through periodic background checks, track which employees work on what units, and do random physical internal inspections of units to ensure they are not tampered with before they are sent out.
Confirm a terminal swap
Merchants should be trained to confirm a terminal swap before installing the new hardware. All too often, merchants do not have a policy in place to handle terminal replacements or exchanges. Criminals are known to ship terminals with skimmers installed to unsuspecting merchants. Once the new terminal is installed, the criminal begins receiving card data with every swipe.
Use MAC address filtering on store networks
MAC stands for Media Access Control, and is used to identify each physical piece of hardware on a network. Merchants using hardware connected to their network should monitor the MAC address of each device. If a device is replaced with a new device with a new MAC address, the device should be disabled until the new MAC address is verified as being a valid piece of hardware on the network. Terminals are not the only piece of hardware susceptible to skimmers; card readers attached to computers are also targets.
Monitor physical devices
An inventory of the serial numbers of all processing hardware should be maintained, and monitored periodically. Physical card readers, whether on a terminal or attached to a computer, should be visually inspected frequently.
Monitor the network
Terminals or POS systems should only be communicating with a service provider for transaction authorization, and router(s) and/or firewall(s) should be configured accordingly. If a terminal or POS attempts to communicate with any other external IP address, that should generate an alert, which should then be investigated immediately. This will catch tampered devices that are attempting to transfer data to a server outside of the network.
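The MAC verification and network monitoring steps above can be combined into one check over firewall or switch flow records. The following is an added example, not part of the original article; the inventory, the processor address range, the internal range and the flow record format are all constructed assumptions.

```python
import ipaddress

# Assumed inventory of verified terminals: MAC -> label (constructed values).
KNOWN_TERMINALS = {
    "00:11:22:33:44:01": "lane-1",
    "00:11:22:33:44:02": "lane-2",
}
# Assumed processor authorization range (documentation addresses, constructed).
PROCESSOR_NETS = [ipaddress.ip_network("203.0.113.0/28")]
# Assumed internal range terminals may reach (gateway, local POS server).
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed flow records, one per line: "src_mac src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
00:11:22:33:44:01 10.20.0.11 203.0.113.5 443
00:11:22:33:44:02 10.20.0.12 203.0.113.5 443
00:11:22:33:44:02 10.20.0.12 198.51.100.77 8080
00:11:22:33:44:01 10.20.0.11 10.20.0.1 53
de:ad:be:ef:00:09 10.20.0.13 203.0.113.5 443
"""

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def review_flows(text):
    """Return a list of (reason, src_mac, dst_ip) alerts for the flow records."""
    alerts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or short records
        mac, _src, dst, _port = fields
        mac = mac.lower()
        dst_ip = ipaddress.ip_address(dst)
        if mac not in KNOWN_TERMINALS:
            # Replaced or added hardware: hold until the MAC is verified.
            alerts.append(("unverified-mac", mac, dst))
        elif not _in_any(dst_ip, PROCESSOR_NETS + INTERNAL_NETS):
            # Known terminal talking to something other than the processor.
            alerts.append(("unexpected-destination", mac, dst))
    return alerts

if __name__ == "__main__":
    for alert in review_flows(SAMPLE_FLOWS):
        print(*alert)
```

A MAC address can be set in software, so a match against the inventory is a tripwire that complements the serial-number inventory and physical inspections rather than proof that the hardware is genuine.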
While it may not be possible to protect against skimmers being installed in every case, these steps should allow merchants to detect the presence of a skimmer quickly.