BreachExchange mailing list archives

Why Worry About a Little Skimmer?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 22 Sep 2014 18:56:13 -0600

http://www.jdsupra.com/legalnews/why-worry-about-a-little-skimmer-49673/

Merchants—rightfully so—are worried about securing their payment card
environments so that their name does not appear in a headline discussing
how millions of cards were stolen from them. Faced with the challenge of
evaluating the use of P2PE and tokenization, the conversion necessary to
prepare for the October 2015 EMV liability shift, reading the tea leaves on
what mobile payment technology will catch on, and accommodating the
marketing department’s appetite for capturing customer transaction data,
who has time to worry about small issues like a skimmer? After all, a
merchant would never have to post anything on their website, issue a press
release, and e-mail customers over finding a skimmer on one checkout lane
in one store, right? Wrong.

Skimming devices can capture the data contained in “track 1” of the
magnetic stripe on the back of a payment card. Thus, a skimming event can
result in an unauthorized person gaining access to the cardholder’s name
and payment card account number, which meets the definition of “personal
information” under state breach notification laws. No problem, you say – we
will just mail notification letters to the small number of affected
individuals. There are usually two primary problems: (1) merchants are
often not able to precisely determine when the skimmer was first installed,
so it is difficult to determine what cards were affected; and (2) for card
present transactions, even if the merchant knows which cards were affected,
most merchants are not able to match the affected card number to the
cardholder’s name or address. When state breach notification laws are
triggered but the merchant does not have names and addresses, and, thus,
cannot mail notification letters to the affected cardholders, the
substitute notification provisions of state breach notification laws apply.

In general, to comply with substitute notice provisions of state breach
notification laws, merchants have to do the following to notify affected
cardholders: (1) place a link on a conspicuous place of the merchant’s
website to a page that provides the required notice of the incident; (2)
send an e-mail to the individuals with the required notice if the merchant
has their e-mail addresses; and (3) issue a press release to major
statewide media (TV, radio, and newspaper). So, one bad employee using a
handheld skimmer can force merchants to put a link on the homepage of their
website and issue a press release about an incident that may only affect a
few hundred cardholders.

The PCI Security Council issued updated guidance on “Skimming Prevention:
Best Practices for Merchants” on September 10, 2014. The guidance describes
the risks, the different types of skimmers, how to investigate for the
presence of skimmers, employee awareness and training ideas, a risk
assessment tool, and a checklist for inspecting for the presence of
skimmers. There truly are a wide variety of skimmers. They range from
handheld devices, to overlays, to keylogger devices inserted in the
cabling, to 3D-printed overlays. Even NFC- and EMV-enabled terminals are not
immune. And the Security Council guidance has the pictures to prove it.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
