"Device Skimming: Attacks and Defence" is based on industry best practices to help retailers protect payment systems and limit the likelihood that they will be the victim of skimming attacks.

Skimming attacks involve criminal gangs who attempt to modify Point of Sale (PoS) terminals by fitting them with equipment that captures card information and potentially customer's PIN numbers whilst the card is being processed. To assist retailers, Visa Europe has developed a set of best practice guidelines to mitigate the risk of skimming attacks.

Effective management of PoS devices and increased vigilance can significantly reduce the likelihood of skimming attacks being successful. Following this simple set of guidelines will help make the payment system more secure. Visa Europe recommends that all of the guidelines should be followed in order to form a layered approach to system defence. Retailers should:

• Examine payment acceptance devices on a regular basis to identify whether the device has been altered or tampered with. This examination should include the retailer looking for: missing seals or screws, extraneous wiring, holes in the device or additional labels used to mask damages.
• Familiarise themselves with the environment in which payments systems are operating and be aware of any additional or unknown items that appear in the vicinity of the device. Many criminals use the areas surrounding PoS devices to install cameras to record customer PIN entry details. Retailers can use CCTV to deter criminals and help to protect the security of PoS devices. Cameras should be positioned to monitor the location of devices and not record PIN entry at the device.
• Secure their devices to prevent their substitution and protect against tampering. Where possible, cables connecting to terminals should be protected using a conduit or held within a physically secure structure. This should be carried out in accordance with relevant disability legislation for the country in which the device is deployed.
• Implement employment policies to ensure that appropriate background checks are carried out on employees who will be handling the devices. Employees should also be made aware of their responsibilities to protect PoS devices and be vigilant to possible attacks.
• Develop and implement policies and procedures to train staff to validate the identity of all payment systems repair technicians or any other entity who tries to either remove or install a PoS device.
• Use PCI Security Standards Council (PCI SSC) approved devices.

Stanley Skoglund, Senior Vice President Payment System Risk at Visa Europe, said "Skimming attacks are becoming increasingly sophisticated. Fraudsters operate in organised groups around the world and attacks are often difficult to detect. Visa Europe does not tolerate activities that undermine the integrity of the payment system as this has an impact on the trust that consumers have in your business. By taking an active stance, Visa Europe's guidelines highlight pro-active steps that retailers can take to ensure acceptance of card payments take place in a safe and secure environment and reinforce consumer trust."

Over the past year, Visa Europe has introduced a range of guidelines for retailers including advice on emerging technologies such as data encryption, tokenisation, and industry-specific whitepapers to help participants in the payment chain better understand their responsibilities related to securing cardholder data as well as providing simply guidance on how retailers can protect themselves from common attacks.