Merchants—rightfully so—are worried about securing their payment card environments so that their name does not appear in a headline discussing how millions of cards were stolen from them. Faced with the challenge of evaluating the use of P2PE and tokenization, the conversion necessary to prepare for the October 2015 EMV liability shift, reading the tea leaves on what mobile payment technology will catch on, and accommodating the marketing department’s appetite for capturing customer transaction data, who has time to worry about small issues like a skimmer? After all, a merchant would never have to post anything on their website, issue a press release, and e-mail customers over finding a skimmer on one checkout lane in one store, right? Wrong.

Skimming devices can capture the data contained in “track 1” of the magnetic stripe on the back of a payment card. Thus, a skimming event can result in an unauthorized person gaining access to the cardholder’s name and payment card account number, which meets the definition of “personal information” under state breach notification laws. No problem, you say: we will just mail notification letters to the small number of affected individuals. There are usually two primary problems: (1) merchants are often not able to precisely determine when the skimmer was first installed, so it is difficult to determine which cards were affected; and (2) for card-present transactions, even if the merchant knows which cards were affected, most merchants are not able to match the affected card number to the cardholder’s name or address. When state breach notification laws are triggered but the merchant does not have names and addresses, and thus cannot mail notification letters to the affected cardholders, the substitute notification provisions of state breach notification laws apply.

In general, to comply with substitute notice provisions of state breach notification laws, merchants have to do the following to notify affected cardholders: (1) place a link on a conspicuous place of the merchant’s website to a page that provides the required notice of the incident; (2) send an e-mail to the individuals with the required notice if the merchant has their e-mail addresses; and (3) issue a press release to major statewide media (TV, radio, and newspaper). So, one bad employee using a handheld skimmer can force merchants to put a link on the homepage of their website and issue a press release about an incident that may only affect a few hundred cardholders.

The PCI Security Council issued updated guidance on “Skimming Prevention: Best Practices for Merchants” on September 10, 2014. The guidance describes the risks, the different types of skimmers, how to investigate for the presence of skimmers, employee awareness and training ideas, a risk assessment tool, and a checklist for inspecting for the presence of skimmers. There truly is a wide variety of skimmers. They range from handheld devices, to overlays, to keylogger devices inserted in the cabling, to 3D-printed overlays. Even NFC- and EMV-enabled terminals are not immune. And the Security Council guidance has the pictures to prove it.
