MAG Insights

Announcements from the MAG & Featured Articles

MAG Sponsor Spotlight: Now that my Business is EMV® Chip Card Capable, What Else Do I have to Worry About? (MAG Quarterly- Volume Six, Issue Two)

Brennan_Larry Headshot
By Larry Brennan, Senior Vice President, Merchant Data Security and Cybersecurity Director, Bank of America Merchant Services

June 7, 2018

EMV® (Europay, Mastercard and Visa) chip technology1 is a powerful step forward in protecting against credit card fraud. Unlike data contained on a magnetic stripe – which, once stolen, can be used over and over – the EMV chip’s unique transaction code for each use makes it highly secure for in-person purchases.  

But with adoption finally widespread throughout much of the U.S., fraudsters are now employing workarounds. They do this using a variety of ways to access financial card data, from phishing attacks to Wi-Fi spoofing in unprotected public spots. This is why small business owners can get the feeling that they are playing a game of ‘Whac-a-Mole.’  Just when they thwart one attack, another can seemingly pop-up out of nowhere.  

Just as the mole’s last hole doesn’t tell you where it will pop up next, fraudsters don’t always employ predictable techniques when attacking a business. Here are some of the ways fraudsters are getting creative in how they hack into payment and financial information systems – and what mallet, or method, business owners can employ to help defend against these attacks.  

Point of Sale Fraud  

  • Skimming – A skimming device is a card reader which can be disguised to look like part of an ATM or point-of-sale (POS) terminal. As long as EMV chip cards also store data on the magnetic strip, skimming will continue. Today’s fraudsters make sophisticated skimmers using 3-D printers that are virtually indistinguishable from the parts of the terminal to which they are attached.  
  • Shimming – As skimming devices aim to steal credit card information via the card-swipe method, “shimming” devices are the next stage in card fraud evolution. Shimmers, which are thin enough to hide inside a card reader, can be used to stage a “man in the middle” attack by making a copy of the data on the EMV chip as it’s transmitted to the compromised machine.  

Card-Not-Present Fraud 

  • Phishing – An old trick keeps getting more sophisticated. As seen with the recent Gmail scam2, attackers disguised as a trusted contact are sending authentic-looking emails with seemingly relevant attachments, such as invoices, that can dupe even seasoned security savvy individuals into taking the bait.  
  • Spoofing – This is another type of attack that has been around for years – and continues to evolve. Mobile devices are constantly on the hunt for Wi-Fi networks, and most people are happy to join public networks to get a better connection and save on their data usage. Spoof attackers replicate Wi-Fi login screens to look and feel exactly like those used by familiar brands and service providers and steal sensitive data. 

Often, criminals harvest payment card data to be sold on the DarkNet, an internet alternative that can be accessed only with specific software, configurations, or authorization, often used to conduct illegal business. 

Vigilance and awareness of security practices can help protect you. Here are a few ways you can help ensure your business’ and customers’ vital information doesn’t get into the wrong hands:  

Card-present environment 

  • Embrace secure technology. Investing in end-to-end encryption and tokenization can help protect data from the entry point through the authentication process and back. 
  • Check your hardware regularly. Point-of-sale terminals should be physically inspected for skimmers and shimmers on a regular basis, ideally at the start of each work shift.
    • Here are some things to look for:
      • Check for scratches of sticker residue. Scratches or sticker residue can be tell-tale signs that a terminal has been removed, replaced, or tampered with. 
      • Wiggle the terminal. If a skimmer has been placed over your terminal, wiggling the terminal may help loosen the adhesive holding the fraudulent device in place. 
      • Press the buttons. If a skimmer has been placed on top of your terminal, the buttons may be harder to press. 

Card-not-present environment 

  • Choose a payments processor wisely. Merchants should work with payments processor that not only offers end-to-end and point-to-point encryption – but one that stays on top of the rapidly evolving payment security landscape. 
  • Scale your fraud protection solution appropriately. Going overboard on security can cause false positives that result in unnecessary card declines and loss of sales. When it comes to security, one size does not fit all. There are a lot of resources and materials out there, so be sure to do your due diligence when it comes to finding the right choice for your business.

(2) Mathews, Lee, “This Gmail Phishing Attack is Fooling Even Savvy Users,”, Jan 16, 2017. 

If you’re concerned about the integrity of your payment environment, know that you are not alone. If you stay informed, alert and disciplined, your business stands a good chance of beating the odds in the fight against fraudsters.  
(1) EMV is a registered trademark in the U.S. and other countries, and an unregistered trademark elsewhere. EMV® is a registered trademark owned by EMVCo LLC