MasterCard Worldwide is committed to helping protect the account data of its member banks, merchant partners, and cardholders. To achieve this goal, MasterCard works with technology and industry experts to protect cardholders, merchants, cash machine acquirers and financial institutions against “skimming”. You can help protect your business against skimming by knowing the facts and following best practices.

Skimming means copying encoded data from the magnetic stripe of one payment card to another card. Fraudsters use fake card readers called “skimmers” to copy card information. They may use the account information to replicate the card, withdraw cash, or purchase goods and services. Some fraudsters compile lists of account numbers to sell to other thieves.

Skimming commonly occurs in two places: at ATM and POS terminals.

• Cash Machine Terminals. Fraudsters typically place skimmers either directly over or inside the slot where cardholders insert their cards to capture the magnetic stripe data. A skimmer often looks like it is part of the cash machine. Many skimmers are built to resemble a genuine card reader and allow cardholders to remove their card from the cash machine at the end of a transaction. To successfully create a counterfeit card, the fraudster needs the cardholder’s PIN as well as the magnetic stripe data. Fraudsters may capture PINs by installing a small camera on the cash machine or overlaying the PIN pad with a device that records the cardholder’s key strokes.
• POS Terminals. Retail and restaurant staff who have possession of a cardholder’s card for a period of time may use handheld skimming devices. While swiping a card through the terminal, they make an electronic copy of the magnetic stripe.

Criminals who participate in skimming rings can reap high profits from this type of fraud.

MasterCard suggests that issuing banks educate their cardholders to protect themselves against skimming, and routinely inspect their own cash machines to minimise risk.

• Merchants should regularly inspect their telecommunications equipment and systems for tampering. Merchants who suspect tampering should contact their acquirer or merchant service provider for assistance.
• Merchants should confirm that their acquirer is working with its point-of-interaction (POI) equipment vendors to provide the highest available protection of maintenance passwords. Additional security measures might include software enhancements or use of paired or split passwords.
• Merchants should validate the identity of persons claiming to be bank representatives or service providers who come to inspect or maintain POI equipment on the premises.
• Acquirers should regularly educate merchants on how to identify signs of equipment tampering.

• Cash machine acquirers and their servicing vendors should regularly inspect terminals for evidence of tampering.
• Display an onscreen message reminding cardholders to shield their PIN and check for suspicious devices before inserting their card into a cash machine.
• Ensure that the area immediately around the card entry slot is constructed in a way that makes it impossible to install a fake card reader without being obvious to a cardholder.
• Outfit the area with tamper detection capability that triggers the cash machine to go out of service if tampering occurs and requires a service call to manually reset the machine.