Hosting an ATM in Your Store

MasterCard Worldwide is committed to helping protect the account data of its member banks, merchant partners, and cardholders. To achieve this goal, MasterCard works with technology and industry experts to protect cardholders, merchants, ATM acquirers, and financial institutions against “skimming.” You can help protect your business against skimming by knowing the facts and following best practices.

Skimming means copying encoded data from the magnetic stripe of one payment card to another card. Fraudsters use fake card readers called “skimmers” to copy card information. They may use the account information to replicate the card, withdraw cash, or purchase goods and services. Some fraudsters compile lists of account numbers to sell to other thieves.

Skimming commonly occurs in two places: at ATM and POS terminals.

• ATM Terminals. Fraudsters typically place skimmers either directly over or inside the slot where cardholders insert their cards to capture the magnetic stripe data. A skimmer often looks like it is part of the ATM. Many skimmers are built to resemble a genuine card reader and allow cardholders to remove their card from the ATM at the end of a transaction. To successfully create a counterfeit card, the fraudster needs the cardholder’s PIN as well as the magnetic stripe data. Fraudsters may capture PINs by installing a small camera on the ATM or overlaying the PIN pad with a device that records the cardholder’s key strokes.

• POS Terminals. Retail and restaurant staff who have possession of a cardholder’s card for a period of time may use handheld skimming devices. While swiping a card through the terminal, they make an electronic copy of the magnetic stripe.

Criminals who participate in skimming rings can reap high profits from this type of fraud.

MasterCard suggests that issuing banks educate their cardholders to protect themselves against skimming, and routinely inspect their own ATMs to minimize risk.

• Acquirers and merchants should regularly inspect their telecommunications equipment and systems for tampering. Merchants who suspect tampering should contact their acquirer or merchant service provider for assistance.
• Acquirers should consult their point-of-interaction (POI) equipment vendors to request increased protection of maintenance passwords. Additional security measures might include software enhancements or use of paired or split passwords.
• Merchants should validate the identity of persons claiming to be bank representatives or service providers who come to inspect or maintain POI equipment on the premises.
• Acquirers should regularly educate merchants on how to identify signs of equipment tampering.

• ATM acquirers and their servicing vendors should regularly inspect terminals for evidence of tampering.
• Display an onscreen message reminding cardholders to shield their PIN and check for suspicious devices before inserting their card into an ATM.
• Ensure that the area immediately around the card entry slot is constructed in a way that makes it impossible to install a fake card reader without being obvious to a cardholder.
• Outfit the area with tamper detection capability that triggers the ATM to go out of service if tampering occurs and requires a service call to manually reset the machine.