Skimming not a violation of PCI DSS
October 31st, 2008 Posted in Credit Card Fraud, PCI DSS
It is important to remember that credit card skimming is an entirely different type of fraud than what the PCI DSS is meant to protect against. Remember that the PCI program has several sub-sections: PCI DSS, PCI PED, and PCI PA-DSS. Each of these is meant to address a different piece of the pie.
The PCI DSS is meant to protect against the electronic and paper theft of credit card data within an organization. That is the scope of the 12 ‘digital dozen’ requirements and their sub-requirements. It is not meant to protect against credit card skimming, which is a problem I don’t know that anyone can solve. (Though the implementation of Chip and PIN plus iCVV may reduce it in the future.)
In fact, skimming, cloning, and other credit card fraud are rather difficult to curtail. But there is a difference between what PCI DSS is meant to protect and skimming fraud. You see, skimming requires a physical presence. Whether the magnetic stripe or the RFID component is being skimmed, the attacker needs to be there physically. This reduces the risk because (1) the attacker is exposed to a greater risk of capture, and (2) these types of schemes do not scale well.
If I can hack into a computer network (i.e. a retailer, restaurant, or university) and copy credit card data, it does not require a physical presence and I can copy as much data as exists. If the computer system or point of sale (POS) machine contains a million credit card numbers, then voilà! Capturing that same volume of data from individuals via skimming would take a considerably longer period of time.
The goal is always to focus on risk reduction, because risk may well never reach zero (or getting there will simply be cost prohibitive). By properly applying the PCI controls for data security, PIN pad security, and application security, you can help reduce your risk of financial loss.
4 Responses to “Skimming not a violation of PCI DSS”
By Marco on Nov 1, 2008
Nice post, but not sure about the assessment: skimming requires physical presence of the fraudster. There are skimming devices sold in the underground market that come with wireless devices and allow the PIN and track 2 data to be sent to the fraudster. The recent arrest of Cha0 in Turkey was due not to him selling these devices (that is legal) but to giving tips on how to use them for fraud via the darkmarket network.
Regarding the mitigations, you mentioned chip and PIN. It is breakable, but it costs more to break and this is a deterrent, at least for now. A good mitigation is to apply defense in depth at different layers: card readers, protection of the PINs, dynamic CVV generation, etc. Regarding PCI, I do not think in this case compliance can drive mitigation for fraud.
Regards
Marco
By deincognito on Nov 2, 2008
And what about handwritten signatures digitized by POS tablets?
This data is not included in PCI-DSS, yet it is as vulnerable and relevant as the data considered in the standard.
Regards
By Michael Dahn on Nov 2, 2008
@Marco, all very good points. What I meant was that placement and/or removal of any physical device requires physical access. This both increases the risk and slows down the compromises.
By Michael Dahn on Nov 3, 2008
@deincognito there are specific requirements for merchants when handling certain information, but you have to remember that the PCI DSS was meant to eliminate the storage of Sensitive Authentication Data and protect the storage of Cardholder Data. It’s important to review the definition of each when structuring your compliance process.