“Shimming is the new skimming”, according to a Better Business Bureau (BBB) post last week. What’s this all about? Credit card skimmers were and still are molded plastic overlays that criminals place around point-of-sale (POS) terminals. These overlays steal magnetic stripe card information from unsuspecting consumers.
To combat skimming, engineers from Europay, MasterCard and Visa (hence, EMV) designed the EMV chip. It actually came out in 1994 but wasn’t adopted in the United States until late 2015. When we eventually started using EMV-based credit cards, we gleefully exclaimed “No more skimming!” We finally beat the scammers, or so we thought.
Please welcome “shimming” to the scene. Most people think of a shim as a wedge that holds a door open. In the modern era of credit card scams, a “shim” is an incredibly thin device that thieves install inside a POS device, so you will be far less likely to know that it’s there. Because a shim sits inside the device rather than over it, the old “tug the POS” trick for checking whether a skimmer was installed will no longer alert you to a card-data-stealing operation.
This all sounds dire, right? Well, it is, but retailers and consumers can do something about it. Here are some tips:
1. Retailers – Follow PCI DSS Requirement 9.1.1, which says “Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.”
2. Retailers – Follow PCI DSS Requirement 9.9, which encourages you to “periodically inspect devices to look for tampering or substitution.”
3. Consumers – Keep cash on hand. If your card gets stuck when trying to pay, there could be a shim in the POS device. Pay with cash and encourage the retailer to inspect the POS device.
4. Consumers – Pay with a “contactless payment” option (where accepted) such as Samsung Pay, Apple Pay, or Google Pay.