Date: 2022-10-19

Shimming remains a credit card security threat for c-store retailers, but inspecting card readers on dispensers regularly can help protect operators and their customers.

It was about three years ago that security experts began warning retailers that “skimming” had evolved into something called “shimming.” But is “shimming” still a concern for convenience stores?

In a word: yes.

Shimming can be thought of as the next generation of skimming, in which clever criminals intercept credit or debit card information from a card reader to either use or sell. With shimming, scammers use a more sophisticated, paper-thin device called a ‘shim’ to copy the chip-card information. Chip-enabled cards were themselves developed to help combat identity theft and fraud by adding a layer of security.

“Shimming is the ‘unrung sale’ in my vocabulary,” said veteran licensed private detective Michael Wojtanowicz, J.D., a corporate security expert with over 25 years of experience, and the founder of Systematic Inquiry Group in Orange, Calif. “It is alive and well today in all our cash retail and wholesale clients.”

“It’s still a concern and issue, but I don’t have any stats; it’s mostly anecdotal,” said Paige Anderson, director of government relations for NACS in Alexandria, Va. “I receive questions about skimming and shimming thefts every couple of weeks from state weights-and-measures folks, local law enforcement and retailers. It’s always a concern, as any type of payment card theft is at the pump and other point-of-sale systems.”

The Better Business Bureau offers a wealth of advice for retailers on how they can protect their businesses and customers from shimming. For example, periodically inspect devices to look for tampering or substitution. Be wary if customers report that their cards are getting stuck in your chip reader. If the reader seems to have a tighter than normal grip on cards, there could be a shim inside.

Another tip: adhere to PCI DSS Requirement 9.1.1. It states, “Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.”