From London to Miami to Malaysia, card "skimming" is increasing at an alarming rate. It is victimizing consumers, causing havoc with merchants, and costing the industry hundreds of millions of dollars every year. There are even new forms of this practice that defy detection tools and have the potential to seriously weaken the industry's cornerstone brands.
This is no longer simply an issue of justifying investments in fraud prevention. It is rapidly becoming a threat to the very integrity of the card payment system. The card industry is built on trust: Under normal circumstances, the merchant trusts the acquirer to get paid; the acquirer trusts the issuers to get settled; the issuers trust the cardholders; and the cardholders trust the merchants. Skimming is undermining this trust, and merchants, consumers, and industry leaders must combat it.
Skimming typically occurs when a cardholder hands over a card to a retail or restaurant employee who then surreptitiously swipes the card through a small, illegal card reader, a "skimmer." Skimmers copy the data encoded on the card's magnetic stripe, and the information is used to manufacture counterfeit cards that rack up illegal charges. Industry sources estimate that the average skimmed credit card will generate some $2,000 in fraudulent charges before being detected. The U.S. Secret Service has estimated that 25% of credit card theft derives from skimming.
Skimmers are getting better at what they do. Skimmer bugs are being illegally implanted into point of sale card payment terminals, and software skimmers - essentially viruses that are downloaded into terminals and use phone lines to upload stolen card data to a PC - are starting to appear.
These new forms of skimming thwart one of key tools used to detect skimming. Issuers and the card associations use sophisticated software to pinpoint those merchants where most skimming originates by identifying the Common Point of Purchase among skimmed cards. With skimmers implanted in terminals, whose skimmed magnetic stripes are extracted infrequently - often weeks after the card has passed through - the pattern used in CPP detection becomes obliterated.
The magnetic stripe was simply not designed to withstand attacks that use the latest technologies. Essentially, skimming takes advantage of the fact that a magnetic stripe is a passive medium - its digital content can be copied with perfection, and there is no difference between a copy and the original. With card data becoming available over the Web, the card equivalent of a Napster.com-like exchange for stolen card data could arise.
Smart card chips will ultimately make credit cards skimming-proof. Smart cards can be authenticated online using secure encryption techniques, they are highly tamper-resistant; they are impervious to criminals now and will be for the foreseeable future. But they will not fully replace magnetic stripe cards for many years.
In the short term, the industry must switch to tamper-resistant and secure terminals, and where necessary, deploy portable terminals that let people pay on the spot - at the table in a restaurant, for instance. Today's high-performance touch-screen card payment terminals enable consumer activation, so the consumer never lets go of the card.
In addition, many new generation terminals are tamper-resistant, incorporating detectors that deny access to the internal circuitry and prevent unauthorized downloads, which in turn prevents the downloading of software skimmer bugs.
Unchecked, skimming will hurt the entire industry. We have the technology and the products to fight it, and that's what all merchants, acquirers, processors, and issuers have to do together.
Mr. Wallner is chairman and chief strategist of Hypercom Corp., a point of sale terminal manufacturer and servicer in Phoenix.
