Sophisticated overlay skimmers have been found at Walmart on Ingenico iSC250 devices on payment terminals. The new skimmers are extremely difficult to detect, as they are a full device overlay.
An image of the these new advanced overlay skimmers can be found below:
Finding the enclosed Skimmer in devices is very difficult. By looking at first sight, you cannot tell the difference between normal and skimmered device. Below image shows the device with skimmer enclosure attached.
The skimmers can be installed quickly by simply snapping on to the existing Ingenico device. The process is very easy and it only takes a few seconds and can be installed with ease. The skimmers will read credit card magnetic stripe track data and store it within a module inside of the skimmer. It cannot read EMV cards, but they do have an EMV slot to allow for EMV transactions to occur, as to not arouse suspicion.
As of now, only 60% of US merchants have implemented EMV-ready devices, so criminals still have a significant market for stealing data from MSR transactions. The PIN pad can also record input, and will log a users PIN when a PIN is required (e.g. debit cards).
PCIBlog notes that the sophisticated skimmers will likely spread, and merchants should perform regular inspections of their Point-of-Interaction (POI) payment terminals. For PCI Validated P2PE merchants, the P2PE Instruction Manual (PIM) provided to you by your solution provider will guide you on the required frequency of POI devices. That being said, we strongly suggest that merchants perform weekly inspections of their POI devices, even if their PIM guideline shave a less stringent standard. If POI device inspections are not part of your current standard operating procedures, you should implement them as soon as possible.
