Friday, August 5th, 2016

POS (Point of Sale) Attacks On The Rise Again

Cybercriminals have an insatiable thirst for credit card data. Right now, a number of internet forums openly sell credit and debit card data in various formats, in some cases for as little as $25. Point-of-sale (POS) attacks remain a huge problem for companies. As noted by Threatpost, POS hacks have resulted in more than 20 million stolen bank cards as attackers shift from more traditional malware to undermining POS systems themselves. So how do criminals get this data? Skimming is one of the more popular methods, and it comes in two forms: software and hardware.

Software skimmers are specialized malware packages that monitor POS memory for plaintext card data.

Hardware skimmers are even more devious. Criminals have designed miniature monitoring devices that fit inside normal card readers. When a customer or clerk swipes a card, the monitoring device reads the magnetic stripe at the same time as the legitimate reader.

With POS malware, attackers have a window of a few seconds in which to steal the data. In most cases the data is encrypted (a compliance requirement for merchants), but for a split second, while it waits for authorisation to complete, it sits unencrypted in process memory. This is when they attack.

A major concern among security and online banking professionals is international sporting events, particularly the 2016 Olympics in Rio. Brazil is already the banking malware capital of the world. According to Symantec, cybercriminals pull in $8 billion a year in Brazil.

Chip and PIN cards are much more difficult to clone, making them less attractive to attackers; however, the U.S. lags behind in the adoption of these cards, which could hurt U.S. tourists.

So how do merchants and consumers stay safe? The Payment Card Industry compliance standard (PCI DSS) was established for just this reason. It sets standards for anyone handling credit card information. However, just because a merchant is able to pass a PCI DSS assessment doesn't mean it is actually secure or even in true compliance.

Security goes well beyond compliance. While PCI is an effective baseline security standard for the safe handling of payment card data, it does nothing to secure an organisation's infrastructure from other, peripheral vulnerabilities or threats. POS attacks such as hardware skimming can be prevented by strong physical security in stores and throughout the POS hardware supply chain. Ultimately, just as athletes are consistently tested for signs of cheating, the point-of-sale environments used by merchants should be rigorously tested to make sure they are secure.
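One check such testing can include, shown here as an added example that is not part of the original post: scan a file the POS application wrote during a test transaction (a debug log or crash dump) for plaintext Track 2 data or bare card numbers, and report only masked hits. The function names and the sample buffer are constructed for illustration.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM, 3-digit service code, discretionary data, ?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# Bare PAN candidates: 13-19 digits that are not part of a longer digit run.
BARE_PAN = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum; rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Show only the first six and last four digits in the report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_plaintext_card_data(buf: bytes):
    """Return (offset, kind, masked_pan) tuples, ordered by offset."""
    findings, track_spans = [], []
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append((m.start(1), "track2", mask(pan)))
            track_spans.append(m.span())
    for m in BARE_PAN.finditer(buf):
        # Skip digit runs already reported as part of a Track 2 record.
        if any(s <= m.start() < e for s, e in track_spans):
            continue
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append((m.start(1), "pan", mask(pan)))
    return sorted(findings)

# Constructed sample resembling a debug log; 4111111111111111 is a widely
# used test number, not a real card.
SAMPLE = (
    b"2016-08-05 10:01:02 auth start\x00"
    b";4111111111111111=25121010000000000?\x00"
    b"order=1234567890123456 ref=4111111111111111 done\n"
)

if __name__ == "__main__":
    for off, kind, masked in find_plaintext_card_data(SAMPLE):
        print(f"offset {off}: {kind} {masked}")
```

Any hit in a file that persists after the transaction means card data outlived the brief authorisation window described above.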


    Copyright Smarttech247 - 2021