The PCI SSC just released a document on how to detect and prevent skimming.

Skimming, as the word implies, is capturing data as it passes through a device. That means devices are usually modified so they will copy and record data to unauthorized storage or they will send it out over an unauthorized network connection.

The guide includes many images of skimming devices as well as an easy risk assessment form to help outline potential areas of vulnerability such as physical location, hours of operation, personnel and technology. In a nutshell the advice is the usual “watch for anything suspicious”. This means anything that accepts cards should have a known safe appearance (wires, stickers) as well as a clean/safe space around it. Staff should be trained such that any changes to the appearance or items introduced into the safe space should raise suspicion and be reported.

If you see Tetris running on Chip and PIN terminal, for example, you should not assume all is well with security.

Criminals will try anything to get access to the card data. Have you seen those charity boxes that often sit on a counter near a register? These have been known to be used to place hidden cameras next to a device to record PIN information. Here is another example from the guide: