Card Users at Risk of Physical Attack

Despite many sophisticated measures in place to protect cardholder data during and after a credit or debit transaction, the most likely source of PIN compromise is the simplest.  Referred to as “shoulder surfing” it is the oldest and easiest way for a criminal to obtain your PIN.  Unfortunately, the current payment card security standards have all but abandoned any attempt to protect against this threat.

At its simplest level, shoulder surfing is a surveillance based operation that attempts to observe the entry of a four digit PIN into an ATM or payment terminal keypad.  This method of stealing the PIN presents a real and significant danger to the cardholder.  The perpetrators usually operate in small gangs.  If the ‘surfer’ is able to see (or record on hidden camera) the entry of the PIN, he or she immediately communicates to other members of the gang that the PIN has been obtained.  This sets into motion a ruthless and sometimes violent series of events.  Having identified the target, gang members follow the victim with an intent to rob.  Their objective is to gain physical possession of the card for which they already know the PIN.  In this scenario, failure to screen the PIN from the ‘surfers’ view effectively puts the cardholder at significant risk of robbery and physical attack. 

Simple and effective means of PIN protection exist, but are not currently required by the Payment Card Industry (PCI) Security Standards Council.  Early drafts of PCI mandates for PIN Entry Devices (PED’s) required the installation of a mechanical shield that would prevent this most common cause of PIN compromise.  Surprisingly, complaints from retailers, equipment operators and equipment manufacturers resulted in a watering down of that requirement.  Compliance can now be achieved with only a loosely defined, token effort at protection against ‘shoulder surfing.’  This has resulted in privacy shields that are an ineffective semblance of the originally specified shield.   

It was shocking to see PED manufacturers arguing that the shield originally specified by PCI could not be physically achieved; particularly since Storm Interface and other manufacturers had already developed effective shields.  Even more shocking was how successful industry objections proved in getting these ‘common sense’ provisions watered down or even abandoned.  As the mandating authorities continue to impose ever more sophisticated, technology based security provisions, we should continue to press for re-instatement of the most effective and lowest cost security measure… privacy shields.