What is card shimming?

Card shimming is a new scam that targets debit and credit cards equipped with EMV chip technology. It is similar to traditional card skimming, where criminals place fake card readers on point-of-sale (POS) systems and ATMs.

The name comes from the paper-thin shim used to capture the data from your card chip. However, card shimming is less common than skimming because it’s much harder to leverage chip data for fraud than magnetic stripe data.

The Move to EMV

In 2012, the payment card industry introduced EMV chip technology (EMV is short for “Europay, MasterCard, Visa”) in the United States as a security improvement for credit and debit cards.

Non-EMV cards contain data inside the magnetic stripe, protected by a CVV security code. The big difference between magnetic stripe and EMV cards is that chip data cannot be replicated.

Card skimming has been successful because the magnetic stripe and security code can be cloned to make new cards. However, the move to EMV has helped prevent fraudsters from cloning physical cards simply because chip data is unique to each individual card.

Reports of card shimming first surfaced in Mexico and Arizona. But the first instance of card shimming in North America was discovered by a retailer doing regular checks on its point-of-sale systems.

When the test card did not slide into the machine smoothly, the employees took the machine apart. To their surprise, they found a shim inside the card reader.

Rare, yet still a threat to card-not-present transactions

The nature of EMV technology makes this scam a rarity among most payment card readers. However, the data can still be leveraged in card-not-present (CNP) sales.

While the chip and magnetic stripe hold the same data, they are tied to two separate security codes. Magnetic stripe data is tied to your card’s CVV code, whereas the chip data has its own iCVV code.

Industry standards require card issuers and retailers to check both the chip and magnetic stripe security codes before authorizing a transaction. Therefore, most card readers should be safe from this type of attack so long as they follow the payment card industry’s best practices.

But card shimming can still lead to CNP fraud – such as online or mobile app purchases – where chip and iCVV data are not needed. Older payment card systems and ATMs may also be at risk if they have not kept up with EMV security standards.

What should I do?

While this scam is rare, it’s never a bad idea to look before you swipe. Use these tips to help keep your payment cards safe from card skimming and shimming scams:

  • Look for signs of tampering. Avoid using ATMs or card readers that appear damaged or dismantled.
  • Conceal your PIN. Cover the keypad when entering your PIN. Criminals may install small cameras near ATMs to capture your four-digit card PIN.
  • Move to tap-and-go. Many card companies have begun switching to contactless payment to combat POS and ATM tampering.
  • Notify retailers of suspicious card readers. If your card does not go into the machine smoothly, or it gets stuck, the card reader may have been tampered with.
  • Check your financial statements regularly. Contact your financial institution immediately if you notice suspicious transactions or other activity related to your accounts.