
Card Shimming Targets “Chip” Payment Cards

Posted on September 16, 2020 in Credit Fraud & Monitoring, Personal, Personal Resources, Scam Alerts


What is card shimming?

Card shimming is a scam that targets debit and credit cards equipped with EMV chip technology. It is similar to traditional payment card skimming, in which criminals place fake card readers on point-of-sale (POS) systems and ATMs.

The name comes from the paper-thin shim used to capture the data from your card chip. However, card shimming is less common than skimming because it’s much harder to leverage chip data for fraud than magnetic stripe data.

The Move to EMV

In 2012, the payment card industry introduced EMV chip technology (short for “Europay, MasterCard, Visa”) in the United States as a security improvement for credit and debit cards.

Non-EMV cards contain data inside the magnetic stripe, protected by a CVV security code. The big difference between magnetic stripe and EMV cards is that chip data cannot be replicated.

Card skimming has been successful because the magnetic stripe and security code can be cloned to make new cards. However, the move to EMV has helped prevent fraudsters from cloning physical cards simply because chip data is unique to each individual card.

Reports of card shimming first surfaced in Mexico and Arizona. But the first instance of card shimming in North America was discovered by a retailer doing regular checks on their point-of-sale systems.

When the test card did not slide into the machine smoothly, the employees took the machine apart. To their surprise, they found a shim inside the card reader.

Rare, yet still a threat to card-not-present transactions

The nature of EMV technology makes this scam a rarity among most payment card readers. However, the data can still be used in card-not-present (CNP) sales, or purchases made online or over the phone.

While the chip and magnetic stripe hold the same data, they are tied to two separate security codes. Magnetic stripe data is tied to your card’s CVV code, whereas the chip data has its own iCVV code.

Industry standards require card issuers and retailers to check both the chip and magnetic stripe security codes before authorizing a transaction. Therefore, most card readers should be safe from this type of attack so long as they follow the payment card industry’s best practices.

But card shimming can still lead to CNP fraud – such as online or mobile app purchases – where chip and iCVV data are not needed. Older payment card systems and ATMs may also be at risk if they have not kept up with EMV security standards.
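The issuer-side check described in this section, as an added illustration that is not part of the original article: a magnetic stripe clone built from chip data carries the iCVV, so it fails the CVV check. The sketch assumes a simplified Track 2 layout and that the iCVV is derived with service code 999 in place of the card's own; HMAC-SHA256 stands in for the issuer's real algorithm, and the key, card number and function names are constructed.

```python
import hashlib
import hmac

ISSUER_KEY = b"constructed-demo-key"  # constructed; stands in for the issuer's secret key

def verification_value(pan, expiry, service_code, key=ISSUER_KEY):
    """3-digit code bound to PAN, expiry and service code.
    HMAC-SHA256 is a stand-in here, not the algorithm issuers actually use."""
    msg = f"{pan}|{expiry}|{service_code}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"

def parse_track2(track2):
    """Simplified layout (assumption): PAN=YYMM + 3-digit service code +
    discretionary data whose last 3 digits are the verification value."""
    pan, rest = track2.strip(";?").split("=", 1)
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7], "code": rest[-3:]}

def authorize(track2, entry_mode):
    """Issuer decision for card data read via 'chip' or 'magstripe'."""
    f = parse_track2(track2)
    cvv = verification_value(f["pan"], f["expiry"], f["service_code"])
    icvv = verification_value(f["pan"], f["expiry"], "999")  # chip-only code
    if entry_mode == "chip":
        return "approve" if hmac.compare_digest(f["code"], icvv) else "decline: bad iCVV"
    if hmac.compare_digest(f["code"], cvv):
        return "approve"
    if hmac.compare_digest(f["code"], icvv):
        return "decline: chip data replayed as magnetic stripe"
    return "decline: bad CVV"

def sample_tracks(pan="4111111111111111", expiry="2512", service_code="201"):
    """Constructed test data: what the stripe holds vs. what the chip returns."""
    head = f"{pan}={expiry}{service_code}0000"
    return (f";{head}{verification_value(pan, expiry, service_code)}?",
            f"{head}{verification_value(pan, expiry, '999')}")

if __name__ == "__main__":
    stripe, chip = sample_tracks()
    print(authorize(stripe, "magstripe"))
    print(authorize(chip, "chip"))
    print(authorize(chip, "magstripe"))  # a stripe clone built from shimmed chip data
```

The third call is the case this section is about: the same chip data that is valid in a chip read is declined when it arrives as a magnetic stripe read, which only works if the issuer actually compares the code against the entry mode.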

What should I do?

While stealing chip card data is not as easy for fraudsters to pull off, it’s never a bad idea to look before you swipe. Use these tips to help keep your payment cards safe from card skimming and shimming scams:

  • Look for signs of tampering. Avoid using ATMs or card readers that appear damaged or dismantled.
  • Conceal your PIN. Cover the keypad when entering your PIN. Criminals may install small cameras near ATMs to capture your four-digit card PINs.
  • Move to tap-and-go. Many card companies have begun switching to contactless payment to combat POS and ATM tampering.
  • Notify retailers of suspicious card readers. If your card does not go into the machine smoothly, or it gets stuck, the card reader may have been tampered with.
  • Check your financial statements regularly. Contact your financial institution immediately if you notice suspicious transactions or other activities related to your accounts. Although credit card fraud is not the same thing as identity theft, it can often be an indicator that your identity has been compromised.

Meet the Author

John is General Counsel and Chief Privacy Officer of Sontiq, the parent company of the EZShield and IdentityForce brands. He is a Certified Compliance and Ethics Professional through the SCCE and has broad experience in an extensive variety of compliance and regulatory areas, including the FTC Act, UDAAP, Sarbanes-Oxley, GLB, Dodd-Frank, PCI Compliance, FCRA and state level regimes. John has experience as in-house counsel for both private and public companies, providing him with a strong foundation in understanding the needs of business owners of all sizes, as well as the individual consumers who ultimately use and benefit from Sontiq’s intelligent identity security solutions.

