The new features, which NCR is calling SPS (for "skimming protection solution"), involve two elements. First—and most technically interesting—is a jammer that disrupts a skimmer that has been attached to the front of an ATM. When a motorized card reader pulls a payment card into the ATM, the electromagnetic jammer prevents a skimmer from reading the mag stripe on the card.
The second, more mundane technology is having the card-reading device send diagnostic information to the bank in real time when there's evidence of tampering.
How could any of this help block PINpad skimming? Most PINpads use a simple swipe slot, which makes installing a skimmer easy and jamming it almost impossible. Those motorized NCR ATMs don't read the card's mag stripe until it's safely inside the machine, but the card never goes inside a typical PINpad. That makes the jamming technology useless for most existing PINpads. But the technology that detects whether a skimmer has been attached should be pretty straightforward to adapt to POS devices.
Then again, the swipe slot is already the biggest security hole in the payment-card process. It has one advantage: It's cheap. The fact that it's also unreliable, hard to keep clean and highly prone to skimmer insertion should have sent it the way of the zip-zap machine long ago. Even without a motorized card reader, it should be possible to replace the swipe slot with an insert-and-remove slot that would make skimming harder and jamming effective.
That would also create a single slot for both mag-stripe and EMV chip cards, and start to nudge customers away from the swipe.
That's still the biggest barrier to overcome in moving on from mag-stripe cards. Cost? We thought that would be the problem in supporting more secure cards. But we're now a couple of generations of PINpads past the introduction of both chip-and-PIN and contactless. Many stores have replaced their PINpads twice to add EMV and contactless capability, so that cost is no longer an issue, but the swipe still reigns supreme.
The phone-home element should also be straightforward, and it duplicates something that really should be happening with every network-connected PINpad anyway. The most common non-skimmer attack on PINpads involves a thief disconnecting a POS device on a store's counter and swapping in one that's been tampered with. That event should show up on network logs, but it's only likely to be noticed when (and if) a network administrator gets around to reviewing the logs.
If the PINpad, however, is generating a real-time stream of anti-tampering information, that stream could be sent directly to systems that are paying attention—for example, at a card processor. If a new PINpad unexpectedly shows up at a store, the card processor could flag the device even before the first customer tries to use it. Likewise, if a PINpad detects that a skimmer has been attached, it could notify the card processor, which could notify the cashier immediately.
It's in the interest of card processors to add that kind of monitoring to their services, and that's the logical place to do it. It's already clear that retailers' own network logs aren't checked regularly enough. For smaller chains and individual stores, that may just not be practical. Processors, on the other hand, could check anti-tampering information even with dial-up PINpads.
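The processor-side monitoring described above could look like the following sketch, which is an added example and not NCR's or any processor's actual code. The event fields (`store`, `lane`, `serial`, `tamper`, `ts`), the enrollment table and the 300-second silence limit are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
# Constructed sample data: field names and serials are hypothetical,
# not a real PINpad telemetry format.
ENROLLED = {("store-17", "lane-1"): "SN-A100", ("store-17", "lane-2"): "SN-A101"}
EVENTS = [
    {"ts": 0,   "store": "store-17", "lane": "lane-1", "serial": "SN-A100", "tamper": False},
    {"ts": 5,   "store": "store-17", "lane": "lane-2", "serial": "SN-A101", "tamper": False},
    {"ts": 60,  "store": "store-17", "lane": "lane-1", "serial": "SN-A100", "tamper": True},
    {"ts": 65,  "store": "store-17", "lane": "lane-2", "serial": "SN-Z999", "tamper": False},
    {"ts": 395, "store": "store-17", "lane": "lane-1", "serial": "SN-A100", "tamper": True},
    {"ts": 400, "store": "store-17", "lane": "lane-2", "serial": "SN-Z999", "tamper": False},
]

@dataclass
class Monitor:
    enrolled: dict                     # (store, lane) -> serial the processor expects
    silence_limit: int = 300           # seconds without a heartbeat before alerting
    last_seen: dict = field(default_factory=dict)
    alerted: set = field(default_factory=set)

    def _alert(self, kind, slot, detail):
        key = (kind, slot, detail)
        if key in self.alerted:        # report each condition once, not per heartbeat
            return []
        self.alerted.add(key)
        return [(kind, slot[0], slot[1], detail)]

    def ingest(self, ev):
        slot, out = (ev["store"], ev["lane"]), []
        if ev["serial"] != self.enrolled.get(slot):
            # A device the processor never enrolled is answering on this lane.
            out += self._alert("UNKNOWN_DEVICE", slot, ev["serial"])
        else:
            self.last_seen[slot] = ev["ts"]
        if ev["tamper"]:               # the PINpad itself reports a tamper condition
            out += self._alert("TAMPER", slot, ev["serial"])
        return out

    def check_silence(self, now):
        out = []
        for slot, serial in self.enrolled.items():
            # The enrolled device stopped reporting: unplugged, swapped or offline.
            if now - self.last_seen.get(slot, 0) > self.silence_limit:
                out += self._alert("DEVICE_SILENT", slot, serial)
        return out

def run(events, enrolled, now):
    m = Monitor(dict(enrolled))
    alerts = [a for ev in events for a in m.ingest(ev)]
    return alerts + m.check_silence(now)
```

On the constructed events, lane 1 raises a single tamper alert and lane 2 raises both an unknown-device alert and a silence alert for the enrolled unit it replaced, which is the swap pattern the article describes.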
Whether these technologies will actually show up in PINpads anytime soon depends on the PINpad makers themselves. But now seems like a good time to cram anti-skimming and anti-tampering features into the devices. With an October 2015 deadline from Visa and MasterCard for retailers to be able to handle EMV cards, there will be lots of PINpad refreshes going on (most of them probably at the last minute).
And even though the anti-skimming technology applies only to mag-stripe readers, considering how hard it has been to kill mag stripes in the past, there's every reason to believe mag stripes (and skimming) will still be around for a long time.