What is Card Skimming? How Criminals Steal Card Data at ATMs, Gas Pumps, and Checkouts
Card skimming installs hidden hardware on payment terminals to steal card details the moment a card is swiped or inserted. Here's how it works, where it happens most, and what it means for online merchants dealing with the resulting fraud.
Picture a coffee shop with a hidden camera mounted above the card reader, small enough that no one notices, positioned perfectly to record every card number as it is typed on the PIN pad. The criminals never set foot in the shop again. They retrieve the footage remotely, extract hundreds of card numbers, and sell them before the card holders have any idea something happened.
That is card skimming. Except the camera is a circuit board, and the coffee shop is more likely a petrol station forecourt or an ATM vestibule.
What is card skimming?
Card skimming is the theft of payment card data by installing a hidden device on or inside a legitimate card reader. The device intercepts card details the moment a card is used, copying them without the card holder or the business owner ever knowing.
The stolen data is then used to:
- Clone the card as a physical counterfeit for in-store fraud (using magnetic stripe data)
- Make online purchases with the card number, expiry date, and CVV (card-not-present fraud)
- Sell the data on dark web marketplaces where stolen card details are traded in bulk
The average stolen card number sells for a few dollars. A single well-placed skimmer at a busy ATM can capture hundreds of cards in a weekend.
Where skimmers are found
ATMs
Bank ATMs were historically the most common target, and remain a significant one. A skimmer fits over the card slot and captures the magnetic stripe as the card enters. A separate hidden camera or a PIN pad overlay captures the PIN. Both pieces together allow a criminal to clone a card and use it for cash withdrawals.
Modern skimmers are extraordinarily thin. Some fit inside the card slot itself, invisible to anyone who does not know exactly what to look for.
Petrol station pumps
Fuel pumps in many countries still use older hardware that is easier to tamper with, and the pump cabinets are often unlocked with a single master key that works across thousands of stations from the same manufacturer. Criminals open the cabinet, install an internal skimmer connected directly to the card reader wiring, close it back up, and leave. The skimmer may transmit data wirelessly or be retrieved weeks later on a return visit.
In the United States, petrol pump skimming accounts for a significant share of card fraud. Rural and motorway stations are particularly targeted because they receive less oversight and are visited by a high volume of travellers unlikely to return to dispute a charge.
Point-of-sale terminals
Handheld and countertop payment terminals in restaurants, retail shops, and hotels are physically accessible to criminals who can swap or tamper with a device during a distraction. "POS swapping" involves replacing a legitimate terminal with a pre-compromised clone, or inserting hardware into a legitimate device during a maintenance visit.
This form of skimming requires more access but yields high-quality data from many different card holders who use that specific terminal.
POS terminal skimming often involves insiders. A compromised employee who handles card readers can install or enable a skimmer far more easily than an external attacker. This is one reason PCI DSS requires merchants to inspect payment terminals regularly and log any changes of custody.
What about chip cards?
EMV chip cards significantly reduced magnetic stripe cloning fraud at chip-capable terminals, because each chip transaction generates a unique one-time code that cannot be reused. Cloning the stripe data from a chip card is less useful if the merchant requires the chip to be dipped.
Criminals adapted in two ways:
Shimming: A shim is a thin device inserted into the chip card slot that intercepts some chip transaction data. It is harder to exploit than magnetic stripe skimming, but data from shims can still be used for card-not-present fraud, since online purchases never verify the chip.
Shift to online fraud: The bigger change is that as physical cloning became harder, criminals shifted the use of stolen data toward online purchases. Card-not-present transactions require only the card number, expiry date, and CVV, none of which are protected by the EMV chip. Skimmed data that cannot make a convincing cloned card is still perfectly usable for online fraud.
What skimming means for ecommerce merchants
If you run an online store, card skimming is not your problem directly. No one installs hardware on a web server. But the data that skimmers collect ends up in the online fraud ecosystem, and your store is where that data gets spent.
Card-not-present fraud: Fraudsters use skimmed card numbers to place orders on online stores. They typically use a reshipping service or a drop address to receive the goods. The card holder later disputes the charge, and the chargeback lands on you.
The chargeback math: In card-not-present fraud, the merchant nearly always loses the chargeback. Unlike in-person fraud with a chip card, there is no PIN verification or chip authentication to point to. You shipped the goods and the card holder says they did not authorise it. The card network rules generally find in the card holder's favour.
Fraud velocity spikes: Stolen card data is often tested on small purchases before larger ones. If you see an unusual spike in low-value declined transactions followed by successful orders, you may be seeing a fraud batch working through skimmed card numbers.
Address Verification Service (AVS) and CVV checks are basic fraud filters, but professional fraudsters often have both the billing address and CVV alongside the card number. These checks reduce noise but do not eliminate the risk. The strongest signals are device fingerprinting, velocity rules, and address-to-card holder mismatch analysis.
The connection to Magecart
Physical skimming and Magecart are different attacks, but they supply the same criminal market. Stolen card data, whether captured from a petrol pump in Essex or scraped from a checkout page in Yorkshire, ends up in the same dark web marketplaces, sold to the same fraud operations, and used to make the same kinds of fraudulent purchases at online stores.
This is why payment page security matters even if you run a fully hosted checkout. Your customers' card data is at risk from many directions. A store with weak payment page security is an additional collection point for the criminal ecosystem, compounding the fraud burden that skimmed data already creates.
Read more about how web-based skimming works in our Magecart attack guide, and see whether your payment page has the controls that would stop a digital skimmer from operating on it by running a free scan with our Payment Page Security Checker.
If you want a fuller picture of your payment environment's security posture, including PCI DSS compliance questions around terminal inspection requirements, get in touch.
Technical Overview
Related Articles
What is a Magecart Attack? A Plain-English Guide for Online Store Owners
Magecart attacks quietly steal your customers' card numbers as they type. Here's how they work, why they hit small stores just as often as big ones, and what you can do about it.
What is a Supply Chain Attack? When the Software You Trust Becomes the Threat
A supply chain attack compromises software or services that you depend on, so attackers reach you through a vendor you already trust. Here's how it works, why it's behind many of the biggest breaches, and what ecommerce merchants can do about it.