Card Skimmers: How to Detect Them and What to Do Next

Card skimming remains one of the most common and financially damaging forms of payment fraud in retail and food service environments. A skimmer is an unauthorized device attached to or inserted into a legitimate payment terminal to capture card data — account numbers, expiration dates, and in some cases PINs — without the cardholder or the merchant knowing.

Skimmers have become smaller, harder to detect, and increasingly sophisticated. What once required a visibly bulky overlay on an ATM card slot can now be a paper-thin circuit board inserted inside the terminal housing, invisible to staff and customers. For multi-location operators managing hundreds of payment devices, the risk is proportional to the fleet size — and the consequences of a skimming incident extend well beyond the immediate financial losses.

How Skimmers Work

Skimming devices capture card data at the point of interaction — the moment the card is dipped, swiped, or tapped. The most common types fall into three categories.

Overlay skimmers sit on top of the terminal’s existing card reader. They are designed to match the appearance of the terminal so that staff and customers do not notice the addition. When a card is inserted or swiped, the skimmer reads the magnetic stripe or chip data before passing it through to the legitimate reader. The transaction processes normally, and neither the cardholder nor the merchant has any indication that data has been captured.

Internal skimmers are installed inside the terminal housing, typically by someone who has gained brief unsupervised access to the device. These are significantly harder to detect because there is no visible change to the terminal’s exterior. Internal skimmers intercept data from the card reader’s circuitry and store it locally or transmit it wirelessly.

PIN capture overlays are placed over the terminal’s keypad to record the PIN as the cardholder types it. When combined with a card data skimmer, the attacker has everything needed to produce counterfeit cards and withdraw cash. Some sophisticated devices capture both card data and PINs in a single integrated unit.

What to Look For

Detecting skimmers requires a combination of physical inspection, awareness, and routine. No single check catches every variant, but a consistent inspection protocol significantly reduces the window of opportunity for attackers.

Start with the card slot. Does it look and feel the same as other terminals of the same model in your fleet? Overlay skimmers often introduce slight differences in color, texture, alignment, or thickness. If the card slot feels loose, protrudes further than normal, or does not match the profile of an identical terminal, that warrants investigation.

Check the housing. Are all screws present and undamaged? Are there signs of prying, scratching, or adhesive residue around seams? Internal skimmers require the housing to be opened, and even careful installation can leave traces. Tamper-evident seals or stickers — if used — should be intact and show no signs of removal or reapplication.

Examine the keypad. Does it feel normal when keys are pressed? Overlay keypads can feel spongy, slightly raised, or different in resistance compared to the original. If the keypad feels unfamiliar to staff who use it daily, take the terminal out of service and inspect it.

Look for anything unexpected: additional wiring, components that do not match the terminal’s standard build, unusual devices near the terminal (which may be wireless receivers), or Bluetooth signals from unknown devices in the area. Some modern skimmers transmit data via Bluetooth to a nearby collection device — a phone or small receiver within range.

Compare terminals across locations. Consistency is a powerful detection tool. If one terminal in a fleet of identical devices looks, feels, or behaves differently from the others, that inconsistency deserves attention.

Building a Detection Routine

The most effective defense against skimmers is a regular, documented inspection schedule. Staff at each location should inspect payment terminals at defined intervals — daily for high-traffic environments, weekly at minimum. The inspection should follow a standardized checklist that covers the card slot, housing, keypad, cabling, and any tamper indicators.

Inspections should be logged. A simple record of who inspected which terminal, when, and what they found creates accountability and provides evidence of due diligence if an incident occurs. It also helps identify patterns — if a specific location or terminal type is targeted repeatedly, the security response can be adapted.
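
One way to audit such an inspection log, as an added example rather than code from the original article. The CSV layout, terminal IDs, and the `audit` function are assumptions made for illustration; the script flags terminals overdue for inspection, inspections with skipped checklist items, and repeated suspect findings per terminal.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Checklist items named in the text; each must be recorded as "ok" or "suspect".
CHECKS = ("card_slot", "housing", "keypad", "cabling", "tamper_seal")
# Assumed thresholds: daily for high-traffic sites, weekly at minimum otherwise.
MAX_GAP = {"high": timedelta(days=1), "normal": timedelta(days=7)}

# Constructed sample log (not real data): one row per inspection.
SAMPLE_LOG = """\
timestamp,location,terminal_id,traffic,inspector,card_slot,housing,keypad,cabling,tamper_seal
2024-05-01T08:00,store-12,T-1001,high,alice,ok,ok,ok,ok,ok
2024-05-03T08:05,store-12,T-1001,high,alice,ok,ok,ok,ok,ok
2024-05-02T09:00,store-12,T-1002,high,bob,ok,suspect,ok,ok,suspect
2024-05-03T09:10,store-12,T-1002,high,bob,suspect,ok,ok,ok,ok
2024-04-20T10:00,store-40,T-2001,normal,carol,ok,ok,ok,ok,ok
2024-05-02T10:00,store-40,T-2001,normal,carol,ok,ok,,ok,ok
"""

def audit(log_text, now):
    """Return (overdue, incomplete, suspect_counts) for an inspection log."""
    last_seen, traffic = {}, {}
    incomplete, suspects = [], Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        tid = row["terminal_id"]
        ts = datetime.fromisoformat(row["timestamp"])
        traffic[tid] = row["traffic"]
        last_seen[tid] = max(ts, last_seen.get(tid, ts))
        results = [row[c].strip().lower() for c in CHECKS]
        if any(r not in ("ok", "suspect") for r in results):
            incomplete.append((tid, row["timestamp"]))  # a checklist item was skipped
        if "suspect" in results:
            suspects[(row["location"], tid)] += 1  # count inspections, not items
    # A terminal is overdue when its latest inspection is older than its allowed gap.
    overdue = sorted(
        t for t, ts in last_seen.items()
        if now - ts > MAX_GAP.get(traffic[t], MAX_GAP["normal"])
    )
    return overdue, incomplete, dict(suspects)

if __name__ == "__main__":
    overdue, incomplete, suspects = audit(SAMPLE_LOG, datetime(2024, 5, 4, 9, 0))
    print("Overdue terminals:", overdue)
    print("Incomplete inspections:", incomplete)
    print("Suspect findings per terminal:", suspects)
```

A terminal with more than one suspect finding, or a location where several terminals show findings, is the kind of pattern the log is meant to surface.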

Staff training is essential. Employees who interact with payment terminals daily are the first line of detection, but only if they know what to look for. Training should include visual examples of skimming devices, a clear procedure for reporting suspicious findings, and the explicit instruction that a suspect terminal should be taken out of service immediately — not left in operation while someone investigates.

What to Do When a Skimmer Is Found

The immediate priority is containment. Remove the terminal from service. Do not attempt to remove the skimming device — it may contain evidence that law enforcement will need, and handling it could compromise forensic analysis.

Notify your payment processor and acquiring bank. They will initiate their own fraud investigation and may issue alerts to cardholders whose data may have been compromised. Timely notification limits the window for fraudulent transactions and demonstrates that the merchant acted responsibly.

Report to law enforcement. Card skimming is a federal crime in most jurisdictions. Filing a report creates an official record and may contribute to broader investigations — skimming operations often target multiple merchants across a region.

Engage your managed service or technology partner. NewBold has an extensive history of working with customers who have been victimized by skimmers, partnering with them to assess the broader fleet, identify additional compromised devices, and implement hardening measures to reduce the risk of recurrence. Field service teams with hands-on experience in skimmer detection can identify compromise indicators that internal staff may miss.

Document everything: photographs of the device, the terminal, and the location; a timeline of discovery; the names of staff involved; and the actions taken. This documentation supports the fraud investigation, satisfies PCI incident reporting requirements, and informs the security improvements that should follow.

It is worth noting that even with thorough investigation and effective mitigation, skimming incidents always carry a material cost and ongoing security risk. Recovery involves forensic investigation, card reissuance coordination, potential regulatory reporting, and the operational disruption of securing and replacing affected devices. The financial and reputational impact reinforces why staying vigilant with prevention is so critical — the cost of a robust inspection and hardening program is a fraction of the cost of a single skimming incident at scale.

Prevention and Hardening

While detection is essential, prevention reduces the opportunity for skimmers to be installed in the first place. Physical security measures include tamper-evident seals on terminal housings, security brackets or mounts that prevent unauthorized removal, and restricted access to terminal internals.

Chain of custody matters from the moment a device is procured. Terminals that pass through multiple handlers before reaching the store — manufacturer, distributor, third-party key injection facility, staging warehouse, shipping carrier — create opportunities for tampering at each handoff. Consolidating procurement, key injection, staging, and deployment through a single partner with a documented chain of custody reduces this attack surface.

Encryption provides the final layer of defense. Payment terminals with properly injected encryption keys protect cardholder data even if a skimmer captures the raw card interaction. Point-to-Point Encryption (P2PE) and End-to-End Encryption (E2EE) solutions ensure that captured data is encrypted from the moment of card interaction, rendering it useless to an attacker without the decryption keys.

For more on how key injection, terminal hardening, and chain-of-custody controls protect payment devices, see the full Key Injection & Payment Device Security Guide.