blank

New Criminal Provision Prohibiting the Possession of Skimming Devices

The North Carolina legislature recently passed S.L. 2021-68 which amends the existing financial transaction card theft statute to include knowingly possessing, selling, or delivering a skimming device.

What Is Skimming?

Skimming is a type of credit card theft where criminals use a small device to steal credit card information during an otherwise legitimate credit or debit card transaction. When a credit or debit card is swiped through a skimming device, the device captures and stores all the details stored in the card’s magnetic strip, including the card number, expiration date, and the card holder’s full name. Thieves use the stolen data to make fraudulent charges either online or with a counterfeit credit card.

Skimming devices are most commonly installed on ATMs, point-of-sale (POS) terminals, or fuel pumps. Fuel pump skimmers are usually attached in the internal wiring of the machine and aren’t visible to the customer. ATM skimmer devices usually fit over the original card reader. Pinhole cameras also are installed on ATMs. They record a customer entering their PIN; the camera placement varies widely. In some cases, keypad overlays, which record a customer’s keystrokes, are used instead of pinhole cameras to record PINs. The data collected by the skimming device is downloaded or wirelessly transferred later.

Skimming device fit over original card reader

Keypad overlay

Existing Law

Before the enactment of S.L. 2021-68, the financial transaction card theft laws did not explicitly include skimming devices. G.S. 14-113.8 provides a definition of “scanning device,” which means a scanner, reader, or any other device that is used to access, read, scan, obtain, memorize, or store, temporarily or permanently, information encoded on a financial transaction card. This definition presumably encompassed skimming devices because they serve the same functions.

Under G.S. 14-113.9(a)(5), a person is guilty of financial transaction card theft when the person, with the intent to defraud any person, either (i) uses a scanning device to access, read, obtain, memorize, or store, temporarily or permanently, information encoded on another person’s financial transaction card, or (ii) receives the encoded information from another person’s financial transaction card. This provision implicitly prohibited the use of skimming devices.

There are plenty of legal scanning devices readily available and widely used, such as merchant card readers and point-of-sale (POS) terminals. These systems allow a customer to swipe, tap, or insert a card to process payments at retail locations. For this reason, scanning devices are only illegal when used with the intent to defraud. Skimming devices, on the other hand, are incapable of processing financial transaction card information in a transaction with a merchant. They serve no legitimate function. Thus, their use will typically involve an intent to defraud under current law.

Why a New Law?

I see two reasons for the new law. First, it removes any ambiguity about whether skimming devices are covered under the definition of scanning device under current law. Second, mere knowing possession of a skimming device will be a crime since it serves no legitimate purpose. Scanning devices will continue to be defined separately so that mere possession, without an intent to defraud, will remain lawful.

Under new G.S. 14-113.9(a)(6), a person will be guilty of financial transaction card theft if the person

  • knowingly
  • possesses, sells, or delivers
  • a skimming device.

The new provision includes some exceptions. It does not apply to an employee, officer, or agent of any of the following while acting within the scope of the person’s official duties: a law enforcement agency; state or federal court; agency or department of the state, local, or federal government; and a financial or retail security investigator employed by a merchant.

New G.S. 14-113.8(11) contains a definition of prohibited skimming devices. It is:

A self-contained device that

  • is designed to read and store in the device’s internal memory information encoded on the computer chip, magnetic strip or stripe, or other storage mechanism of a financial transaction card or from another device that directly reads the information from a financial transaction card and
  • is incapable of processing the financial transaction card information for the purpose of obtaining, purchasing, or receiving goods, services, money, or anything else of value from a merchant.

The law amends the existing definition of “scanning device” to specifically exclude a skimming device. Offenses committed on or after December 1, 2021 will be punishable as a Class I felony in line with the other methods of credit card theft and fraud.

If you have any questions about the application of these new provisions, please feel free to email me at bwilliams@sog.unc.edu.