What Is Credit Card Shimming?

Quick Answer

Credit card shimming happens when a scammer places a device on a card reader, such as at an ATM or gas pump, to steal data from a card’s microchip.

A woman's hand with red nails inserting credit card to ATM.

Credit card shimming is a technique used by identity thieves to steal credit card data. It's done by placing a small device on a payment terminal that scans your card's microchip and stores card information. Data from the device can then be downloaded and used to commit fraud.

While shimming is a common threat, especially at ATMs and gas stations, you can take steps to prevent it from happening to you.

What Is Credit Card Shimming?

Credit card shimming refers to the theft of data on a card's microchip during a transaction at an ATM or point-of-sale terminal. Debit cards and credit cards alike are susceptible to shimming.

With a shimming device installed on an ATM or point-of-sale terminal, a crook can steal the data contained on your credit card's chip. They then can use the data to create a fake card.

Unless you take apart a machine and look for a shimming device, you likely won't be aware that this device is tucked inside an ATM or point-of-sale terminal. The super-thin shimming device is positioned inside the machine's card reader slot, and is designed to be undetectable to anyone using the terminal. Once the device has shimmed data from unsuspecting cardholders, the crook then pulls the shim out of the machine to retrieve the stolen data.

Where Are Shimming Devices Found?

Shimming devices are commonly found at:

  • Gas pumps
  • ATMs
  • Vending machines
  • Parking meters

Shimming vs. Skimming

Shimming is more sophisticated than skimming, another tactic that thieves use to steal information from a credit card:

  • Skimming happens when devices illegally attached to ATMs, gas pumps and point-of-sale terminals grab card data from magnetic stripes or store card PINs. With this information, a scammer can create phony credit or debit cards.
  • Shimming devices began popping up when card issuers added microchips to complement magnetic stripes. Shimming is a method that scammers use to steal card information from microchips. Nowadays, with the introduction of chip-enabled cards, shimming is the "new" skimming.

In a shimming scheme, a crook steals data found on a card's chip rather than its magnetic stripe. But although the technique is different, the result may be the same—the theft of money from your credit card account or bank account.

Unfortunately, shimming devices are harder to spot than skimming devices. That's primarily because shimming devices are out of sight and are much smaller than skimming devices.

Nonetheless, experts say using a chip-enabled card is a more secure option than using a magnetic-stripe card.

How to Protect Yourself from Shimming

Here are five proactive steps you can take to help protect yourself from shimming:

  1. Use contactless payments. Take advantage of contactless payment methods like Apple Pay, Google Pay and Samsung Pay.
  2. Pay inside. At a gas station, pay for your fill-up inside the station rather than at the pump.
  3. Turn to bank-owned ATMs. Try to use a bank-owned ATM rather than a non-bank ATM. Non-bank ATMs, such as those you might find at convenience stores, may not be as secure as those operated by financial institutions.
  4. Look for a safer ATM. Crooks tend to install shimming devices in ATMs in poorly lit, less public places. Therefore, you should try to conduct your business at ATMs in well-lit public places.
  5. Watch the card slot. Pay attention to how easily your card fits into a card reader slot. If it's difficult to slide your card into the slot, be suspicious. This might mean a crook placed a shimming device inside the card reader.

What to Do if You're a Victim of Credit Card Shimming

While you may have taken the right steps to prevent card shimming, you still might become a victim. So, what do you do if that happens?

  • Contact the card issuer right away. As soon as you're aware that your credit or debit card has been shimmed, reach out to the card issuer or bank.
  • Set up fraud alerts. You have the right to request a free fraud alert through Experian or the two other major credit bureaus (Equifax and TransUnion). A fraud alert asks creditors to verify your identity before issuing new credit in your name.
  • Keep an eye on your accounts. Review your credit card and bank statements to see if any suspicious transactions show up.
  • File a report with the Federal Trade Commission (FTC). Visit the FTC's IdentityTheft.gov website to submit a report about suspected shimming.

The Bottom Line

Scammers are always looking for a way to make a quick buck. One of their favorite methods is credit card shimming. By installing a shimming device at a gas pump, for instance, a thief can steal data from a card's microchip and then create a fake card. If you suspect you've been the victim of a shimming scheme, take action as quickly as possible—it may spare you further distress.