A new report from KrebsonSecurity analyzed the recent gas pump skimming device activity in New York, which compromised customer credit card information at three different gas stations just this month. Gas stations are one of the last retailers to incorporate EMV technology into their pumps, leaving their terminals more vulnerable to theft. In December, Visa adjusted their deadline from 2017 to 2020 for all fuel stations to adapt this technology, delaying the shift even further.
U.S. retailers have been adopting EMV technology (otherwise known as the “chip” card) exponentially every year. EMV cards contain an embedded microchip which provides an extra layer of security on consumer data. Every time an EMV card is used for payment, the chip (unlike the magnetic strip) creates a unique transaction code that cannot be re-used. As of March, 600 million chip cards have been issued to American consumers. MasterCard reports counterfeit fraud (in terms of U.S dollars) has dropped by over 60-percent since enabling EMV technology.
Although slow to start, the shift for fuel makers towards EMV technology has officially began, with the first fuel pump making company in the U.S. successfully installing a chip card reader in their pumps.
Gilbarco, based in Burlington, N.C. announced in June the first EMV chip card transaction from a fuel dispenser. Many gas stations provide EMV terminals inside their stores, but fail to include them on the actual gas pumps outside. This year, we’ve seen hackers seize the opportunity to infect gas pumps with credit card skimming devices, targeting the magnetic stripe on customer’s cards.
The cost and physical installation of the terminals have been the biggest pains for gas stations looking to implement EMV technology. According to Gray Taylor, executive director of Connexus, about a third of the 750,000 pump dispensers are too old and would need to be replaced in order to accept chip cards. The average price for a replacement unit? $17,000 – and that’s not including the price of new hardware and software gas stations may have to install in order to support EMV.
Jared Scheeler, managing director of The Hub Convenience Stores Inc., stated it had cost his chain of four North Dakota convenience stores $134,000 to install point-of-sale and pump devices that accept EMV transactions. Overall, convenience stores and gas stations would have to spend over $7 billion to integrate EMV technology into their machines.
Another challenge that lies within gas station’s quest for EMV is a federal regulation, which requires a technician to perform a safety check each time a gas station replaces a fuel-dispenser. The technicians licensed to do this are short in supply, and may give priority to large retailers over small stores.
These challenges are a few of the reasons Visa has extended its deadline for all fuel stations to revamp their pumps. But what’s at stake for gas stations? Skimming, vulnerabilities and data threats widen without the usage of EMV.
Merchants of Visa who are EMV-enabled saw a 43-percent decline in counterfeit fraud, which would likely carry over to gas stations. According to Bloomberg, fuel retailers currently see about $250 billion in fraud annually. KrebsonSecurity said gas station skimming fraud makes up for 1.3 percent of total U.S. card fraud – and in August 2016, certain stations saw more skimming in a single month than the entire prior year. As other payment outlets and terminals become more secure, it’s probable to suspect fraudsters to harp on weak and unprotected POS terminals.
To mitigate fraud with three years to go before the liability shift, Visa and MasterCard have introduced fraud prevention tools, such as the Visa Transaction Advisor, which has been “particularly successful in driving fraud lower at fuel dispensers,” according to a Visa spokesperson.
Gas pumps would potentially benefit most from EMV’S anti-fraud technology, as they’re unattended devices, but it’s important to remember that EMV is only a piece of the complete security puzzle. In the meantime, merchants are focusing on the use of tokenization and point-to-point encryption (P2PE) - both methods which bolster security. With P2PE, customers’ payment data is encrypted instantly at point of capture, and is protected throughout the complete lifecycle of a transaction. Tokenization assigns random values to payment data, making it almost impossible for hackers to access the data itself.
Do you have a payments trend or regulation you want us to look into? Drop us a line in the comments and we would be happy to help.