Fuel pumps have long been a favorite target of identity thieves. Now, with the introduction of more secure chip card transactions at many retailers, they’ve become an even more popular source of stolen credit card information. What can operators do to keep their businesses and the millions of Americans nationwide who fill up every day safe from fraud?
A recent article on CreditCards.com has dubbed 2016 “The Year of the Gas Station Skimmer”, a small electronic device used by criminals to obtain information from scanned and stored card data from the magnetic stripe of a credit card. Skimming technology has advanced considerably, enabling fraudsters to install difficult-to-detect devices the size of a small thumb drive at the pump to prey on unsuspecting customers using vulnerable magnetic stripe payment cards.
The Wall Street Journal recently reported on why gas stations specifically are at special risk of being targeted. “The crime wave has been driven by the flood of stolen credit card data easily accessible online, much of which was swiped in high-profile breaches. . . Gas stations make easy targets for those who want to make fraudulent purchases using stolen numbers, since pumps are usually unattended,” it notes. “In addition, law enforcement officials say it is increasingly common for crooks to rig pumps with ‘skimming’ devices, which capture data from the magnetic strip on customers’ cards. Thieves can use that data to create counterfeit cards.”
According to the
National Association of Convenience Stores (NACS), approximately 39 million Americans fuel their vehicles every day, and 29 million of them pay for their purchase with a credit or debit card. A skimmer installed on just one pump can capture account information from 30 to 100 cards per day. As long as the device goes undetected, thousands of accounts are jeopardized.
In late 2015, Conexxus — NACS’ non-profit technology and standards arm — held a webinar entitled “Defending the Island” that dealt with this specific issue. According to webinar moderator Kara Gunderson of Citgo Petroleum Corp., “The devices are being found at small merchants, large merchants, urban, rural, new and old convenience stores, so nobody is exempt.”
The second major factor contributing to fraud at the pump is that fact that most fueling stations have not yet begun the transition to EMV®-capable technology that can process more secure chip cards. Unlike retailers who faced an October 2015 deadline, the liability shift deadline for automated fuel dispensers is October 2017. The extension gives gas stations two extra years to comply due to the cost and time required to replace the payment terminals and have them re-certified by state officials.
In the meantime, Conexxus advises gas station operators to take the following precautions to help prevent thieves from installing skimmers and to protect the customers:
- Change the locks on gas pumps.
- Use and track pump security seals located near the credit card reader. If the pump is opened, the label will read “void”, indicating that tampering has occurred.
- Shut down and bag suspect pumps, and have them checked for skimmers.
- Inspect pumps on a daily basis.
“There’s no excuse for a merchant to get skimmed,” Conexxus Executive Director Gray Taylor told CreditCards.com. “Our theory is, if we have one skimmer in the industry, it’s too much.”
EMV is a registered trademark or trademark of EMVCo LLC in the United States and other countries. www.emvco.com.