Pay-at-the-Pump Fraud Grows
Expert: Transaction Authentication Would Curb Trend
The Arizona spree is just one of many such attacks striking self-service petrol payments across the U.S. Earlier this month, police in West Covina, Calif., launched a public awareness campaign about card skimming, after skimming devices were discovered at two separate gas stations. [See More Pay-at-the-Pump Skimming.]
Last year, police in Florida took their awareness campaign against skimming a step further, suggesting consumers avoid using pay-at-the-pump terminals altogether, opting instead to pay inside, with cash.
Gray Taylor, a security and compliance expert with the National Association of Convenience Stores, better known as NACS, says pay-at-pump skimming incidents account for a relatively low percentage of card compromises. But public awareness and media attention have fueled concerns about a problem the retail and financial industries have been trying to battle for years.
"Most convenience stores are concerned about pay-at-the-pump skimming," Taylor says. "But they can only focus on so much."
Taylor says industry standards have diverted attention from pay-at-the-pump and instead forced merchants to focus on network security, called for by the card brands and the Payment Card Industry Data Security Standard, within their stores.
"There are 900,000 pay-at-the-pumps out there, and, literally, I have four keys in my desk that will open up every dispenser in the United States that has not been upgraded," Taylor says. "Today, you can buy new dispensers that have unique keys. The problem is doing something with the dispensers that are out there; getting these guys to upgrade."
The industry has known for years that pay-at-the-pump terminals are easy targets for skimming. The continued and widespread use of universal access keys, which are used to open pay-at-the-pump enclosures, is to blame. [See Pay-at-the-Pump Card Fraud Revs Up and Pay-At-The-Pump Skimming - a Growing Threat.]
"We recommend these operators use security tape, to easily see if the enclosure has been tampered with; and we're encouraging those who can't afford to upgrade to rekey their dispensers," Taylor says. "Those are the two lowest-hanging fruits."
Addressing Card Fraud at the Pump
In March, NACS launched its WeCare Decals, tamper-evident labels that aim to help retailers quickly identify potential security breaches. NACS also launched an awareness campaign that focuses on steps retailers can take to protect cardholder data at the pump. [See Skimming Concerns? Here's What You Need to Know.]
NACS' tips for POS security:
- Conduct daily inspections of card readers, PIN pads and unattended terminals.
- Be on the lookout for suspicious activity around pumps.
- Communicate with police.
But card issuers have been critical of the convenience store industry, saying until the use of unique codes or keys for entry at individual devices becomes widespread, skimming at gas pumps will continue. Bankers also suggest that until liability for card fraud linked to skimming is put back on merchants, the industry will have little incentive to invest in technology and upgrades. [See Michaels Breach: Who's Liable?]
Taylor says that's a misnomer. "[Card] Issuers are paying for half the fraud," he says. "Merchants are paying half of the fraud. The only people I know who aren't paying for the fraud are Visa and MasterCard."
Taylor estimates that the average convenience-store operator pays about $900 annually in charge-backs for fraudulent card transactions not addressed by PCI.
"I can see where the banks are frustrated," he says. "But there has to be a middle ground. The average convenience store paid about $9,200 to become PCI [compliant], and that did nothing for the pay-at-the-pump problem; there is nothing about dispensers in PCI. That's why we're trying to get some rational point-to-point encryption. Even though PCI did not say anything about it, we are telling operators it's not about compliance; it's about risk reduction."
Jeremy King, European regional director for the PCI Security Standards Council, says the PCI PTS standard encompasses unattended terminals, such as pay-at-the-pump, and security guidance for merchants is included in the standard. King also points to emerging technology, saying, "There are anti-skimming devices now becoming available that can detect the presence of a skimming device, because a lot of the skimmers these days, they tend to transmit the data," even if they are installed inside terminals, hidden from view. [See An End to Pay-At-The-Pump Skimming?]
Taylor adds that if all of the fraud is turned back on the merchants, merchants will simply take pay-at-the-pump away. The better and most immediate solution, he says, is requiring that every transaction be authenticated, with a PIN. "Signature debit, we know, has more fraud. If it were up to us, we'd have done this a long time ago. It comes down to authenticating the transaction."