Visa Targets Pay-at-Pump Card Fraud

Experts: New Analytics Service Shows Fraud-Detection Promise
Visa Targets Pay-at-Pump Card Fraud

Visa's new intelligent analytics service aims to help gas stations and convenience stores reduce pay-at-the-pump card fraud.

See Also: Mitigating Identity Risks, Lateral Movement and Privilege Escalation

But fraud experts say the service, known as Visa Transaction Advisor, also could help reduce fraud associated with other types of card transactions. And it may help bridge the security gap until the migration from magnetic-stripe cards to chip-based technology.

"We think there are a number of additional places where this could work to reduce fraud and to provide risk intelligence," says Mark Nelsen, head of risk products and business intelligence at Visa.

This service is not offered free of charge. Merchants sign up for Visa's analytics through their acquiring institutions.

The pilot is now over, and Visa is in the first phase of its rollout, Nelsen says. Because Visa is selling the service to acquiring institutions, merchants interested in the service should contact their acquirers to find out if and when they can enroll.

How it Works

The service works simply, Nelsen explains. "When the consumer swipes their card at the gas station, that data is sent to Visa."

Visa analyzes the cardholder data to determine if the card may have been compromised in a breach or reported stolen. Nearly 500 other pieces of data are simultaneously pulled together to create a risk score at the time the card is swiped.

If the risk of the card surpasses the threshold set by the merchant, the transaction is paused and the cardholder is asked to see the store attendant to complete the transaction.

Beyond the Pump

Card-not-present transactions processed by e-commerce merchants, which also are prime targets for fraudulent transactions, could benefit from this type of analytics as well, Nelsen says. Like self-service gas pumps, e-commerce sites are often plagued by fraudulent transactions linked to stolen card data.

But the unattended environment poses unique risks, says Gray Taylor, executive director of Conexxus, a member-based technology consortium dedicated to developing standards for the convenience store and petrol market. And because gas station retailers are liable for the losses that result from fraudulent self-service transactions, Visa is focused on trying to help gas stations reduce their fraud losses first.

"I think Visa is really taking a good solid look at addressing white-card fraud," which results when stolen card data is used to make fraudulent purchase, Taylor says. "It doesn't get a lot of publicity, but there are hundreds of millions of dollars in fraud that go through fuel dispensers because we don't use a PIN."

Because most gas purchases at self-service pumps have minimal authentication, fraudulent fuel purchases have become as fundable as cash, he says.

"You get guys that walk in with a stack of white cards, and they'll literally just stay at the pump and pump out diesel, filling up [portable] gas cans that they take down the road and sell for 30 percent less than what the gas station is selling it for. I had one guy whose station was losing $200,000 a month this way. And it never gets a lot of press, because it's not a huge a consumer abuse; the merchant absorbs the cost."


Visa's Mark Nelsen on why gas pumps are prime targets for fraud, and thus a focus for Visa's new service.

Chevron, which began piloting Visa's service in late January at 300 stations, saw a 23 percent reduction in its rate of fraud chargebacks within just a few months, Nelsen says.

Requests for comment from card brands MasterCard, American Express and Discover about Visa's new program, and whether their networks are offering similar services, were not received by the time this story posted.

Bridge to EMV?

While fraud rates for gas-pump transactions are not reported by the card brands, financial fraud expert and distinguished Gartner analyst Avivah Litan estimates fraud at self-service pumps is three to four times higher than it is at the average point-of-sale.

"Older gas pumps are also easily skimmed," she says. "And gas stations are prime targets of fraudsters because gas pumps are unattended. Gas pumps are often used to test stolen cards."

Litan notes that fraudsters often use unattended self-service pumps to buy gas with stolen cards that they later sell to truck drivers who don't want to pay for full price for their fuel.

"Visa and MasterCard are both busy trying to innovate fraud-detection services for merchants, and this is just one more example of this," Litan says.

While the fraud liability shift for most merchants that have not yet upgraded their POS terminals to accept chip cards that conform to the Europay, MasterCard, Visa standard, better known as EMV, is October 2015, the shift date for gas-pumps is not until 2017. Nelsen says Visa's service aims to help insulate gas retailers until 2017, as they are likely to be increased targets for fraud once EMV is rolled out elsewhere.

Taylor says Visa realizes the full rollout of EMV at gas pumps will likely take 10 years, and the intelligence analytics service is a way to ensure the gap is bridged.

"What Visa is doing is admitting that it's going to take some time," Taylor says.

But charging merchants for the service will likely receive some pushback, Taylor and Litan agree.

"Some gas station owners will prefer not to pay Visa [through their acquiring banking institutions] any extra fees for this service," Litan says. "Many large gas station operators have found that by just prompting the cardholder for their zip code they have been able to substantially reduce fraud by at least the same amount claimed by the Visa pilots."

A Complementary Offer?

But Shirely Inscoe, a financial fraud expert and analyst for consultancy Aite, says fuel merchants should focus more on the bigger picture of fraud reduction.

"EMV is still in the future, and these losses are happening regularly now," she says. "It would be foolish for Visa to withhold such an effective solution just because EMV is coming. Over time, with more transactional data, this solution is likely to become even more effective."

And while EMV is definitely coming to the U.S., fraudsters will figure out ways to get around it, Inscoe adds. "Multiple layers of security will always be warranted, so Visa is not making any particular statement with this new product except that they want to help reduce fraudulent transactions in the network. Hopefully, they will expand this capability to other merchants or services, as appropriate."


About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.