Experts are saying that U.S. gas stations should brace for upticks in pay-at-the-pump skimming attacks. These attacks are expected to surge between now and the end of 2016, as fraudsters shift from physical points of sale toward unattended self-service terminals, such as self-serve gas pumps and ATMs.
Why this change? While the EMV fraud liability shift for physical point-of-sale devices in the U.S. took effect in October 2015, the liability shift for self-service gas pumps does not take effect until October 2016 for MasterCard and October 2017 for Visa. October 2017 is also the date set by both card brands for EMV fraud liability shifts at U.S. ATMs. This makes attaching credit card “skimmers” to these unattended devices a very attractive option to fraudsters. Bluefin’s PCI-validated P2PE security solutions can help protect card data in the event of certain types of skimming attacks.
What Exactly is Skimming?
Skimming is essentially stealing credit card data through the use of devices that capture account data anywhere a card is swiped; the skimming devices (also called skimmers) read the magnetic stripe on a credit or debit card and can easily store card information and a PIN number. Once someone has this data, it’s simple to make counterfeit cards to withdraw money from ATMs or sell credit card information on the black market.
These devices are easy to install, especially because many gas station pumps can be opened with the same few master keys, making it simple for fraudsters to open the pumps and insert skimming hardware. Skimmers of the old days were external devices placed over the real card readers, PIN keypads or both. When a customer inserts their card or enters a PIN, the device saves the information. These external pieces are easier to install, but also, thankfully, easier to spot.
However, fraudsters are getting more sophisticated with their skimming attacks and there’s been a rise in wireless skimmers. These types of skimmers are hidden internally in the pump and extract credit card data wirelessly. This way crooks don’t have to retrieve the device to get the account information — they can sit miles away and download everything to a laptop.
“Unattended, and especially older, self-service gas pumps are, and have always been, a very attractive target for criminals,” says financial fraud expert Avivah Litan, an analyst at consultancy Gartner. “And they will become increasingly attractive, as these will be some of the last payment acceptance devices to be upgraded to EMV in the U.S.”
Pump Protection is Key
So if there will be an increase in skimming attacks against self-serve gas pumps as EMV continues to roll out, how can merchants protect themselves? There are several physical steps retailers can take to mitigate risks:
1. Pump inspection
External skimming devices are designed to be attached and removed quickly, so they often aren’t attached to pumps securely. Tug on card readers and PIN keypads to determine if they’re real or fake. Skimming devices should pop right off.
Internal skimmers are usually installed at the pumps farthest from the view of the counter clerk. Take photos of how the inside of a pump should look and have employees compare them to the real thing a few times a day. Daily inspections will uncover skimming technology that shouldn’t be there.
Also keep an eye out for small cameras installed to capture PIN numbers and anything else that makes one pump look out of place compared to the others.
2. Use tamper-evident labels on pump face plates
Add red anti-tampering tape across all pump openings to discourage crooks from installing internal skimming hardware. The tape also makes it easy to tell when a pump has been broken into. If the tape is removed or tampered with in any way, it will show “void” text across it, alerting employees and customers to possible problems.
3. Install new pumps
Though the first two methods identify when a card skimmer has been installed, they don’t prevent installation. And though catching the devices sooner protects future customers from having their account data compromised, it doesn’t do anything for the customers who swiped their cards before the devices were found.
A more effective option is to install new pumps that contain anti-tampering devices, credit card chip readers, and P2PE.
P2PE at the Pump
Bluefin’s PCI-validated Point-to-Point Encryption (P2PE) encrypts all data within an approved credit card point of entry swipe or keypad device. This prevents clear-text cardholder data from being available in the device or in the system, where it can be exposed to malware and become compromised.
So how does P2PE help with skimming? Thieves who attempt to skim wirelessly will get no clear-text data. While they may be able to install the devices to wirelessly skim, the output of their efforts will be useless. P2PE is the epitome of devaluing card data.
P2PE, however, cannot help with skimmers attached over the pumps, as these devices are designed to be “dummies” that consumers insert their cards into. In the case of physical skimmers, merchants must be diligent in checking their pumps on a consistent basis.
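A merchant or integrator can verify the claim above by scanning what a reader sends to the pump controller for clear-text magnetic-stripe data. The following is an added example, not Bluefin's code: it searches a capture for ISO/IEC 7813 track 2 records with a Luhn-valid card number. The framing bytes, the sample swipe and the stand-in cipher are constructed for illustration; the overlay case described above is outside what this check can see, because an overlay reads the stripe before the reader encrypts it.

```python
import hashlib
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM + service code + discretionary data?
TRACK2 = re.compile(rb";(\d{12,19})=(\d{4})(\d{3})\d*\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 48  # ASCII digit to int
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cleartext_track2(capture: bytes) -> list[str]:
    """Return masked PANs for every Luhn-valid track 2 record in a capture."""
    hits = []
    for m in TRACK2.finditer(capture):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append(pan[:6].decode() + "*" * (len(pan) - 10) + pan[-4:].decode())
    return hits


def standin_encrypt(data: bytes, key: bytes) -> bytes:
    """Placeholder for encryption inside the reader (SHA-256 keystream XOR).
    Illustration only; a validated P2PE device uses its own approved scheme."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed sample: well-known test PAN, made-up expiry and service code.
SWIPE = b";4111111111111111=25121010000000000?"
FRAMING = b"\x02READ "  # hypothetical reader-to-controller framing
LEGACY_CAPTURE = FRAMING + SWIPE + b"\x03"
P2PE_CAPTURE = FRAMING + standin_encrypt(SWIPE, b"constructed-demo-key") + b"\x03"

if __name__ == "__main__":
    print("legacy reader:", find_cleartext_track2(LEGACY_CAPTURE))
    print("P2PE reader:  ", find_cleartext_track2(P2PE_CAPTURE))
```

Any hit on traffic captured downstream of a reader that is supposed to encrypt at the point of entry means clear-text card data is leaving the device and the deployment needs investigation.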
In a world where only the most comprehensive cyber security measures offer full protection from data fraud, it’s more important than ever to keep your customers’ information secure. If you have further questions about skimming technology, or wish to learn about Bluefin’s holistic approach to security and our P2PE services, contact us today.