Tag Archives: retailers

No comments

Chip Card Storm Brews

  By BlogAdmin May 10, 2019 , , , ,

Jeremie Myhren - chief information officer for Road Ranger in Rockford, Ill.The following article, written by Jeremie Myhren appeared May 9, 2019 on Convenience Store Decisions  has been reproduced. Jeremie has been managing IT in the convenience retail industry since 2000. He is the chief information officer for Road Ranger in Rockford, Ill.
Read Jeremie’s original article here.

 

As the October 2020 EMV liability shift at the pump draws near, the cost of not taking action grows clear.

No other industry has as many unattended outdoor payment terminals as we do in the convenience store and petroleum industry in the U.S. There isn’t even a close second.

This becomes increasingly relevant to the data security conversation as the payments technology and security landscape continues to evolve. Outdoor payment terminals are steadily increasing in value as a tool used by the criminal underworld.

The October 2015 inside Europay, Mastercard and Visa (EMV) liability shift in the U.S. moved a material percentage of retail payment card transactions from traditional magnetic stripe swipe to inserted, chip-card read. While attackers moved to exploit chip where they could, through techniques like swipe fallback, the retail shift to chip added cost, complexity and reduced feasibility for the criminal hacking groups and gangs who perpetrate most of the large-scale payment-card breaches.

That’s not to imply that inside EMV solves the payment card data security problem. In most cases, payment terminals are just as susceptible to a costly compromise as before EMV. Typical breach methods like memory scraping point-of-sale (POS) malware remain a threat, and the data captured in such an attack remains valuable, even from a chipped card. Really, the biggest shift in the EMVmove to inside chip is that your outlet becomes less attractive for criminal syndicates to perpetrate the final step of the payment-card data-breach fraud — actually spending the money or using the compromised account to buy goods or services to then sell or trade for cash.

That said, today, few of us have fully-operational EMV-capable payment-card terminals at the pump. Many of us have some sites and lanes with chip-capable hardware, but few retailers and payment networks are conducting an actual chip-card read at the fuel island.

The EMV liability shift at the fuel island currently stands at October 2020 and is unlikely to be extended further. Until the liability shift actually takes effect, so long as we follow current acceptance rules (things like not authorizing over allowed limits), we’re largely protected from stolen account numbers being used for purchases at our outdoor payment terminals.

This conceals the reality that our c-store sites are seeing higher incidences of stolen or breached payment cards being used for fuel purchases. Thieves are finding more obstacles at their traditional outlets, which have fully converted to chip-card acceptance, so the non-EMV-accepting fuel dispensers have increased in value to them. Because the issuing banks behind the stolen cards being used are bearing the cost of most of this fraud, we are often blind to it — even as it rises steadily.

This sets us up for a troublesome late 2020. Those who do not make the necessary investments in chip-accepting hardware at the fuel island, as well as those who have, but whose POS and payment processing partners have not, will find a shock in November 2020 as they bear the full burden of payment-card fraud at the fuel island for the first time.

What’s A Retailer To Do?

  • If you are branded, ask your fuel brand what your options are and what the current state of their technology programs are when it comes to EMV at the pump.
  • Talk to your POS software and hardware providers to determine dispenser EMV options and when they will be ready.
  • Talk to your dispenser partners about your specific dispensers and what your specific options are.
  • Talk to your payment-card processors about your specific technology mix and when they will be ready for your specific setup.
  • Talk to Visa, Mastercard, American Express and Discover. If you do not have an assigned representative from each payment brand, ask your payment-card processor to put you in touch.
  • Ask each payment brand to share the burden of Automated Fuel Dispenser (AFD) fraud at your sites for the past year. Normally, you do not see this data, as you didn’t bear the burden of it, but they have it and are generally able to provide it.
  • Use all of the above to apply pressure where needed to get various stakeholders to get you ready in time. Also use it to build your business case and ROI needed to fund the necessary investments to be prepared.

 

Do you have further questions about EMV capable and compatible equipment for your customer’s forecourt and in-store transactions?  Give us a call at 1.800.451.4021!

 

The John W. Kennedy Company appreciates your business and continued support!

 

JWK USA Logo

No comments

How to avoid getting skimmed when you’re filling your car with gas

  By BlogAdmin June 22, 2017 , , ,

patriot-logo

In our ongoing efforts to educate and inform, our partners at Patriot Capital have asked us to share the following article written by Fredrick Kunkle that appeared in the Washington Post on June 16, 2017. Read the original article here.

 

When you’re filling your car at the gas pump this summer, you could be also be giving a thief access to your bank account or credit card.

Gas stations are a chief target of criminals who use data-grabbing skimmers to siphon data from drivers’ credit and ATM cards, according to law enforcement officials and gas retailers. Almost daily, the secretive and illegal devices are discovered at gas stations across the country, such as here, here and here. Earlier this month, Fairfax County police reported finding 21 skimmers at 15 different locations in the past year.

Skimmers work like legitimate banking card readers, but they are secretly installed in or on the pumps by criminals to steal people’s financial data. Gas stations are particularly vulnerable, but banks and other businesses have also been hit.

“The people who are doing skimming — it’s amazing, some of the things they do,” said Lyle Beckwith, senior vice president for government relations at the National Association of Convenience Stores (NACS).

Gas stations are targeted because of their physical layout and the volume of their business. Thieves find it relatively easy to use gas station islands as cover while they tamper with the machines, Beckwith said. The devices are placed either inside the pumps by thieves who jimmy them open or outside the pumps using overlays on the pump’s card reader. Usually, thieves put one skimmer in a single gas station, but that one device can capture a lot of card data.

[From the archives: Fairfax County police find skimmers at hospitals]

NACS, which represents more than 2,100 retailers, says nearly 80 percent of the fuel in the United States is retailed through them. Although only a small fraction of those fill-ups get skimmed, a small fraction of 29 million daily fuel customers can mean a lot. A single skimmer can collect data from 30 to 100 cards a day, NACS says.

NACS

The National Association of Convenience Stores (NACS) says special sealing tape can help consumers and gas station operators spot pumps that have been tampered with. (Screen grab from NACS video; courtesy of NACS)

NACS

The National Association of Convenience Stores (NACS) says special sealing tape can help consumers and gas station operators spot pumps that have been tampered with. (Screen grab from NACS video; courtesy of NACS)

To counter them, retailers have been sealing the pumps with special tape. If you see that the seal is broken, you should not use the machine and should alert the operator, he said.

Retailers think the problem will diminish once consumers and retailers fully adopt chip technology, according to Rob Underwood, president of the Petroleum Marketers Association of America.

“As of now, there is a wait time for retailers to have access to the new equipment, which costs around $20,000 per pump,” Underwood said in an email. He said consumers and retailers will still remain vulnerable to fraud until credit card companies allow retailers to require consumers to use PINs on transactions.

NACS has produced a video for its retailers that’s also helpful for consumers, which you can view here:

Here are some tips from law enforcement officials and retailers to protect you at the pump:

  • Use cards with PIN numbers

You’re better off using a card with a PIN if you buy gas, according to NACS and PMAA. NACS, citing a 2013 Federal Reserve study, says you’re four times more likely to be ripped off if your transaction is made without a PIN.

“Signature-based transactions are processed on the antiquated Visa and MasterCard systems that do not process in real-time, versus the instant operation of PIN debit. Not using PIN also increases the cost of the transactions, which is passed back to the consumer,” NACS says. It also says that even old dispensers have technology to encrypt PIN numbers, and that gas pumps have been equipped with them since the early 1990s. “PINs provide a higher level of security. That is why banks require them for transactions at ATMs,” it says.

However, it should be noted that Fairfax County police say that if you’re ripped off via a credit card, you have more protection as a consumer than if the thieves do somehow get your PIN and access to your bank account.

“When the money comes out of that bank account, it’s a lot more difficult to get reimbursed,” Fairfax County Police Officer Tawny Wright said.

That said, the retailers — who bear the cost for fraud — still say they think customers are better off using the PIN.

  • Avoid older gas pumps if you can

These pumps are easier to break into and tamper with. Newer pumps have technology to prevent being ripped off.

  • Check to see whether the pump has been tampered with

Thieves install internal devices by opening the pumps and putting them inside. But gas stations have fought back by using serial-numbered security tape that track the reasons why the dispenser door was opened. If the tape is cut, damaged or broken, it should “bleed” to alert people that it’s been tampered with, NACS says.

For external skimmers, which are installed over an existing keypad, look to see if the keypad is raised. You can do this by running your fingernail along the edge, NACS says. The skimmer may also be loose or wiggle when  you touch it.

Police said newer Bluetooth skimmers are particularly tricky to detect because they can be hidden entirely inside the pumps.

  • There’s an app for that

Retailers can use the SkimDefend app, along with special NACS tamper-alert decals, to track attempts to mess with the pumps.

  • What should you do if you suspect a pump has been tampered with? 

Customers should alert the gas station operator, who should shut the pump down immediately and have it inspected by a technician.

NACS also advises that no one, including the technician, should touch or remove the device. Let the police handle it. In large cases, the FBI and Secret Service sometimes get involved, NACS says.

  • Check your banking and credit card statements frequently for suspicious charges 

If you see anything out of order, call your bank or credit company to report it right away.

If you are a petroleum retailer unsure as to whether now is the time to upgrade your equipment with EMV technology, have questions about equipment and/or financing, we invite you to contact us at 1.800.451.4021 and along with our partners at Patriot Capital, we can explore your equipment and financing options to ensure your location(s) have the latest and greatest data security and your customers’ bank accounts and credit cards are safe from such data skimming technology and practices.

We appreciate your continued business and support!