The Fraud Blog with Tracy Kitten

Card Fraud and Pay-at-the-Pump

Skimming at Gas Pumps is a Global Problem

Pay-at-the-pump skimming is a growing, global problem. And despite increasing publicity about identity theft and card fraud, little is being done to fix the pay-at-the-pump problem.

Building on last year's rash of card-skimming attacks at gasoline pumps in Utah and Florida, more attacks have already been reported in 2011, this time in Arizona and Europe.

The European ATM Security Team reports that card skimming attacks at unattended gas pump terminals are up in 2011. 

Tucson, Ariz., Police Sgt. Michael Garcia in early March told a local TV station that pay-at-the-pump skimming had been on the rise in Tucson since January, when police confiscated the city's first gas pump card skimmer.

Banks with more sophisticated fraud-detection solutions, such as Salt Lake City-based Zions ($50 billion in assets), have linked recent incidents of card fraud back to gas stations. But they can't control how -- or if -- station owners address the issue.

Last week, the European ATM Security Team reported that card skimming attacks at unattended gas pump terminals are up in 2011, despite Europe's migration toward EMV. "Although these are often not successful," EAST says, "six countries reported this form of attack, with two reporting increases."

In Europe, EAST notes that most skimming attempts are unsuccessful, because of EMV. That is, the cards can't be compromised in EMV-compliant countries, EAST says. Still, because of the lingering magnetic stripe on EMV cards, if mag-stripe details aren't turned off, skimmers can collect the stripe details from an EMV card and compromise that card in countries such as the U.S., where the mag-stripe is still commonly used.

Despite the evolution of the PCI Data Security Standard, clearly we have inadequate checks and balances for card fraud liability.

Jeremy King, head of European initiatives for the PCI Security Standards Council, says the council recognizes the problem and is addressing it through PCI PIN Transaction Security requirements. In May of 2010, PTS version 3 was released, including lines specific to security at unattended payment terminals such as pay-at-the-pump.

"The council reacted to this by actually creating and releasing what was at the time the Unattended Payment Terminal set of requirements, which looked at how to improve the security of this type of terminal," King says. "As we've moved into version 3 and created the PTS standard, a whole section about unattended terminals is being incorporated into the document."

In short, pay-at-the-pump terminals, King says, are designed to provide fuel. Payment and security were not at the forefront of thinking during manufacturing. So, the council is offering recommendations. "If you do not want to change your whole fuel pump, then there are now going to be solutions that will enable you to make the payment aspect more secure and up to the standard of PCI PTS," King says.

That's great. But what if station owners don't upgrade their systems? A liability shift has to come into play, somewhere.

These skimming incidents will continue because gasoline pumps are easy targets. Continued use of universal keys and codes to access pump enclosures make them ideal, since fraudsters can hide skimming devices inside the enclosures, where they are undetectable, at least on the surface.

It's no wonder more than half of U.S. consumers cite card fraud as their greatest concern, according to a recent survey from ACI Worldwide. The survey includes responses from 4,200 consumers across 14 countries. In the U.S., 58 percent of consumers surveyed say they think card fraud is increasing.

Consumer perception is not far off from reality.



About the Author

Tracy Kitten

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.co.uk, you agree to our use of cookies.