fraud
The use of payment cards for fuel purchases in the US has been
encouraged by the advent of pumps equipped with card readers. The
new-era pumps have also attracted criminals bent on card fraud, a
development VeriFone plans to counter with its Secure PumpPay
solution. Charles Davis reports.
Go deeper with GlobalData
Card based payments for fuel are growing rapidly in popularity at
US fuel retail outlets, a trend spurred by the introduction of
pumps incorporating card readers. However, with the appearance of
pay-at-the-pump, security found itself lagging opportunity, as
fraudsters quickly figured out how to exploit the new-era fuel
pumps.
To counter the criminal onslaught, payments software and hardware
developer VeriFone has launched its Secure PumpPay solution for
upgrading fuel pump card payments to meet the Payment Card Industry
(PCI) Security Standards Council’s Data Security Standard. The
council, which was founded by five major card associations,
requires merchants that process card data to adopt tight security
controls and processes.
Secure PumpPay is a universal solution that works with pumps
manufactured by virtually all US and most European suppliers and
has already been installed at initial sites in Europe, the Middle
East, Asia and the US.
Masking data
US Tariffs are shifting - will you react or anticipate?
Don’t let policy changes catch you off guard. Stay proactive with real-time data and expert analysis.
By GlobalDataSecure PumpPay utilises the PCI-approved OP4100 outdoor payment
hardware. This will support VeriFone’s patent-pending technology to
cryptographically mask account numbers and magnetic stripe data
throughout the retailer’s system, easing compliance and rendering
the card data useless to criminals if a retailer’s network is
breached.
“The PCI standards ensure that transactions can’t be skimmed at the
point of sale, and by complying with the triple data encryption
standard, we’ve really gotten out ahead of the game here,” Joey
Ledford, a VeriFone spokesperson, told EPI. “This will meet
standards that are going to get a lot tougher in 2010, but more
importantly, it begins to address the issue of pump security right
now. If the crooks crack into these systems right now, they can
install a little box [data skimmer] the size of a pack of
cigarettes and steal every credit card that comes through the
pump.”
If that seems a bit outlandish, note that in August, Arizona
authorities found two card data-skimming devices at Phoenix-area
fuel pumps, where the US Secret Service continues to look for card
fraud tied to the incident. Debit cards are particularly vulnerable
to skimmers, who can lift the data and then use counterfeit cards
at ATMs to extract cash.
The PCI has mandated that from January 2009 all new self-service
pumps must have PCI-approved PIN-entry devices. Further, by July
2010, all card transactions at pumps must be protected with
advanced triple data encryption technology.
Fraudsters target fuel dispensers
Fraud at fuel pumps is a very real problem in the US, said Ledford.
He added that there are about 700,000 unsecured fuel dispensers in
the US and Canada, and according to a recent security alert by
Visa, organised crime rings are increasingly targeting merchants to
obtain magnetic stripe data and PIN data, often focusing on
automated fuel dispensers.
Debit payments at the fuel dispenser are growing at a rate of 26
percent annually, increasing the likelihood of a data breach
dramatically each year. The cost to retrofit an existing dual-sided
dispenser is less than 25 percent of the cost of a new dispenser –
a safe investment, Ledford said, when the average security data
breach costs a company $5 million.
Given that convenience stores sold 158 billion gallons of fuel in
the US in 2006 – 82 percent of all fuel sold nationwide – it was a
logical place to start. Using VeriFone’s OP4100 hardware, the
Secure PumpPay platform features an ATM-style keypad for speed of
entry, screen addressable keys for flexible customer input, and a
manual insert hybrid card reader with triple-track magnetic-stripe,
EMV chip card and contactless payment capabilities. In addition,
the OP4100 hardware incorporates a high-speed, high-resolution
printer that can highlight graphics and bar-coded receipts for
in-store promotions.
“Secure PumpPay is easy to integrate at a mechanical, electrical
and software level – there are no changes to inside hardware or
software required,” Ledford said. “We worked to make sure that this
was easy to do and quickly adaptable.”
He continued that Secure PumpPay addresses one of the last major
gaps in payment security. “It’s going to head off a lot of fraud,
and will also bring convenience stores within compliance with rules
that are still a year or two away,” Ledford said.
Mixed blessing
For the convenience industry, pay-at-the-pump has always been a bit
of a mixed blessing, payments-wise, because to everyone’s
disbelief, convenience stores don’t make much money from fuel
sales. The typical profit margin for retailers is between $0.06 and
$0.12 per US gallon (1.89 litres) of petrol, and the transaction
fees for using credit and debit cards takes another $0.02 to $0.03
off that. The result is that convenience stores might be breaking
even, at best, on fuel sales.
The key has been getting the fuel customer to come into the
convenience store to shop. Nationwide, by far the largest portion
of a convenience store’s profit will come from inside sales. Yet by
offering pay-at-the-pump features, retailers in a way discourage
customers from coming inside the convenience store, where they will
buy items more profitable for the retailer. Contactless payments
could make that situation even worse as drivers know that payment
will take only a few seconds.
Increased use of credit and debit cards for fuel purchases is also
being driven by rocketing fuel prices, according to the National
Association of Convenience Stores (NACS). In a survey conducted by
the national association in early 2007, 47 percent of respondents
said they were “much more likely to use a debit or credit card” for
fuel purchases.
Meanwhile, the convenience stores continue to look for any way to
cut interchange costs, and card acquirers and processors are
responding by espousing to merchants the benefits of allowing
customers to pay however they please and enhancing their offerings.
For example, payment processor First Data offers a programme to
NACS members that charges card processing fees about 5 percent to
10 percent lower than the norm, thanks to efficiencies of
aggregating NACS members’ transactions. Another payments processor,
Chase Paymentech, offers a similar programme to members of the
Petroleum Marketers Association of America.
