Battling Pay-at-Pump Threats with Intelligent Fraud Detection

By: Dena Hamilton

As the US shifts over to EMV, there are growing concerns about how the migration gap will affect fraud in the self-service channel. While the liability shift for point-of-sale devices in the US was October 2015, it’s going to be October 2017 before all ATMs and gas station pay-at-pump machines are similarly covered. Experts are rightly concerned about an uptick in fraud at unattended self-service channels.


We can tackle this in a couple of ways depending on what the problem is. First, we look to reduce fraudulent transactions by increasing our security layers, such as requiring customers to enter ZIP codes for payment authorization when paying at the pump.


The addition of a ZIP code is a bit like asking for a PIN but without all the encryption and standards required. It’s a relatively simple approach, but one that seems to work. The other major threat is skimming attacks on these unattended machines.


Better physical security is a first step - criminals need access to the inside of the pump door to attach the skimming device. In 2011, residents of Camarillo, California, formed a group of 30 volunteers to monitor pay-at-the-pump terminals throughout the town. This was hardly a great advert for the physical security that was in place at the time. Security expert Brian Krebs notes that security tape is a favorite way of 'protecting' card readers, but again, it is not exactly 100 percent secure. “Security tape wrapped around a card reader at a gas pump isn’t going to stop most pump skimming attacks, which start when someone with a master key for the pump opens it up and fiddles with the guts of the machine,” he writes. “The crooks figured out a long time ago that only a handful of master keys are needed to open the majority of the gas pumps in use today. So, rather than retrofit each one of these pumps with a more custom and secure locking mechanism, most stations just put security tape on the pump door.”


Fraud detection
Clearly security is still not perfect, so as issuers we need to be tuning fraud detection systems to cope. With skimming threats, that means looking for the point-of-compromise.


Al Pascual, director of fraud and security at consultancy Javelin Strategy & Research, told BankInfoSecurity that banks are increasingly focused on finding common points of compromise linked to pay-at-the-pump skimming attacks. Pay-at-pump will be one of the last “bastions for mag-stripe card data until at least 2017”, he explained.

Intelligent fraud detection is where issuers can really differentiate themselves. Issuing banks need to be attuned to this threat and ensure their fraud systems can spot a common point-of-compromise. Likewise, fraud detection systems can be geared up to spot suspect pay-at-pump transactions. For example, we could simply place a risk-based blanket over all pay-at-pump card payments, so that each of these transactions automatically raises a flag for closer review under standard fraud prevention models: comparing previous transactions, the location of the transaction and, naturally, any common point-of-compromise.

However you approach it, the pay-at-pump channel needs to be part of your fraud detection thinking over the next couple of years.
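
As an added illustration (not part of the original article and not any vendor's implementation), the Python example below shows one simple way an issuer could look for a common point-of-compromise: it counts how many later-defrauded cards used each terminal shortly before the fraud and compares that rate with the portfolio-wide fraud rate, so a busy merchant that every card visits is not flagged by volume alone. The card and terminal IDs, dates, 30-day lookback and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not real cards or terminals).
# card -> date of first confirmed fraudulent use
FRAUD_REPORTS = {f"c{i}": date(2016, 3, 20) for i in range(1, 6)}
# (card, terminal, transaction date)
TRANSACTIONS = (
    [(f"c{i}", "GROCERY-01", date(2016, 3, 5)) for i in range(1, 21)]
    + [(f"c{i}", "PUMP-17", date(2016, 3, 10)) for i in (1, 2, 3, 4, 6)]
    + [("c5", "PUMP-17", date(2016, 1, 1))]  # before the lookback window
)


def common_points_of_compromise(transactions, fraud_reports,
                                lookback_days=30, min_cards=3, min_lift=2.0):
    """Return (terminal, exposed_cards, lift) for suspect terminals, worst first."""
    seen = defaultdict(set)     # terminal -> every card that used it
    exposed = defaultdict(set)  # terminal -> defrauded cards that used it
                                # inside the lookback window before the fraud
    for card, terminal, when in transactions:
        seen[terminal].add(card)
        first_fraud = fraud_reports.get(card)
        if first_fraud is None:
            continue
        window_start = first_fraud - timedelta(days=lookback_days)
        if window_start <= when < first_fraud:
            exposed[terminal].add(card)

    all_cards = set().union(*seen.values())
    if not all_cards:
        return []
    # Baseline: share of the whole portfolio that was defrauded.
    baseline = len(all_cards.intersection(fraud_reports)) / len(all_cards)
    if baseline == 0:
        return []

    suspects = []
    for terminal, cards in exposed.items():
        lift = (len(cards) / len(seen[terminal])) / baseline
        if len(cards) >= min_cards and lift >= min_lift:
            suspects.append((terminal, len(cards), round(lift, 2)))
    return sorted(suspects, key=lambda s: (-s[2], -s[1]))


if __name__ == "__main__":
    for terminal, n, lift in common_points_of_compromise(TRANSACTIONS, FRAUD_REPORTS):
        print(f"{terminal}: {n} defrauded cards, {lift}x the portfolio fraud rate")
```

In the constructed data every defrauded card also shopped at GROCERY-01, but only PUMP-17 is returned, because its share of defrauded cards is well above the portfolio baseline.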

Dena Hamilton

GM/Director, Enterprise Fraud & Security Software Solutions

Dena specializes in fraud, risk, compliance and security with over 35 years in the financial services space. Her focus is in the development and deployment of enterprise financial crime solutions optimized in prevention, detection and back office efficiency.