By : Dena Hamilton
As the US shifts over to EMV, there are growing concerns about how the
migration gap will affect fraud in the self-service channel. While the
liability shift for point-of-sale devices in the US was October 2015, it’s
going to be October 2017 before all ATMs and gas station pay-at-pump
machines are similarly covered. Experts are rightly concerned about an
uptick in fraud at unattended self-service channels.
We can tackle this in a couple of ways depending on what the problem is.
First, we look to reduce fraudulent transactions by increasing our security
layers, such as requiring customers to enter ZIP codes for payment
authorization when paying at the pump.
The addition of a ZIP code is a bit like asking for a PIN but without all the
encryption and standards required. It’s a relatively simple approach, but
one that seems to work. The other major threat is skimming attacks on these unattended machines.
Better physical security is a first step - criminals need access to inside the pump door to attach the skimming
device. In 2011, residents of Camarillo, California, formed a group of 30 volunteers to monitor pay-at-the pump
terminals throughout the town. This was hardly a great advert for the physical security that was in place at the
time. Security expert Brian Krebs notes that security tape is a favorite way of 'protecting' card readers, but again
something that is not exactly 100 percent secure. "Security tape wrapped around a card reader at a gas pump isn’t
going to stop most pump skimming attacks, which start when someone with a master key for the pump opens it
up and fiddles with the guts of the machine,” he writes. “The crooks figured out a long time ago that only a handful
of master keys are needed to open the majority of the gas pumps in use today. So, rather than retrofit each one of
these pumps with a more custom and secure locking mechanism, most stations just put security tape on the
Clearly security is still not perfect, so as issuers we need to be tuning fraud detection systems to cope. With
skimming threats, that means looking for the point-of-compromise.
Al Pascual, director of fraud and security at consultancy Javelin Strategy & Research, told BankInfoSecurity that
banks are increasingly focused on finding common points of compromise linked to pay-at-the-pump skimming
attacks. Pay-at-pump will be one of the last “bastions for mag-stripe card data until at least 2017”, he explained.
Intelligent fraud detection is where issuers can really differentiate themselves. Issuing banks need to be attuned
to this threat and ensure their fraud systems can spot a common point-of-compromise. Likewise, fraud detection
systems can be geared up to spot suspect pay-at-pump transactions. For example, we could simply place a risk-
based blanket over all pay-at-pump card payments, with these transactions automatically raising a flag that we
may need to look more closely at this transaction as per standard fraud prevention models. For example,
comparing previous transactions, location of the transaction and, naturally, any common point-of-compromise.
However you approach it, the pay-at-pump channel needs to be part of your fraud detection thinking over the
next couple of years.