Digital and online payments are not going anywhere soon. With online purchases of food and household items increasing by up to 30% (during the lockdown months), and 60% of first-time online shoppers reporting they will continue to buy online after lockdown, the direction of travel and prospect of a cashless future are clear. Efforts to secure those payments continue; however, it is clear that closed-loop cards are at risk of being left behind. As a result, fuel fraud remains a major problem for card issuers and the retail fuel market.
Fuel card security has long been an industry pain point. A high number of fuel card issuers still use magnetic stripe cards as either their primary or fallback security method. The high resale value of fuel, coupled with the ease of skimming or copying magnetic stripes, means fuel remains a very attractive target for fraudsters, who can stand to make over $10,000 from just a few hours' work.
Whilst it is widely agreed that EMV and chip cards are the future of fuel card security, there is still a lot of resistance towards the technology, particularly from small retailers. One of the main reasons for that is the cost of updating fuel pump payment terminals to accept these newer, more secure cards. With the cost of converting one fuel pump rising to $25,000, this can be a costly exercise – especially as a lot of issuers have yet to make the shift to issuing chip cards. In the meantime, the industry is left in limbo, with cases such as this one in Tampa still happening on a regular basis.
Is EMV coming too late? Has the industry already moved on?
The deadline for full EMV acceptance in the United States has already moved multiple times. A variety of reasons have been put forward for the ongoing delays, such as supply limitations, cost issues, and, of course, the hardship caused by COVID-19. The latest deadline passed over 3 months ago, but there are still many sites that have not switched over to EMV. It is worth clarifying that retailers still using magnetic stripe transactions will be able to accept and process payments, but are now liable for any fraudulent losses. This has been seen as an acceptable sacrifice for some site owners, because of the seemingly lower fraud rates on fuel cards and the cost of upgrading individual pumps.
It is important to note that while chip card acceptance is not a silver bullet for bringing down fraud levels, it is virtually impossible to copy data from a chip. As in other payment industries, it is also much harder to steal data from a chipped card in a shop or restaurant, as there are more people and better security present. In the retail fuel space, many of those barriers do not exist, with unmanned sites or manned, but ‘pay at pump’ sites, open 24 hours a day. These sites can be poorly lit, with minimal security features and few people around, meaning it is very easy to install fraudulent devices.
One such fraudulent device that is becoming popular on the dark web and in fraud circles is the “shimming” device. Shimming devices work in much the same way as traditional card skimmers, where a device is inserted into a card reader to copy the card's data. A skimming device usually works by taking data from the magnetic stripe as the card is inserted into the card reader, copying the data, and either storing it within the device or transmitting the data via a Bluetooth relay to be stored locally. Storage devices can be hidden in a bathroom or even in a van parked nearby. Evidence of shimming has been found in nearby streetlights and even buried in the ground.
One of the major problems with skimming devices is that they can only copy from magnetic stripe to magnetic stripe, so they cannot be used with EMV cards, and they are often quite bulky, as they must copy the entire card. In contrast, shimming devices copy the data from the chip itself. This means that the device (or shim) can be inserted into a card reader and is much less bulky. Devices can be as thin as a piece of paper, and about the same size as a postage stamp, with a storage chip built in to store any stolen data. This data can then be migrated in two ways. At the high end, it can be replicated with assumptions into another chip. But this requires the fraudster to have a chip card issuing machine, which can be expensive and unreliable. The other, and more common, way to commit this type of fraud is to copy the minimum stolen data onto a magnetic stripe to use wherever the fall-back, old security measures are in place. As previously mentioned, this can be quite common.
In locations where the magnetic stripe fall-back is still in place, fraudsters have found a way to force a consumer to use the fall-back by installing a traditional skimming device with a physical chip blocker. This device blocks chip acceptance with a conveniently placed component, which means the customer has to use the magnetic stripe function linked to the previously installed skimming device. This is an update on a traditional fraud type, and it means there are still holes in the security surrounding EMV and chip card payments.
So, are we too late for chip card acceptance? Well, many card issuers are already moving away from chip and EMV acceptance and moving to contactless payments. The rise of contactless payments has been accelerated by lockdown and the increase of payment limits in the UK (up to £45 in 2020 in a single payment), and according to an announcement in March 2021 the limit will soon increase to £100.
As a result, contactless is becoming a much more widely accepted and popular form of payment. Any fuel retailers who are in the process of upgrading their fuel pumps for EMV acceptance must be looking at contactless and wondering what it will cost them to upgrade to contactless too. The fraud parameters around these payments are also different, and the capability to distinguish contactless from EMV/Chip and even magnetic stripe is becoming more and more important. It is not just the data: appropriate levels of fraud management and detection also need to be in place. This is just one example; there is now a seemingly endless world of payment types, with some already in place for certain markets and some coming very soon. Not only does this cause issues for fuel retailers with the hardware onsite, but also for those that have not prepared from an issuing fraud management perspective.
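As an added illustration (not part of the original article), the sketch below shows one way an issuer or acquirer could separate chip, contactless and magnetic stripe transactions and flag pumps where chip cards are repeatedly falling back to the stripe, the pattern a chip blocker produces. The record field names, the thresholds and the sample transactions are assumptions constructed for the example; the POS entry mode values are those commonly used in ISO 8583 field 22 and should be checked against the acquirer's own specification.

```python
from collections import defaultdict

# First two digits of ISO 8583 field 22 (POS entry mode), as commonly used
# by card schemes. Assumption: confirm against your acquirer's specification.
ENTRY_MODES = {"05": "chip", "07": "contactless", "80": "fallback",
               "90": "magstripe", "02": "magstripe"}

def classify(txn):
    """Return the payment channel; a stripe read of a chip card at a
    chip-capable terminal is treated as fallback even if not reported as 80."""
    mode = ENTRY_MODES.get(txn["entry_mode"][:2], "unknown")
    # Track 2 service code starting with 2 or 6 means the card has a chip.
    chip_card = txn["service_code"][:1] in ("2", "6")
    if mode == "magstripe" and chip_card and txn["terminal_chip_capable"]:
        return "fallback"
    return mode

def fallback_counts(txns):
    """Map terminal id -> [fallback transactions, total transactions]."""
    counts = defaultdict(lambda: [0, 0])
    for t in txns:
        counts[t["terminal"]][0] += classify(t) == "fallback"
        counts[t["terminal"]][1] += 1
    return dict(counts)

def suspicious_terminals(txns, threshold=0.5, min_txns=4):
    """Terminals whose fallback share is high enough to warrant a site check.
    threshold and min_txns are illustrative values, not industry figures."""
    return sorted(term for term, (fb, total) in fallback_counts(txns).items()
                  if total >= min_txns and fb / total >= threshold)

def txn(terminal, entry_mode, service_code, chip_capable=True):
    # Hypothetical record layout used only for this example.
    return {"terminal": terminal, "entry_mode": entry_mode,
            "service_code": service_code, "terminal_chip_capable": chip_capable}

# Constructed sample data: PUMP-01 behaves as if its chip reader were blocked.
SAMPLE = [
    txn("PUMP-01", "051", "201"), txn("PUMP-01", "901", "201"),
    txn("PUMP-01", "801", "201"), txn("PUMP-01", "901", "601"),
    txn("PUMP-01", "901", "201"),
    txn("PUMP-02", "051", "201"), txn("PUMP-02", "071", "201"),
    txn("PUMP-02", "901", "101"), txn("PUMP-02", "051", "601"),
    txn("PUMP-03", "901", "201", chip_capable=False),
]

if __name__ == "__main__":
    print(suspicious_terminals(SAMPLE))
```

A flagged pump is a prompt for a physical inspection of the card reader, since a high fallback share can also come from a worn or faulty chip contact.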
The question now is whether the retail fraud industry can catch up quickly enough.