Pay-At-The-Pump Skimming - a Growing Threat
No question: Card fraud is growing. At the root of the problem is skimming. This is a global challenge that impacts all types of card-reading machines, including ATMs and POS devices. The Secret Service estimates that in 2008 some $8.5 billion was lost as a result of skimming and phishing attacks.
When it comes to the ATM, the global financial industry has invested heavily in solutions to thwart skimming. Visa and MasterCard have mandated several security precautions, such as encrypting PIN pads and Triple DES compliance, to ensure ATM deployers adequately protect cardholder data.
But what about unattended self-service devices, which have proven to be much more vulnerable? Case in point: The pay-at-the-pump terminal.
Nicole Sturgill, research director at financial consultancy TowerGroup, says pay-at-the-pump terminals are targets because they can easily be entered with universal gas keys. Once the terminals are opened, skimmers can be placed inside, away from view. In comparison, ATMs are required to have unique keys and codes for service and maintenance checks.
Let's be fair. Unless a skimming device is found, or law enforcement notifies a business that its terminals have been compromised, a typical merchant would never see the fraud. The cards are skimmed, duplicates are created, and the fake cards are used at ATMs, online and/or at retailers globally. But does that free the merchant from bearing some of the responsibility?
For Chuck Groat, the vice president of bankcard risk management at Zions Bank in Utah, the answer is simple - "No."
Zions, with just over $50 billion in assets, is rather sensitive to the pay-at-the-pump skimming wave. Since January, Zions has seen a significant spike in its number of compromised cards. In fact, production of counterfeit cards created from card data skimmed from Zions customers has increased 200 percent over the last 12 months, and Groat says Zions has pinpointed pay-at-the-pump terminals as the weak spot.
"How difficult would it be to place tamper-proof seals around the access door and check daily?" Groat asks.
A rash of attacks in Utah, which earlier this year resulted in the compromise of 180 pay-at-the-pump terminals with skimming devices and Bluetooth technology to transmit card data, put Zions on alert. With software analytics, Zions narrowed the points of compromise to gas stations where customers had used their cards to pay at the pump. Most of the counterfeit cards had been created from information collected along the Interstate 15 corridor, which runs between Salt Lake City and Las Vegas.
"Someone needs to make them more aware of the problems and responsible for losses," Groat says. "They are aware of it, but they are not doing anything to prevent it."
The problem: A lack of significant security measures in place to protect pay-at-the-pump terminals. Groat says universal keys - bad enough - are just part of the problem. Some pumps, he says, lack key protection altogether.
"Something needs to be done and driven from the association level," Groat says.
I agree. But which associations? Card associations? Industry associations? Which groups will stand behind a stronger security push?
It seems Visa and MasterCard would take a stand here, similar to the stand they've taken on the ATM front. But who's going to help the merchants realize they have a problem - much less do something about it?
I'm eager to hear your take. How has your institution been impacted by pay-at-the-pump and other skimming incidents - and what have you done to help reduce them?