DETROIT – Approximately 39 million Americans fill-up every day and fuel dispensers have become one of many targets for thieves looking to steal credit and debit card information by "skimming," an aggressive tactic used to illegally obtain consumer card data for fraudulent purposes.
Skimming occurs when a third-party card-reading device is installed either outside or inside a fuel dispenser, which allows a thief to capture a customer’s credit and debit card information to create counterfeit cards.
Skimming is one type of cardholder data theft and are different than data breaches, which is the physical theft of documents or equipment containing cardholder account data (cardholder receipts, files, PCs, POS terminals), or un-authorized access or deliberate attacks on a system or network environment where cardholder data is processed, stored or transmitted.
How can you check fuel dispensers for skimming devices?
There are two types of skimmers: internal and external.
Internal devices are installed by opening the dispenser door and inserting a skimmer. Serial-numbered security tape, and serial numbers tracked with reason codes for why a new tape was used is one method that retailers use to protect dispensers against skimming. When the dispenser has been accessed and the security tape is broken, it should “bleed” once it has been cut or tampered with. If this occurs, immediately shut down the dispenser and call in a technician to inspect the pump.
For internal skimmers, also look to see if the dispenser door appears to have been forced open. In some cases, the door does not align properly or has unusual scraping or wear around the edges.
External skimmers are installed over an existing keypad. There are some tell-tale signs that an external skimmer has been installed:
- Check to see if the keypad is raised by running your fingernail along the edge. A skimmer is also likely to be loosely installed and will wiggle.
- Also look at the weathering of the keypad. Most fuel dispensers get weathered because of the elements and a new keypad on a weathered dispenser should be a warning sign.
Should customers use signature debit instead of PIN to minimize the risk?
A 2013 Federal Reserve study revealed that not using PIN carries 400% more fraud, which is why PIN use is the de facto standard for world payments. Consumers who choose not to use a PIN are also at risk for overdraft fees that occur when their bank does not remove debit holds from their account in a timely fashion. Signature-based transactions are processed on the antiquated Visa and MasterCard systems that do not process in real-time, versus the instant operation of PIN debit. Not using PIN also increases the cost of the transactions, which is passed back to the consumer.
The assertion that dispensers use older technologies that don’t encrypt PIN codes is false. With the introduction of master session encryption technology in the early 1990s, fuel dispensers have been required by Visa and electronic funds transfer networks to encrypt PINs or not accept PIN debit.
PINs provide a higher level of security. That is why banks require them for transactions at ATMs. Many stations have also upgraded to full travel keyed, triple encrypted PIN pads, which is state-of-the-art security.