An End to Pay-At-The-Pump Skimming?
New PCI Standard Could Be The Key To Security
I spent yesterday catching up on some of my interviews from the last 30 days. Yes, from time to time, I do this, just to keep my stories straight. One interview in particular reignited my interest -- a discussion with Jeremy King, who heads up the Payment Card Industry Security Standards Council in Europe. The topic: pay-at-the-pump skimming.
I caught up with King in September, during the PCI North American Community Meeting in Orlando, Fla. Our discussion revolved around emerging technology -- end-to-end encryption, tokenization and the EMV chip standard. But it was the discussion about EMV and steps the council is taking to address skimming at unattended terminals, such as pay-at-the-pump, that grabbed my attention.
The summer's significant rise in skimming attacks at fuel pumps in the United States' Southeast and West was disturbing, not just for financial institutions, but also for consumers. Back in July, I opined that the rise in pay-at-the-pump skimming could be blamed on "a lack of significant security measures in place to protect pay-at-the-pump terminals."
Well, as it turns out, security measures may be lacking in the U.S., but not in other parts of the world. And the PCI Council is using its global muscle to help spread the word about anti-skimming best practices at, yes, pay-at-the-pump.
In May, the PCI Council released version 3 of its PIN Transaction Security requirements -- requirements that address security at unattended payment terminals such as pay-at-the-pump. In short, King says the United States' continued reliance on the mag-stripe encouraged the council to address skimming at devices that fall outside the purview of ATMs and points of sale. Why blame the continued reliance on the mag-stripe? Because in EMV-compliant countries, such as the United Kingdom, pay-at-the-pump skimming has evaporated and become, by and large, a non-issue.
In Europe, the rollout and maturity of EMV has enabled smart-card, chip payments at the pump -- a significantly more secure and unskimmable option, save for the lingering mag-stripe on most of those cards. But the read of the mag-stripe can be turned off; then, even if a skimmer has been placed on the pump, it won't get anything. Only the chip is enabled for the transaction. Fraudsters don't want to waste time jumping through hoops like that, or taking time to figure out which fuel pumps they can skim. Thus, incidents of skimming at the pump have become lesser concerns.
And in Canada, which is nearing the completion of its EMV migration, Interac, the country's payments authority, has introduced specific requirements for securing transactions at pay-at-the-pump.
In the U.S., there is no Interac or UK Payments Administration Ltd., formerly the Association for Payment Clearing Services, to oversee and implement security measures for card transactions. The closest we have in the U.S. is the PCI Council, so PCI guidance and requirements are the next best things. With that in mind, King says the council saw the need for guidance in the U.S. "The council reacted to this by actually creating and releasing what was at the time the Unattended Payment Terminal set of requirements, which looked at how to improve the security of this type of terminal," he says. "As we've moved into version 3 and created the PTS standard, a whole section about unattended terminals is being incorporated into the document."
In short, pay-at-the-pump terminals, King says, are designed to provide fuel; payment and security were not at the forefront of thinking during manufacturing. So, for petrol stations that want to improve their security, the council is offering recommendations. "If you do not want to change your whole fuel pump, then there are now going to be solutions that will enable you to make the payment aspect more secure and up to the standard of PCI PTS."
The cost of replacing fuel pumps is significant, so one of the options introduced in the PTS version 3 calls for a PIN pad replacement of sorts. Original equipment manufacturers of pay-at-the-pump terminals can provide these to merchants and petrol stations as upgrade options. "This is basically a payment unit that is enclosed in a secure box, which is designed to be retrofitted into existing fuel pumps," King says. "There are now going to be solutions that will enable you to make the payment aspect more secure and up to the standard of PCI PTS."
Now, as long as we can encourage the merchants to make these investments, we might see an end or at least a noticeable dip in pay-at-the-pump skimming. But until some of the skimming losses are placed on the shoulders of non-compliant PCI PTS merchants, I don't know how much incentive merchants will have to make investments in new devices or upgrades. I could be wrong. After all, for the retailer, it should be more about customer experience, right? No retailer wants to get a bad rep for compromising customer cards.