EMV MIGRATION DELAY DOESN’T LET GAS STATIONS COMPLETELY OFF THE HOOK
Last week, Visa, MasterCard and American Expressed delayed the EMV migration deadline for gas stations from October 2017 to October 2020 — but that doesn’t mean that gas stations can now relax their EMV upgrade plans.
According to Gray Taylor, executive director at Alexandria, Vir.-based Conexxus, an industry association for the petroleum industry, gas stations need to continue to stay on top of their upgrade plans.
Gas stations that have the older magnetic-stripe card readers will become liable for fraud losses even before the deadline, if their fraud grows beyond a certain level.
Taylor estimates that the gas stations account for about $400 million of counterfeit fraud each year, and as other retailers upgrade their security, fraudsters will set their sights on gas pumps.
For example, criminals who would previously take their stolen credit cards to Best Buy to get flat-screen TVs that they would resell on eBay, would now get a 500-gallon bladder tank, fill it up with gas, then resell it to, say, local businesses.
If the fraud rate goes up four-fold, then the gas station operator becomes liable for all the fraud losses at that location, even before the liability shift deadline.
To avoid that problem, Taylor suggests that gas stations in risky areas take other security precautions if they can’t upgrade, such as adding better video cameras, asking customers to enter their zip codes, or paying extra for real-time risk scoring.
Local police can help too, he added.
“The cops are very much interested in catching guys with 500-gallon bladder tanks,” he said. “These are not highway-approved tanks. If someone gets into an accident with that in their vehicle, it’s like a bomb.”
Switching over gas pumps is much more difficult and more expensive than switching over check out registers, he said. There are about 800,000 pumps needing to be upgraded, the specification only became finalized in late 2015, and there aren’t nearly enough people to install the new systems.
In addition, each combination of system components had to be certified separately, a total of about 3,000 different certifications, he said.
It didn’t help that other retailers were supposed to have switched over already, freeing up resources for gas stations — but many haven’t even begun the process.
Then there’s the usability issue. At a checkout counter, there’s a cashier to answer questions if the customer can’t figure out where to insert the card or how long to wait before taking it out. But gas pumps have to be a lot more user-friendly.
“It became apparent about 18 months ago that there was just no way we were going to make it,” said Taylor.
In addition to extending the deadline, the credit card brands also worked with the industry to reduce the total number of required certifications from 3,000 to around 300.
“Visa and MasterCard have acted responsibly with this move, based on the quagmire of complexity in the retail fuel market,” said Allen Friedman, vice president of payment solutions at Neuilly-sur-Seine, France-based Ingenico, the world’s largest maker of card-payment terminals.
He recommended that convenience stores and gas stations that have begun planning their EMV implementation should continue their efforts, and those haven’t started yet should do so as soon as possible.
“While bumpy, the transition to EMV generally makes card payments more secure,” said Ben Woolsey, president and general manager at Austin-based CreditCardForum. “It makes it more difficult for thieves to use hacked transaction data — due to how the EMV chip scrambles data — makes traditional card-skimmers useless — because they can’t read chips — and makes it more difficult to create usable counterfeit cards.”
Postponing the conversion is a setback for security, said Chris Pinion, manager of fraud solutions at Alpharetta, GA-based LexisNexis Risk Solutions, who said that he was disappointed — but not surprised — by the news of the delay.
“Conversion to EMV also frequently includes other security enhancements, including encryption and tokenization, which will also be delayed,” he said. “From a fraud perspective, pumps will remain a leading source of fraud and a location of choice for card testing.”
The delay is nearly as long as the original timeline, he added. “Which is concerning. From a security perspective, mag-stripes will continue to be a weak link, and the delay will allow hackers continued access to unsecured data.”
Since gas station fuel pumps are publicly accessible, they are particularly vulnerable to credit card skimming devices, said Jerry Irvine, CIO at Chicago-based Prescient Solutions.
This gives thieves an opportunity to collect credit cards numbers that they can use elsewhere.
“The industry may want to consider additional fines and penalties for those organizations failing to transition to the EMV technology,” he said. “Until this occurs the public will continue to be at risk.”