Last weekend I went spring skiing, well spring snowboarding — but you know what I mean. It was sunny, with temperatures in the 50s — an epic day of carving mashed potatoes to close my snowboarding season.
On the way home, I stopped for gas at a non-branded store I had been to dozens of times over the years. I’m getting ready to pump my gas and notice signage indicating that I need to keep my card inserted because they had upgraded to EMV. Being in the industry, I silently applauded this single station owner for investing in technology to keep my card safe and doing it before the deadline. So, I insert my card, the system processes the pre-payment authorization, and I remove my card, pump my gas like normal and continue the long drive home.
The next morning, I get my coffee, turn on the TV and grab my phone. What do I see? Fraud alerts! Someone had tried to use my card to pay for online gambling, but my card provider’s fraud solution caught it and blocked it. At this point, I had no idea how my card information had been stolen. But as I notified my provider that it wasn’t me gambling online at 3 AM, I realized the theft could’ve only occurred at one of three places. The card provider’s fraud team said they would start an investigation and overnight me a new card.
Playing detective
Having a bunch of smart payments and fraud industry colleagues, I figured I would pick their brains to see what they thought. Dan Coates, ACI’s solution evangelist for omni-commerce, and I had worked on a campaign to help fuel and convenience station merchants be fully aware of the EMV deadline and other things they should consider when they “have the hood open.” So, he seemed the best person to ask. I explained that of the three possible breach points, it could not have been the fuel merchant as they had implemented EMV and I had closely inspected the card reader without seeing evidence of a skimmer. This is where it got really interesting.
Dan explained that was not necessarily true.
A lesson in fuel fraud
While EMV protects the merchant from accepting cards duplicated by fraudsters, an EMV card does still have a magnetic stripe, and the payments data could have still been transmitted unencrypted. Dan continued to explain that fraudsters have gained access to better technology. Skimmers don’t have to be bolted onto the outside; they are now using paper-thin strips hidden inside the card slot that can capture the card number from the magnetic stripe. There are also shimmers that target the EMV chip. These shimmers sit between the chip on the card and the chip reader in the ATM or point-of-sale device, and record the data on the chip as it is read. They cannot replicate the chip, however, because it contains additional security components not found on the mag stripe.
Fraudsters could also gain access to the inside of the terminal and put a listening device on the wire. They can even use Bluetooth to retrieve information from skimming devices — meaning the only risk of exposure a fraudster has is when they install the device. Dan also went on to clarify that while the sensitive cardholder data is secure on the card, it needs to be transmitted to an acquirer for approval. If the pump reader does not utilize point-to-point encryption (P2PE), the card number and other sensitive information could still be intercepted. While this might be harder to set up, a single line tap could capture all the transactions at every pump without being detected!
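A merchant can check the P2PE point from the defensive side by scanning captured terminal-to-host messages or journal files for card data that is still readable. The sketch below is an added example, not code from ACI or from the original post; the message layout and field names (`TRK2`, `ENC`, `PUMP`) are hypothetical, and the card numbers are public test values.

```python
import re

# ISO/IEC 7813 Track 2 as read from a magnetic stripe: ;PAN=YYMM<service code><discretionary>?
TRACK2 = re.compile(r";(\d{12,19})=\d{4}\d{3}\d*\?")
BARE_PAN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Report the first six and last four digits only, never the full number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_cleartext_card_data(payload: bytes) -> list[tuple[str, str, int]]:
    """Return (kind, masked PAN, byte offset) for card data readable in payload."""
    text = payload.decode("latin-1")  # one byte per character keeps offsets exact
    findings = []
    for m in TRACK2.finditer(text):
        if luhn_ok(m.group(1)):
            findings.append(("track2", mask(m.group(1)), m.start()))
    # Blank out Track 2 spans so their digits are not reported a second time.
    rest = TRACK2.sub(lambda m: " " * len(m.group()), text)
    for m in BARE_PAN.finditer(rest):
        if luhn_ok(m.group()):
            findings.append(("pan", mask(m.group()), m.start()))
    return findings

# Constructed sample messages (hypothetical field names, public test card numbers).
SAMPLES = {
    "pump-04 cleartext": b"AUTH|PUMP=04|TRK2=;4111111111111111=30122010000000000?|AMT=4250",
    "pump-07 encrypted": b"AUTH|PUMP=07|ENC=9f3c1a7be0d45528c6a1f07d2b93e84a5cde01b7|AMT=3100",
    "journal line": b"2024-01-01 SALE PAN 5555555555554444 APPROVED",
}

def audit(samples: dict) -> dict:
    """Scan every named payload and collect its findings."""
    return {name: find_cleartext_card_data(p) for name, p in samples.items()}

if __name__ == "__main__":
    for name, hits in audit(SAMPLES).items():
        print(name, "->", hits or "no cleartext card data found")
```

A clean result only shows that no readable card data appeared in that payload; it does not prove the encryption is implemented correctly or that every path from the reader is covered.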
So, that certainly highlighted several issues for me, and more than reinforces why our fraud team is always banging the drum about having a multi-layered fraud solution. While I might not ever be 100% sure whether my card was compromised at the pump, it’s certainly evident that despite the importance and benefits of EMV, no merchant can afford to rely on this one measure alone. There are plenty more opportunities for fraudsters to deftly steal card details and funds.
That’s why fraud prevention is about covering as many points of exposure, with as many sophisticated tools as possible, from EMV and P2PE, to identity verification techniques and real-time fraud screening. These solutions are just as relevant (or more so) to fuel merchants as ever.