ALEXANDRIA, Va. - A number of news reports over the past month have focused on the topic of credit card skimming. NACS payments consultant Gray Taylor separates fact from fiction, and provide tips for what retailers and consumers can do to minimize the likelihood they are a target.
Skimming is any attempt to acquire the data from a credit or debit card transaction. At its simplest, it is stealing credit card receipts. Today, it often involves placing a small electronic device over a terminal that the criminal later takes back to download card data. In all cases, the thieves need to open your dispenser to place the skimming device(s).
The incidence of skimming at the fuel island is over-exaggerated, as industry data points to retail environments where the consumer gives up possession of the card as the biggest source of skimming. In fact, according to the 2009 Verizon Business Data Breach Investigations Report, the real risk to consumers isnï¿½ï¿½t retail at all; 93 percent of compromised accounts occurred at breaches within financial institutions. The simple fact is that criminals go "where the money is," and complicated, site-based hacks of retailers is a high-risk, low-yield proposition.
The recommendation that consumers not use their PINs when paying is erroneous at best, and could increase consumer risk of compromise, overdrafts and increases retail prices.
Industry data shows that card transactions without PINs have a six times greater chance of being compromised - which is why PIN usage is the de facto standard for world payments. Consumers who choose not to use a PIN are also at risk for overdraft fees that occur when their bank does not remove debit holds from their account in a timely fashion. Signature-based transactions are processed on the antiquated Visa and MasterCard systems that do not process in real-time, versus the instant operation of PIN debit. Not using PIN also increases the cost of the transactions, which is passed back to the consumer. The Federal Reserve Bank of Kansas City documented that a $50 transaction processed with a PIN cost the retailer 49 cents, while the same transaction processed without a PIN cost the retailer 68 cents - a cost difference of 19 cents.
The assertion that "a lot of gas pumps use older technologies, so PIN codes are not encrypted" is totally unsupported by the facts. With the introduction of master session encryption technology in the early 1990s, fuel dispensers have been required by Visa and electronic funds transfer networks to encrypt PINS or not accept PIN debit. In fact, every one of the estimated 6 million fuel dispenser terminals installed today accepting PIN debit encrypts PIN numbers - as has been the case for the past 15 years. The convenience and petroleum retail segment has invested more than $5 billion in payment systems and technology to provide a safe, fast and accurate card payment experience for consumers.
Unless you are a trained dispenser technician, you probably canï¿½ï¿½t tell. We recommend serial-numbered security strips and periodic inspections of them. The idea is to know if the dispenser has been accessed - if a strip is broken, then shut down the dispenser and call in a tech to inspect the pump.
Here are three simple steps:
- Use serialized security strips over all access doors you wish to protect.
- Re-key the locks on dispenser doors that have access to electronic payment data.
- Consider investing in anti-breach kits for dispensers. Manufacturers now offer anti-breach kits, which generally notify and shut down dispensers that are accessed without proper security code entry. This can be expensive, but is the ultimate line of defense.
- Stop the bleeding. Take the dispenser offline to discontinue any more transactions.
- Have a tech identify the device, but do not remove or touch it. If there is no device, get it in writing from the tech and restart the dispenser.
- Call the police to inspect. Remember, this is a crime scene and the perpetrators are probably doing the same thing to other retailers in the general area. Also, the Secret Service and FBI are frequently involved in large cases; let the police handle this. After the investigation, ask for a dated police report.
- You donï¿½ï¿½t know if any of the cards used at the dispenser have been compromised, so donï¿½ï¿½t assume that they have been.
- Use payment terminals and ATMs at established retail or banking locations, where access to the device is controlled by on-site personnel.
- Use a PIN whenever you can; it reduces your risk of compromise six-fold and leads to lower retail prices.
- Place reasonable limits on the daily or weekly withdrawals from ATMs.
Even the latest chip and PIN technology currently being installed outside of the United States has proven to be vulnerable to attack. The latest reports of skimming and the recent news of hundreds of company systems being hacked is irrefutable evidence that the United States needs to have a national conversation about payment, identity and access security, and how this country can lead the world to the next generation of data security, instead of following it.