
Skimming and Payments Security

Approximately 39 million Americans fill up every day, and fuel dispensers have become one of many targets for thieves looking to steal credit and debit card information by "skimming," an aggressive tactic used to illegally obtain consumer card data for fraudulent purposes. Skimming occurs when a third-party card-reading device is installed either outside or inside a fuel dispenser, which allows a thief to capture a customer’s credit and debit card information to create counterfeit cards.

Skimming is one type of cardholder data theft and is different from a data breach, which is the physical theft of documents or equipment containing cardholder account data (cardholder receipts, files, PCs, POS terminals), or unauthorized access to or deliberate attacks on a system or network environment where cardholder data is processed, stored or transmitted.

Since 2008, NACS and Conexxus have offered convenience and fuel retailers the resources and tools they need to proactively initiate and maintain effective payment security procedures that help reduce the occurrence of skimming.

See how NACS can help protect your business against skimming.

WeCare Decals, available through the NACS WeCare Program, are tamper-evident labels that help retailers identify potential security breaches when a device is opened by an unauthorized person and skimming devices are inserted at fuel dispensers or other unattended PIN-entry devices.

The SkimDefend app, powered by Pinnacle Corporation, is to be used in coordination with NACS’ WeCare Tamper-Evident Decals to reduce the risk of skimming at fuel dispensers. The app scans and logs the unique characteristic of each WeCare decal and locally stores the site, time, pump number and decal ID. Retailers can then use this digitally stored information to track any and all pump (CRIND) intrusions and proactively combat skimming efforts, to maintain forensic evidence for authorities in the event a skimmer is eventually discovered, and to help comply with PCI 3.1 guidelines.

 
 

 About

 

Skimming: What You Need to Know
NACS and Conexxus offer context and tips to mitigate the risk of skimming.


Where Skimming Occurs
Skimming can occur at the point of sale or when a card leaves someone’s sight for a brief period of time. Fuel dispensers are among the potential targets for skimming. In these cases, a third-party card-reading device is installed either outside or inside a fuel dispenser, which allows a thief to capture a customer’s credit and debit card information.

There are three types of payment points most associated with skimming:

  • Fuel dispensers: Convenience stores sell 80% of the gas purchased in the United States, and there are approximately 128,000 convenience stores that sell fuel. The U.S. convenience store industry has 765,000 fuel dispensers (customers can fill up on each side of a dispenser) and approximately 1.45 million dispenser payment points.
  • Restaurants and bars: An unscrupulous server can swipe a customer’s card in a skimmer in addition to swiping the card legally when taking payment. There are an estimated 600,000 restaurants in the United States.
  • ATMs: Skimming devices can be attached to ATMs to gather card information. There are about 425,000 ATMs in the United States, and an estimated 150,000 at convenience stores. ATMs located outdoors and outside of a bank are potentially more vulnerable.

In total, these three areas add up to roughly 2.5 million locations where skimming could be a concern.

 
 

 Resources

 

To reduce the likelihood of skimming, a number of resources have been developed and shared among the retail community and with law enforcement at the federal, state and local level. In instances where law enforcement can determine the start of a skimming attack, detection times have shifted from months and weeks to days or even hours, according to the 2015 Verizon Business Data Breach Investigations Report.

Here are resources to help retailers protect their operations against skimming:

WeCare
Developed by NACS and Conexxus, the WeCare Data Security Program (PDF) provides simple guidelines and best practices designed to reduce the risk of card breaches at convenience store operations.

The goals of the program are clear: define a risk reduction program for small operators that is easy to implement and achieves a base level of data security without incurring significant costs.

WeCare Decals available through the WeCare Program are tamper-evident labels that help retailers identify potential security breaches when a device is opened by an unauthorized person and skimming devices are inserted at fuel dispensers or other unattended PIN-entry devices.

If the label is lifted to insert a skimming device, a "void" message appears on the label, providing a visual alert to customers and store employees that the dispenser or PIN-entry device has been tampered with and action is necessary. The labels help assure customers that the retailer is taking steps to protect their data and discourage criminals from targeting the store.


Webinars
Defending the Island: A Guide to Reducing the Risk of Skimming - Dec 17, 2015 (YouTube)

Conexxus
Conexxus offers a secure database that helps retailers report suspected and identified skimming incidents at their stores. Retailer input is kept anonymous, and no IP tracking or user information is collected or stored. Access to the database is open only to retail companies through the Conexxus website. For access to the database or a demonstration, email security@conexxus.org and a Conexxus representative will contact you.

Remember: The easiest tactic to prevent skimming is a simple one. Walk around the fuel island each day and check the integrity of the dispensers, making sure nothing looks out of the ordinary or as if it’s been tampered with. Although no single solution can completely prevent skimming attacks, careful procedures can significantly reduce the risk.

Protecting Payment Card Data at Your Dispensers
Developed by the Conexxus Data Security Committee, this guide (PDF) is intended to provide informed suggestions to fuel retailers on how to enhance the payment card security of unattended payment terminals at fuel dispensers.


ATM Security
ATMs are vulnerable to skimming. A recent NCR Security Update (PDF) outlines the evolution of skimming attacks on ATMs, including photographs of third-party skimming devices used by thieves at ATM terminals.

 

NACS Magazine
Secure Your Pumps
Law enforcement (and the public) increasingly expect retailers to be proactive in combating skimming at the pump. (May 2016)

 
 

 Guides

 

Fuel dispensers are one of many targets for sophisticated and aggressive thieves attempting to steal customers’ credit and debit card information.

The NACS/Conexxus WeCare Data Security Program includes guidance documents and best practices to address several types of threats, educational resources and webinars tailored to meet the needs of retailers. NACS and Conexxus encourage retailers to develop their own security plan to help prevent this type of theft. No single solution will completely prevent attacks, but careful procedures can significantly reduce the opportunity.

The following are suggestions for convenience and fuel operators to enhance the payment card security of unattended payment terminals at fuel dispensers:

  • Monitor dispensers for high levels of bad card reads or problems accepting cards.
  • Create a reference sheet for employees that outlines what they should look for and post it by the point of sale, such as:
    • Be aware of suspicious-looking vehicles parked on the forecourt for a long period of time, especially at a fueling position.
    • Be aware of “technicians” who show up to perform unscheduled work on dispensers.
    • Investigate all offline messages at the POS.
  • Train store personnel to perform daily site-level dispenser security checks:
    • Use serial-numbered access security strips to aid store personnel in visual inspection and to assist in the detection of tampering at the dispenser. Log all serial number deviations, and disable pumps that have unexplained access security strip deviations until they can be inspected. (NACS has serialized access stickers available under the WeCare Program.)
    • Inspect dispensers daily, examining locks and panels for tampering (scratching, cuts).
    • Have a qualified service provider periodically inspect the interior of the dispenser payment terminal for evidence of tampering or skimming.
  • Stay current on security standards, as well as fraud and theft vulnerabilities within the convenience and fuel retailing industry.
  • Work with an equipment service provider to create acceptable standards for technician visits and identification. Train store personnel to ask for identification and confirm scheduled work before any work is done on dispensers.
  • Make sure store personnel maintain an unobstructed line of sight to dispensers so they can observe suspicious activity on the forecourt.
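
The serial-number logging step above can be automated as a daily audit. The following is an added example, not code from NACS, Conexxus or the SkimDefend app; the record fields, the `audit` function, the sample serials and the choice to treat a visible "void" message as a deviation that disables the pump are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Inspection:
    pump: int
    decal_id: str     # serial read from the access security strip
    void_shown: bool  # True when the label displays its "void" message

def audit(baseline, inspections, service_log):
    """Compare one day's decal checks with the recorded baseline.

    baseline:    {pump: expected decal serial}
    service_log: {pump: serial applied during a confirmed, scheduled visit}
    Returns (findings, pumps_to_disable, updated_baseline).
    """
    updated = dict(baseline)
    findings, disable, seen = [], set(), set()
    for ins in inspections:
        seen.add(ins.pump)
        expected = baseline.get(ins.pump)
        if ins.void_shown:
            findings.append((ins.pump, "void message visible"))
            disable.add(ins.pump)
        elif ins.decal_id == expected:
            continue
        elif service_log.get(ins.pump) == ins.decal_id:
            # Deviation explained by a logged visit: accept the new serial.
            findings.append((ins.pump, "serial replaced during logged service"))
            updated[ins.pump] = ins.decal_id
        else:
            findings.append((ins.pump, f"unexplained serial: expected {expected}, found {ins.decal_id}"))
            disable.add(ins.pump)
    # A pump with no check today is flagged so the daily walk-around is not skipped.
    for pump in sorted(set(baseline) - seen):
        findings.append((pump, "no inspection logged"))
    return findings, sorted(disable), updated

# Constructed sample data (not real decal serials).
BASELINE = {1: "WC-0001", 2: "WC-0002", 3: "WC-0003", 4: "WC-0004", 5: "WC-0005"}
SERVICE_LOG = {2: "WC-0102"}
TODAY = [
    Inspection(1, "WC-0001", False),
    Inspection(2, "WC-0102", False),  # replaced by technician, logged
    Inspection(3, "WC-0777", False),  # different serial, no service record
    Inspection(4, "WC-0004", True),   # correct serial but label lifted
]

if __name__ == "__main__":
    findings, disable, _ = audit(BASELINE, TODAY, SERVICE_LOG)
    for pump, note in findings:
        print(f"pump {pump}: {note}")
    print("disable until inspected:", disable)
```
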

Other pump security investments include:

  • Consider replacing common dispenser payment terminal door locks with ones that are unique to your location.
  • Consider upgrading the dispenser’s flat membrane keypads to PCI-compliant Encrypting PIN Pads (EPPs) with full travel numeric keys that make it difficult to add a fake keypad overlay.
  • Consider adding card readers that provide increased physical protection and encrypt payment card magnetic stripe data.
  • Consider installing dispenser access security kit upgrades for high-risk locations (i.e., close to interstates, high-volume sites).
  • Consider using video surveillance equipment to discourage unauthorized access to dispensers; monitoring equipment should be obvious, and signs should be posted stating that monitoring is in use.
  • Maintain proper lighting at the forecourt and fuel canopies.
  • Work with equipment providers to create an acceptable baseline for each store location and determine a dispenser upgrade strategy that considers risks, mandates and business needs.

(Disclaimer: The information above was created with the assistance of Wayne Fueling Systems, Gilbarco Veeder-Root, NACS and concerned Conexxus retail members. This guide information is intended to provide informed suggestions to the petroleum retailer on how to enhance the payment card security of unattended payment terminals at fuel dispensers. NACS, Conexxus and participating vendors and retailers make no warranty, express or implied, nor do they assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process described in these materials.)

 

 Contact us

 

NACS and its technology partner, Conexxus, work in tandem to provide the media and convenience and fuel retailers with necessary information about skimming and payments security.

For media and general inquiries, contact:

Jeff Lenard
Vice President, Strategic Industry Initiatives
NACS
(703) 518-4272
jlenard@nacsonline.com

 For convenience and fuel retailing industry inquiries, contact:

Gray Taylor
Executive Director
Conexxus
(703) 518-7961
gtaylor@conexxus.org

 

Conexxus members collaborate on current and future industry challenges and innovations. Through its Data Security Working Group, the organization identifies best practices and resources to help convenience and fuel retailers protect their operations against data security threats. For more information about Conexxus, its members and initiatives, e-mail info@conexxus.org.