Skim This! | NACS Online – Magazine – Past Issues – 2009 – November 2009
The Association for Convenience & Fuel Retailing

Skim This!

By Tim Weston

"Our technicians have been finding one to two of these devices every week," said Ideco-NV president Robert Wallace, referring to a small circuit board his technicians have been pulling out of gas pumps recently. The devices are used to steal credit and debit card data in a process called "skimming."

According to Wallace, whose company services fuel dispensers in Las Vegas, Nevada, the problem is becoming increasingly costly for everyone. One thief pulled account data from a single card at a Las Vegas convenience store and withdrew more than $20,000 from a casino less than two hours later. By the time the breach was detected, the suspect was long gone.

Skimming Basics
These days, the bad guys have become sophisticated in their methods of retail data theft. The good news is that fuel dispenser companies now offer security solutions that can prevent access to the inside of the cabinet and deter data compromise.

Skimming is a catch-all term for a range of ploys designed to defraud credit and debit card users. Numerous techniques abound, but the method referenced by Wallace is particularly worrisome for convenience store owners in Nevada, Florida, California and Texas, where a high volume of interstate traffic circulates through a concentrated group of stores.

Thieves compromise fuel dispensers by opening the unit and inserting a memory device between the customer interface and the payment system. The device looks like an open circuit board, two inches square, with ports that connect to the card reader and PIN pad.

Once the card information has been intercepted, it’s transmitted wirelessly to a personal computer and then either transferred onto a blank credit card or stored in bulk. That fully functioning credit or debit card can then be used for making purchases or withdrawing money from a linked account, as seen in the Las Vegas case.

Once the skimming device is inserted into the pump, it can be weeks or months before it is detected. During that time, every transaction is recorded and stored for criminal use. Dispensers can easily service more than 100 customers each day, so even after a week’s time this adds up to a huge amount of stolen data.

First Line of Defense
Faced with these kinds of data threats, it is more important than ever for fuel retailers to secure their operations.

Contemporary dispensers include a host of features aimed at deterring card fraud that are often not found in older equipment — restricting access to the main cabinet, for example, where thieves might insert a skimming device. On more advanced models, tamper-resistant screw fasteners and separate access doors for routine maintenance can also reduce the need to open the main cabinet. Newer dispensers also feature access keys customized for each retail outlet — although some retailers with older dispensers are retrofitting units with lock sets obtained directly from manufacturers.

Skimmers typically look for easy targets, so many dispensers make access highly visible. "Refrigerator-style" cabinet doors make it obvious when a dispenser is being accessed. Bezel locking kits and built-in keypad privacy shields and surface angles minimize opportunity for criminal surveillance cameras.

Internally, clean cable wiring makes it easier for technicians and operators to discover foreign objects. A few dispensers come with sensors that alert store personnel if a cabinet is opened. A loud alarm sounds, disables the dispenser and sends an instant message to alert the POS that the affected dispenser has been taken off-line.

Securing Data
Another line of defense against card fraud is securing credit and debit card data. With the problem growing across multiple retail segments, the Payment Card Industry (PCI) has stepped in with a series of regulations designed to protect consumers, retailers and the bottom line. Right now, PCI security mandates are "one size fits all," and so specific procedures related to securing card operations of dispenser payment terminals are omitted — but retailers should realize that a breach is still a breach and dispensers are not out of scope!

To remain fully compliant, retailers must upgrade their payment systems to new PCI standards by July 2010 to protect consumer data security for PIN-based debit cards. Complementary to PCI’s security requirements for POS applications, the new PCI Encrypting PIN Pad (EPP) standards require dispensers to use Triple Data Encryption Standard (TDES) to secure PIN information, as well as tamper-resistant keypads, or existing Single Data Encryption Standard PIN pads with Derived Unique Key per Transaction (DUKPT) — for the time being. Any retailer still supporting Master/Session PIN pads will be out of compliance next July.

These features can be found on higher-end new dispensers. Often, TDES upgrade kits from the manufacturer bring dispensers up to date with the latest card security technology, complying with Version 2.0 of the PCI EPP security requirements. Kits integrate seamlessly into installed units and can be upgraded to accommodate future requirements.

What’s Next in Card Security
The next frontier in card security is establishing an interoperable encryption standard that secures card data from the moment it enters the payment system all the way to the credit card company. Many in the petroleum retailing industry are actively working with payment processors, merchants, standards organizations and card associations to facilitate the adoption of such a standard.

Back in Las Vegas, Wallace expects thieves to continue finding ways to compromise the system. The "safe money" — as they say in Vegas — is to use the right mix of vigilance by store employees and aggressive tools to safeguard operations, giving retail owners the best odds.

Tim Weston is product manager for Payment Technologies, Dresser Wayne. He can be reached at tim.weston@dresser.com.