The rash of credit card fraud cases connected to skimmers on area gas pumps appears to be part of an international scam, according to the National Association of Convenience Stores (NACS) and the Alachua County Sheriff’s Office (ACSO). Federal investigators said the scam is widespread in Florida — primarily along interstates — and has been found in other states. Florida has become a prime target for credit card skimmers at gas stations this summer in large part because of its ranking as third behind California and Texas in the number of convenience stores, according to the nation’s largest convenience store trade organization. The Sunshine State is home to 9,223 convenience stores, and 7,280 of those stores — or almost 79 percent — have gas pumps, according to NACS, which represents 49 of the 50 top convenience store chains in the nation. An ACSO spokesman said one pattern investigators have noticed is that the card numbers are not used in the same area where they were stolen. Investigators in St. Johns County had documented about 200 victims so far this year, with most reporting card thefts during the summer months. The spokesman said he expects at least 200 victims to be identified in Alachua County this year.
NACS payments consultant Gray Taylor separates fact from fiction, and provide tips for what retailers and consumers can do to minimize the likelihood they are a target.
What is skimming?
Skimming is any attempt to acquire the data from a credit or debit card transaction. At its simplest, it is stealing credit card receipts. Today, it often involves placing a small electronic device over a terminal that the criminal later takes back to download card data. In all cases, the thieves need to open your dispenser to place the skimming device(s).
Is skimming a particular problem at convenience stores/gas stations?
The incidence of skimming at the fuel island is over-exaggerated, as industry data points to retail environments where the consumer gives up possession of the card as the biggest source of skimming. In fact, according to the 2009 Verizon Business Data Breach Investigations Report, the real risk to consumers isn’t retail at all; 93 percent of compromised accounts occurred at breaches within financial institutions. The simple fact is that criminals go “where the money is,” and complicated, site-based hacks of retailers is a high-risk, low-yield proposition.
Consumer Reports magazine and other publications have suggested that customers use signature debit, instead of PIN, to minimize the risk. Is this good advice?
The recommendation that consumers not use their PINs when paying is erroneous at best, and could increase consumer risk of compromise, overdrafts and increases retail prices.
Industry data shows that card transactions without PINs have a six times greater chance of being compromised – which is why PIN usage is the de facto standard for world payments. Consumers who choose not to use a PIN are also at risk for overdraft fees that occur when their bank does not remove debit holds from their account in a timely fashion. Signature-based transactions are processed on the antiquated Visa and MasterCard systems that do not process in real-time, versus the instant operation of PIN debit. Not using PIN also increases the cost of the transactions, which is passed back to the consumer. The Federal Reserve Bank of Kansas City documented that a $50 transaction processed with a PIN cost the retailer 49 cents, while the same transaction processed without a PIN cost the retailer 68 cents – a cost difference of 19 cents.
The assertion that “a lot of gas pumps use older technologies, so PIN codes are not encrypted” is totally unsupported by the facts. With the introduction of master session encryption technology in the early 1990s, fuel dispensers have been required by Visa and electronic funds transfer networks to encrypt PINS or not accept PIN debit. In fact, every one of the estimated 6 million fuel dispenser terminals installed today accepting PIN debit encrypts PIN numbers – as has been the case for the past 15 years. The convenience and petroleum retail segment has invested more than $5 billion in payment systems and technology to provide a safe, fast and accurate card payment experience for consumers.
How can a retailer check if terminals are being skimmed?
Unless you are a trained dispenser technician, you probably can’t tell. We recommend serial-numbered security strips and periodic inspections of them. The idea is to know if the dispenser has been accessed – if a strip is broken, then shut down the dispenser and call in a tech to inspect the pump.
How can retailers minimize the risk of being skimmed?
Here are three simple steps:
Use serialized security strips over all access doors you wish to protect.
Re-key the locks on dispenser doors that have access to electronic payment data.
Consider investing in anti-breach kits for dispensers. Manufacturers now offer anti-breach kits, which generally notify and shut down dispensers that are accessed without proper security code entry. This can be expensive, but is the ultimate line of defense.
What should a retailer do if there is an incident?
Stop the bleeding. Take the dispenser offline to discontinue any more transactions.
Have a tech identify the device, but do not remove or touch it. If there is no device, get it in writing from the tech and restart the dispenser.
Call the police to inspect. Remember, this is a crime scene and the perpetrators are probably doing the same thing to other retailers in the general area. Also, the Secret Service and FBI are frequently involved in large cases; let the police handle this. After the investigation, ask for a dated police report.
You don’t know if any of the cards used at the dispenser have been compromised, so don’t assume that they have been.
Do you have advice for consumers?
Use payment terminals and ATMs at established retail or banking locations, where access to the device is controlled by on-site personnel.
Use a PIN whenever you can; it reduces your risk of compromise six-fold and leads to lower retail prices.
Place reasonable limits on the daily or weekly withdrawals from ATMs.
Even the latest chip and PIN technology currently being installed outside of the United States has proven to be vulnerable to attack. The latest reports of skimming and the recent news of hundreds of company systems being hacked is irrefutable evidence that the United States needs to have a national conversation about payment, identity and access security, and how this country can lead the world to the next generation of data security, instead of following it.
Security Magazine on the Web has more on organized retail crime at www.securitymagazine.com