It is said that a chain is only as strong as its weakest link. In the convenience store business, the weak link in payment system security is the fuel dispenser.
Visa reported in mid-March that 90 percent of the U.S. merchants it classifies as Level 1 and Level 2 have validated their compliance with the Payment Card Industry Data Security Standard (PCI DSS) and 99 percent have stopped storing prohibited card data. It also appears that retailers are embracing the PCI Payment Application Data Security Standard, which is designed to insure that purchased applications, like POS software, are in compliance with the overall PCI DSS requirements.
But security at the pump remains non-existent except for a handful of industry-leading chains that understand the importance of payment security and protecting their customers from a breach at the pump. The vulnerabilities of fuel dispensers are well known, not only to the industry, but also to data criminals and organized crime.
Outside the pump, thieves place skimmers over the magnetic card reader slots to capture the track data resident on the back side of the credit or debit card and they place keypad overlays over the membrane keyboards and pinhole cameras in the canopy to steal consumer’s PINs. The inside of the fuel pump is a hacker’s paradise. In many pumps consumer’s PINs are sent in the clear without any form of data encryption over a ribbon cable before being encrypted inside the store. Full magnetic stripe track data from credit and debit cards is also sent over unencrypted on another ribbon cable. Criminals have figured out these vulnerabilities out and are manufacturing bugs and skimming devices designed to target specific fuel dispenser models to obtain the information needed to make duplicate credit cards and then drain people’s bank accounts.
VISA has mandated an upgrade from single DES encryption to Triple DES (TDES) encryption by July 1, 2010, to protect the integrity of the debit PINs across the entire global payments infrastructure. They have done this because they know, as does the cryptographic community, that DES encryption standard can be broken with the computing power now widely available. Many people incorrectly believe, or assume, that Visa’s TDES mandate of July 1, 2010 will eliminate the theft of consumer card data as described above. Nothing could be further from the truth.
Implementing TDES at all PIN entry locations, including fuel dispensers, is good. It is needed to protect the integrity of our debit system. But it does virtually nothing to protect your customers from having their card data stolen by criminals and having to deal with the after effects. Card skimmers, keypad overlays and pinhole cameras outside the pump allow data criminals to get vital cardholder information, even with solutions that support TDES. Inside the pump those easily accessible and usually well labeled ribbon cables are still readily available to criminals who want to install bugs to capture card track data and the personal account number information needed to manufacture duplicate fraudulent cards.
Retailers looking to protect their customers from this potential problem, and to protect their brand from the impact of a data breach, need to look beyond the TDES upgrade requirement and consider installing a truly secure system in their fuel dispensers. A fuel dispenser payment solution that has a raised keypad that prevents keypad overlays from capturing PINs as they are entered and a privacy screen to prevent overhead pinhole cameras from recording consumer PINs as they enter their information. Retailers need a payment solution where the magnetic card reader slot does not look like an add-on to the pump, but is part of the integrated payment device so consumers can easily tell if a foreign object such as a credit card skimmer has been installed over the card reader slot. A truly secure fuel dispenser payment solution will enclose all of the payment system components to hide and protect the data as it is transmitted across the ribbon cables or wires and will also encrypt the information between the components. And finally, a truly secure fuel dispenser payment system should be able to preventing tampering and should detect tampering if it were to occur.
There is more to securing cardholder information than just meeting the PCI requirements or installing a new payment device. All good security systems should have multiple layers of security built in; should be designed to prevent an intrusion or breach; should detect an intrusion or breach if it were to occur and finally take action to any intrusion or breach once it has occurred. Fuel retailers should adopt Fuel Dispenser Payment Security Best Practices designed to provide these additional layers of security prevention and detection. (The complete Fuel Dispenser Payment Security Best Practices can be found at www.verifone.com/pumpbestpractices.)
These Fuel Dispenser Payment Security Best Practices form a sound security management system to minimize fraud through education, routine inspection, vendor management and prompt action. The Best Practices are organized into the three categories:
1. Administrative activities include employee education on data security and techniques used by criminals to attack pumps, checking the identity of anyone working on a pump and reviewing service logs.
2. Physical activities include the physical inspection of payment system components on a periodic basis to visually identify signs of tampering. These also include making sure the store windows are not blocked with signs or merchandise to allow cashiers to have a clear view of all pumps to spot potential tampering attempts, as well as installing mirrors or cameras to provide unobstructed views of remote fuel dispensers.
3. Technical activities cover vendor and service management activities including authorization, identification and logging of service technician activities to insure only authorized technicians work on your fuel dispensers, and only when they have been authorized by a supervisor, store manager or company executive.
The weak link in your security chain is the fuel dispenser. Retailers wishing to protect their customers from fraud and protect their brand from a data breach need to look beyond the TDES mandate that only requires encrypting PINs for debit transactions and install a truly secure payment device in their fuel pumps. Anything less than a completely secure solution is a sort-lived measure that misses its objective. As you evaluate the secure payment options for your store, you should immediately begin to adopt and enforce some version of Fuel Dispenser Payment Security Best Practices. Whether you upgrade the payment device in your fuel dispensers today or delay until next year, the Fuel Dispenser Payment Security Best Practices will help you protect your consumers and your business.
Jeff Wakefield is vice president of marketing for VeriFone and serves as one of his company’s representatives to the PCI SSC Board of Advisors.