Rise in Skimming Activity Highlights the Need for EMV
Although accurate statistics on credit card skimming aren’t readily available, it appears that we are seeing a rise in skimming attacks at retail petroleum sites in the U.S. based on the growing number of news reports on the topic. Most recently, a CSP article in October covered the swift reaction of Casey’s General Stores to the discovery of skimmers at six stores in Nebraska. The Wall Street Journal also published an article in September titled “Credit Card Fraudsters Pump Gas Stations for Profit” that highlighted how such attacks could continue increasing ahead of the EMV liability shift for fuel dispensers in October of 2017.
Credit card skimmers are devices used by fraudsters to illegally collect credit card data that can be used to make fraudulent cards. Skimmers come in a variety forms and can be very difficult to spot. On fuel dispensers, skimmers have found both on the outside and inside of the pump. External skimmers are generally overlays that look just like the face of the PIN pad or card reader, and capture the cardholder’s data as it’s entered. Small hidden cameras have even been used to capture customers’ PIN numbers. Internal skimmers are attached to data lines inside the dispenser and capture card data as its transmitted electronically.
Dispenser technologies have improved greatly over the years to overcome many types of skimming devices, but the adoption of EMV in the U.S. will go a long way to eliminate this type of threat by removing the benefits of skimming to fraudsters. Even though the majority of EMV chip cards being issued in the U.S. still have a magnetic stripe that can be skimmed, a fraudulent credit card made from that stolen mag-stripe data cannot be used successfully at an EMV-enabled terminal. Fraudsters are well aware of this, and will continue to focus their schemes on sites that have not upgraded for EMV.
There are several resources available to help petroleum operators learn how to protect against skimming attacks and how to respond if a skimmer is found on their site.
- NACS WeCare Data Security Program
- PCI Convenience Store Employee Data Security Manual
- Gilbarco Guide – “Combat Skimming at the Fuel Dispenser”