Gas stations and convenience stores continue to be victimized by skimming devices, which keep popping up all over the nation. All too often, a lack of solid policies and procedures allows the breaches to occur. Understanding the risks can help you deter breaches.

How Skimmers Work

There are two kinds of skimmers: external and internal. External skimmers can be quickly installed by criminals who don’t need to gain access to the inside of a dispenser. The most common version of an external skimmer is a keypad overlay that aligns with the buttons of the real keypad below it and records PINs as they are entered.

Internal skimmers are attached inside a fuel dispenser. They are portable magstripe readers which are inserted into gas pumps after the security tape has been cut or the lock systems on the pumps have been circumvented. They are more difficult to install and more difficult to notice, but are the ones making the news lately.

Skimmers gather personal information during the transaction process, which criminals then use to create their own cards and access money from victims’ accounts. The U.S. Secret Service has indicated that a skimmer installed in a busy gas pump can acquire 40 to 50 cards in a couple of hours. To prevent skimmers from being installed, retailers use either security tape or proprietary lock systems. Lock systems are more expensive, but much more effective.

The State of Skimming Prevention

Conversations with retailers—and our store checks—indicate many operators need to take stronger precautions to protect themselves and their customers. In some cases, no security measures are being taken to ensure that skimmers are not making their way into the pumps. Retailers can be more vigilant, especially with security tape. We advise retailers to develop and deploy consistent practices to inspect pumps to identify tampering or breaches. Retailers who do have inspection procedures in place need to verify that those inspections are being completed. Sometimes breaches occur because the inspection procedures are not being carried out routinely.

Help is on the Way…slowly but surely

EMV should help rein in the losses from skimmers. Yet EMV at the pump is almost two full years away. More importantly, the US is using chip and signature, not chip and PIN. EMV cards issued in the US still have magstripes, which can still be read by a skimmer device.

Retailers will continue to be on the hook for fraud, and the amount of liability will depend upon agreements between retailers, processors, PCI compliance and eventually EMV compliance.

In addition, as we learned from Target and many other retailers, security breaches are very high profile and can result in a significant loss of customers. Retailers need to make sure that they are PCI compliant and that pump security procedures are consistent and effective.

While there is no way to absolutely eliminate the possibility of a breach, the likelihood can be reduced if retailers are diligent about putting the right measures in place.