Earlier this year, cybercrime groups conducted targeted attacks on point-of-sale systems at gas stations in North America, according to a recent report issued by Visa.
The report reveals that Visa Payment Fraud Detection (PFD) identified and analyzed three distinct cases of fraud among different merchants in summer 2019. Fuel merchants are an increasingly attractive target for cybercrime groups and have seen an increase in these attacks, Visa says, due to their lack of secure payment technologies like EMV Chip, contactless and tokenized payments.
Instead, these merchants’ point-of-sale systems rely on magnetic stripe transactions, in which you swipe your credit card to make a purchase, and those transactions are what these attacks targeted.
Visa pointed out in the statement that this method of compromise is not the same as traditional skimming fraud methods, which are often detectable by sight or touch and now even by mobile app. Instead, it targets the merchant’s internal network and is more technically advanced.
While Visa did not identify the compromised merchants, you should evaluate your credit card statements, and continue to do so regularly, to ensure your information is safe and no fraudulent transactions have occurred.
More secure payments at fuel pumps
“Fuel dispenser merchants should take note of this activity and deploy devices that support chip wherever possible, as this will significantly lower the likelihood of these attacks,” Visa says.
Consumers won’t have to wait long for widespread adoption of more secure devices; in October 2020, liability for instances of fraud at gas pumps will shift to fuel merchants. After that liability shift, any fuel merchants that have not installed EMV-enabled card readers will be liable for any cases of fraud that customers experience. EMV Chip and contactless cards, as well as mobile wallets like Apple Pay, are among the most secure payment methods available for consumers.
But there are ways you can protect yourself at the pump today. When paying with a card, always choose a credit card over your debit card. “Using a credit card at a gas pump is much safer than a debit card, because if a debit card is hacked, it provides direct access to your checking account,” says Ted Rossman, industry analyst at Bankrate. “You’ll get the money back as long as you report the theft promptly, but it could take two to four weeks. You’re not liable for credit card fraud either, but in that case, it’s not ‘real’ money. It’s just a line of credit, which is much easier to restore.”
Make sure you’re using a card with an EMV Chip or contactless technology, and always choose to dip or tap your card when the option is available. Many fuel merchants, like ExxonMobil, Shell and BP, have even started offering payment through mobile apps. These mobile payment platforms not only increase security through your phone’s biometric data, but often offer additional savings as well.
If you’re at a fuel station that only allows you to swipe your card for payment, consider going inside to pay with cash. You can also take your credit card inside to see if the merchant has a more secure point-of-sale system at the counter and pay with your card there, so you don’t forfeit any fuel points and rewards.
And while these attacks used different measures, skimming is still a prevalent fraud method at gas stations. Be attentive when you pull up to the pump. “Look for signs that the payment terminal has been tampered with — for instance, if the card slot wobbles or your card doesn’t seem to fit correctly,” Rossman says.