02 Dec 16

Visa Delays Chip Deadline for Pumps To 2020

Visa this week delayed by three years a deadline for fuel station owners to install payment terminals at the pump that are capable of handling more secure chip-based cards. Experts say the new deadline — extended from 2017 — comes amid a huge spike in fuel pump skimming, and means fraudsters will have another three years to fleece banks and their customers by installing card-skimming devices at the pump.

Until this week, fuel station owners in the United States had until October 1, 2017 to install chip-capable readers at their pumps. Under previous Visa rules, station owners that didn’t have chip-ready readers in place by then would have been on the hook to absorb 100 percent of the costs of fraud associated with transactions in which the customer presented a chip-based card yet was not asked or able to dip the chip (currently, card-issuing banks eat most of the fraud costs from fuel skimming). The chip card technology standard, also known as EMV (short for Europay, MasterCard and Visa) makes credit and debit cards far more expensive and difficult for thieves to clone.

This week, however, Visa said fuel station owners would have until October 1, 2020 to meet the liability shift deadline.

A Bluetooth-based pump card skimmer found inside of a Food N Things pump in Arizona in April 2016.

“The fuel segment has its own unique challenges, which we recognized when we first set the chip activation date for automated fuel dispensers/pumps (AFDs) two years after regular in-store locations,” Visa said in a statement explaining its decision. “We knew that the AFD segment would need more time to upgrade to chip because of the complicated infrastructure and specialized technology required for fuel pumps. For instance, in some cases, older pumps may need to be replaced before adding chip readers, requiring specialized vendors and breaking into concrete. Furthermore, five years after announcing our liability shift, there are still issues with a sufficient supply of regulatory-compliant EMV hardware and software to enable most upgrades by 2017.”

Visa said fuel pump skimming accounts for just 1.3 percent of total U.S. payment card fraud.

“During this interim period, Visa will monitor AFD fraud trends closely and work with merchants, acquirers and issuers to help mitigate any potential counterfeit fraud exposure at AFDs,” Visa said.

Avivah Litan, a fraud analyst with Gartner Inc., said the deadline shift wasn’t unexpected given how many U.S. fuel stations are behind on costly updates, noting that in some cases it can cost more than $10,000 per pump to accommodate chip card readers. The National Association of Convenience Stores estimates that station operators will spend approximately $30,000 per store to accommodate chip readers, and that the total cost to the fuel industry could exceed $4 billion.

“Some of them you can just replace the payment module inside the pump, but the older pumps will need to be completely removed and replaced,” Litan said. “Gas stations and their unattended pumps have always been an easy target for thieves. The fraud usually migrates to the point of least resistance, and we’re seeing now the fraudsters really moving to targeting unattended stations that haven’t been upgraded.”

The delay comes as some states — particularly in the southern United States — are grappling with major increases in fuel station skimming attacks. In September, KrebsOnSecurity published a detailed look at nine months’ worth of fuel pump skimming incident reports filed by police and regulators in Arizona, which said it saw more fuel station skimming attacks in the month of August 2016 than in all of 2015 combined.

That report about Arizona’s skimmer scourge found that thieves tend to target pumps that are furthest from the pump station and closest to the street. They also favored stations that did not employ basic security measures such as tamper-evident security tape and security cameras.

Crooks involved in fuel pump skimming generally are tied to organized crime gangs, as evidenced by this Nov. 2015 investigation into fuel theft gangs operating in Southern California. The thieves most often use stolen master keys or bribery to gain access to the pumps. Once inside the pumps, the thieves hook up their skimmer to the pump’s card reader and PIN pad. The devices also are connected to the pump’s electric power — so they don’t need batteries and can operate indefinitely. Increasingly, these thieves are installing Bluetooth-based skimmers that can transmit stolen data wirelessly, allowing thieves to avoid taking the risky step of retrieving their skimmer gear.

Some pump skimming devices are capable of stealing debit card PINs as well, so it’s a good idea to avoid paying with a debit card at the pump. Armed with your PIN and debit card data, thieves can clone the card and pull money out of your account at an ATM. Having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).

“That’s exactly the sort of advice fuel station owners don’t want given to consumers,” Litan said. “For filling stations, credit is their least favorite form of payment because it’s the most expensive for them, which is why some stations offer lower prices for debit card transactions. But consumers should never use a debit card at a gas station.”

Want to learn more about skimming devices? Check out my series, All About Skimmers.

101 comments

  1. Aside from the security problems mentioned in the article, debit cards will grab a “preauthorized” amount from the account (usually somewhere between $75-150), which can generate over-balance fees for the purchaser, until the actual amount of the transaction clears the account. This is to a degree a holdover from the bad old days when gas was north of four bucks a gallon.

    • Robert.Walter (Squire Strat)

      The large pre-auth is also because the pump has no way to distinguish between a motor home or a smart car. So the pre-auth is in a one-size-fits-all amount.

      • Oddly, in Canada where they use essentially the same pumps, all the pumps I’ve used recently use EMV, and let you decide when you start how much to preauthorize if you think the $100 default is too much.
        What do they know that Americans don’t?

        • Perhaps the Canadian companies that you speak of are better “civic-minded corporate citizens” than their “heartless money grubbing” US counterparts?

          • Or perhaps the Canadian companies are required by law to serve their customers rather than having laws rigged so the customer serves the company?

            • Or, perhaps the banks could just release the pre-auth amount promptly when the completion comes through. This really isn’t a problem created by retailers – it’s the (many, but not all) banks that refuse to release the pre-auth amount promptly after the sale.

            • Or, banks could just promptly release the pre-auth amount as soon as the completion comes through. This really isn’t something caused by the retailer – but the many (although not all) banks that don’t close out the transaction promptly.

              • Banks automatically release pre-auths based on matching debits. If the pre-auth was for $75 and the actual debit was only $30 then their system won’t clear the pre-auth. This is exactly how it’s supposed to work, because there’s no way for an automated system to know that a $75 debit isn’t still expected – and banking system pre-auths are designed to protect customers from double-committing funds and potentially incurring overdraw fees.

                System pre-auths are a lot shorter than the card scheme auths they replicate, but if an auth is causing inconvenience it’s a simple matter to call the bank and have them clear it. They’re just not psychic is all.

                • Actually, if the merchant clears/adjusts the preauth properly, referencing the blanket amount first authorized, it's no problem for the bank to clear the block.
                  Not all merchants do that properly, sadly.

                  The bank indeed is not psychic so it removes any pre-auth block at its own financial risk, if it is not 100% sure it relates to a following clearing for another amount.

        • As of 2014, CTV [1] was reporting on > $100 holds for gas

          I’ve used a credit card in a bunch of regions in Ontario, and I can’t remember it saying anything. OTOH, we were usually filling-to-full — I was paying for gas for someone else + their car and thus wasn’t interested in getting some dollar limited amount of gas…

          I think what you’re seeing is pumps that let you specify the dollar amount of gas in advance. That’s been around at some stations in the US for over a decade (I haven’t traveled the US in a decade, and I remember it from before then).

          [1] http://canada.creditcards.com/credit-card-news/6-insights-about-authorization_holds-1264.php

  2. In the meantime, use the chip-reader inside the station — I know, kind of inconvenient, but if you’re paranoid and skimmers become rampant… Or, by 2020 just obsolete the fuel pumps, since we’ll all be driving Teslas and riding around in driver-less Ubers anyway.

  3. Meanwhile, people tend to see no problem with retailers using Square and Square type card readers connected to various iPad type equipment.

    • Tokenized transactions my friend.

      • lol….yeah….ok

        • Well now that wasn’t much of a rebuttal, Mikey. Kinda weak, actually. So at this point I’m thinking tokenization is the shizzle. The jizzle. The mofo mizzle!

          • People can think what they want. I just see no point in saying on one hand that the mag strip is bad then saying it’s good. Tokenizing isn’t even a variable here. If we are going with chip and doing away with mag strip as a security measure then I have to see Square as a security risk.

            Otherwise, this entire article means nothing.

            • Then you are deliberately being ignorant. What is bad is a mag stripe that is permanently tied to your card. If all they get from a “swipe” is a one time use token which still requires separate secure information from you to be valid, then that wouldn’t be an issue.

              So, by focusing on the mag stripe, you are ignoring the whole motivating point of this article:

              1. Switching to a more secure form of payment is so “burdensome” that the deadline is being extended by two years.
              2. There is no incentive to provide customers with more secure options in the interim.

              The square and competitor readers that support tokenized payments are examples of #2. Where even if the place you shop is being lazy, you can at least use existing tech in a way that’s more secure.

              For example, I use Samsung Pay almost exclusively instead of my physical credit cards. It’s convenient – I don’t need to dip a card for a chip to be read, fast, convenient and secure. It works almost everywhere except. . . card readers that require you to “dip” your card…which is about 100% of fuel pumps in the US (which have card readers).

              So even though my general payment behavior is secure, in the face of, what’s generally now understood to be, an unsecure platform, I’m stymied due to the issues upgrading fuel stations. If those could be upgraded to Square type readers, I could continue being secure (without falling back to my chip enabled cards inside the station [if that’s even available]) and everyone else can continue being lazy (allow mag swipes)

              • Then there is no point in going with a chip based system. Which is what everyone is complaining about, that the card companies are saying, that creates this mess since there does not seem to be much fire under anyone to move to.

                If it’s just the reader, then why chip?
                If it isn’t the strip, then why the chip?
                If it isn’t the chip, then why get so bent out of shape?

                The card companies are making moves (although slowly) to chip. This tells me that the life span of the strip is limited at this point regardless of the reader.

                The level of ignorance, intelligence, or apathy for me, you, or anyone else really isn’t a variable. Card companies and retailers (brick and mortar or online) will make these decisions for us (likely at the direction of government).

        • Just to clarify, I was thinking about chip or NFC transactions through square. Not the swipe transactions.

    • Square has EMV/NFC for the US market (oddly, I can’t find it for the Canadian market, which is further along in the Chip transition):

      Square Contactless and Chip Reader $50 [1]

      > Accept chip cards and NFC payments with Square’s most advanced reader yet. Plug it into Square Stand or connect wirelessly to your mobile device.
      > Pay just 2.75% per Apple Pay, Android Pay, or dipped EMV chip card transaction.
      > Included: Square contactless and chip reader; Square magstripe reader; Micro USB cable
      > Payment Types: EMV chip cards; Apple Pay; Android Pay; Samsung Pay; NFC cards; Magnetic-stripe cards (with included magstripe reader)

      [1] https://squareup.com/shop/hardware/products/chip-credit-card-reader-with-nfc

      • I might would accept this. I just haven’t seen this before. None of the retailers I’ve come across use it. But I will be looking for this.

        Thanks for sharing this.

  4. If you end up getting skimmed, scammed and fleeced after January 2017, perhaps you should simply send the bill to the Trump administration.

  5. On one hand, they have the option of disabling pay at the pump until they can get the necessary hardware (especially since some gas stations, like 7-Eleven and Shell, now do EMV inside). On the other, it probably wouldn’t look good for Visa/MC if gas pump EMV acceptance was as poor as in-store immediately after their respective liability shifts, especially since at least a couple of stores are suing them for exactly the reasons described in the article. I almost wonder if things would have gone better had the original liability shift dates been something like 2018/2020 instead of 2015/2017 (now 2015/2020).

  6. “…it can cost more than $10,000 per pump to accommodate chip card readers.”

    How can a fellow invest in the companies that do those installations? 🙂

  7. “on the hook to absorb 100 percent of the costs of fraud associated with transactions in which the customer presented a chip-based card yet was not asked or able to dip the chip” Instead of pushing the required by date out 3 years why don’t they pass a percentage of the cost to the pump owner (say 10%) that might speed up the adoption rate.

    • Here’s the challenge: there aren’t enough people in the pump tech industry to do all of the work (which, if pumps need to be replaced, typically requires tearing up the forecourt of the station which in turn requires permitting, etc.) in the timelines that were set. The two companies that make nearly all of the AFDs for the US market (Wayne and Gilbarco) understood this – so they didn’t want to build inventory that wasn’t likely to be sold quickly. This in turn led to shortages of equipment and parts as well. Also a problem was the certifications that needed to be secured for all of the equipment (U/L, various states’ Weights and Measures, etc.) Contrary to popular belief, for the most part gas stations aren’t very profitable businesses – this is a YUGE expense for them – and no one is really incentivised to move quickly.

  8. Is it still OK to pay with CASH?? 😉

    • I always pay cash. I refuse to ever use any plastic anywhere for anything when it comes to making purchases. If more people would use cash as protest then maybe they would start losing money and figure out they better get serious about this.

      • “If more people would use cash as protest then maybe they would start losing money and figure out they better get serious about this.”

        Huh?
        Gas stations love when you pay with cash (for multiple reasons).
        They don’t have to pay any fees to the credit card companies and you’re in the store where you might buy more stuff from them.

        • The “they” he was referring to was the credit card companies, not the gas station owners. 3% of 0 is 0.

        • In NY state at the vast majority of gas stations there are two prices for a given grade of gas: one if you pay cash and one if you pay credit. The cash price is usually 10¢ less than the credit price.

        • I was referring to the banks/credit card companies when I said “they”. I guess I should have made myself clearer. Sorry about that.

    • Not at Costco gas pumps. They only take debit cards or their branded credit card. I have no use for their branded credit card, so I use my debit card. At least they have security tape on the pumps and readers and employees walking the pumps, so I’ll take the risk with my debit card and save about $.30 / gallon vs. the convenience store about a mile away from my house. Recently, it was $.40 / gallon. Oh, and the Costco location is about 2 miles further from my house than the convenience store, so I do come out ahead by making a trip to Costco even when I don’t need anything from the store.

      • Not true. For the past several months, Costco (in-store, pump, and online) has accepted all Visa cards. Yahoo!

        • Yeah, Costco has single-sourced the credit-card-payment-network it uses (as did Priceclub before it, for a while one of them used Discover).

          From a Marketwatch article about the changeover:
          … Costco Wholesale Corp. has started to issue new Visa cards to its customers, who after June 20[, 2016] will no longer be able to use their former Costco cards from American Express.
          … In 2014, Wal-Mart Stores Inc. switched its co-branded credit cards from Discover to MasterCard. And in 2013, Capital One sold its Best Buy co-branded credit-card portfolio to Citigroup. After that switch, Best Buy changed its credit-card processing partner from MasterCard to Visa.
          … Costco will also accept non-cobranded Visa cards.

          [1] http://www.marketwatch.com/story/5-things-to-know-about-the-costco-and-amex-breakup-2016-02-11

        • I forgot about that since my credit card is a MasterCard. My credit union only offers MC branded credit cards, so switching would be a pain just to be able to use it at Costco fuel pumps.

          • Your CU credit card gives you better rebates than the Costco Visa card? That would be amazing; our CI card has lame rewards.

            You might revisit Brian’s excellent recommendations about never using a debit card where a credit card can be substituted.

  9. One more reason to use an oil company credit card. If the card is skimmed at the pump, the company that didn’t install the readers takes the brunt of the loss, and your debit and general-purpose credit cards are relatively safe.

    JR

  10. Wow….until 2020 crooks take how much u can
    So…i guess 2020 will get chip somewhere else not just on cards
    Plus… bitcoin will be global currency.
    With help of marxist criminal agents who help criminal gangs to steal…the nwo will be on the corner.
    Guess 3 years. And surveillance and total control will be
    But average joe…go to work. U cant do nothing about it just watch tv and mcdonalds.

  11. Guess I’ll be buying overpriced Exxon gas with my Speedpass for a few more years.

  12. Almost seems it would be cheaper and safer for gas stations to no longer offer pay at the pump. All purchases will have to be paid inside. And remove all the payment systems from the pumps. If I owned a gas station that’s how I would have it.

    • Stations could do that, sure, but then consumers would just vote with their wallets and drive a few feet further down the road to a station that does accept cards.

      • True. I know people who have had their cards compromised several times and still use them at the same places all the time. It’s almost like most consumers care less than the banks or credit card companies. So ya you’re probably right. It’s a shame.

        • Sure, and aside from a small hassle factor, why would a consumer be that worried about card compromise? It doesn’t cost ME anything [directly], and can happen anywhere. For that matter, if &retailer has had a problem recently, then one might imagine* that &retailer is likely to be VERY secure now that they’re paying attention.

          *One might be wrong in that imagining, but in most cases, it’s probably a reasonable bet.

        • Of course consumers care less, since they aren’t liable for fraudulent charges their risk is much less.

      • If a fuel supplier e.g. Shell would install EMV on all their gas stations and advertise this country wide in a commercial pointing at the financial security this feature offers to their customers.

        Then the ‘wallets’ will vote for Shell…

        • Shell is just the banner. They don’t actually operate the gas station. It’s on the operator to maintain and upgrade the pumps. That’s money that Shell, BP, Conoco, etc aren’t on the hook for, so they would never offer to pay it when they don’t have to.

          • Bingo – most (but not all) gas stations in the US are operated by independent dealers or franchisees. The only way a MOC brand could get 100% compliance would be to pay for it – and that’s not economically feasible given the size of the investment required.

      • Which I have done many times in the past.

  13. Christopher Lewis

    I’m sure that the companies are way too busy updating all the pumps with the GSTV displays to be bothered with updating the card security…

    • Sadly this is true. I have no idea why GSTV was ever a priority for anyone. But I am guessing that there aren’t any regulatory or permitting issues there – it is a relatively simple add-on to an existing pump.

  14. Skimming has nothing to do with EMV – EMV transactions still send data in the clear, and the US has not implemented PIN with its EMV effort.

    • I can’t tell if you’re just trolling or stupid. EMV has everything to do with skimming. Yes, data is still stored on magstripe in plain text. The point is, physical card fraud is way more lucrative than online fraud, which is all that any intercepted chip card data is good for. Quit trying to confuse the issue.

      • It is the mag strip on the back of the chip card where the fraud is happening, not the chip itself.

        That’s why I have switched to using my phone utilizing NFC or use the chip card as much as possible unless I have no choice of retailers.

    • Each form of credit card payment provides a distinct identifier.

      Originally it was just the account number + expiry:
      – This is pre imprint, pre-magstripe
      Imprinting didn’t change this.

      Not included on the card is billing address.
      Merchants and payment processors can choose to try to process a payment with fewer pieces of information. But the less information they provide, the more likely liability will be transferred to them in the case the cardholder complains.

      Then there was CVV1 which is encoded in the magstripe.

      If you want to make a cloned card for use as a magstripe, you can’t use an imprint to recreate the card information. You need to read the magstripe for CVV1.

      CVV2/CVC2 was added for CNP (Card Not Present), you can’t perform a complete CNP transaction using a magstripe recording because you don’t have the CVV2/CVC2.

      EMV payments use a cryptogram based on a key that isn’t related to CVV1/CVV2. So, capturing an EMV transaction doesn’t enable you to perform CVV1 (magstripe) or CNP transactions.

    • Yes, some card data is sent in the clear during EMV transactions – BUT – it’s not enough data to create a counterfeit mag-stripe card, not enough data for card-not-present transactions, and it includes a transaction cryptogram that verifies that the genuine physical card was used (which is unique for each transaction).

      Chip & PIN is the best implementation because it makes it harder to use a stolen or found card. It’s the signature part of chip & signature that’s the weak link, not the chip – the card is still protected against skimming.
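The per-transaction cryptogram described in the replies above, as an added sketch that is not part of the original comments and is not EMV's actual algorithm: HMAC-SHA256 stands in for the card's MAC, and the key, card identifier, and `Issuer` class are constructed for illustration. It shows why a captured chip transaction cannot be replayed or reused, whereas the static magstripe data never changes.

```python
import hashlib
import hmac
import struct


def cryptogram(card_key, atc, amount_cents, unpredictable):
    """Stand-in for a chip cryptogram: a MAC over this transaction's data.

    atc is the card's transaction counter; unpredictable is a nonce chosen
    by the terminal. HMAC-SHA256 is an assumption made for this example.
    """
    msg = struct.pack(">HQ", atc, amount_cents) + unpredictable
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]


class Issuer:
    """Hypothetical issuer-side check: the key never leaves card and issuer."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, card_id, card_key):
        self._keys[card_id] = card_key
        self._last_atc[card_id] = 0

    def authorize(self, card_id, atc, amount_cents, unpredictable, cg):
        key = self._keys.get(card_id)
        if key is None:
            return "declined: unknown card"
        # A counter value that was already accepted marks a replayed message.
        if atc <= self._last_atc[card_id]:
            return "declined: counter already used"
        expected = cryptogram(key, atc, amount_cents, unpredictable)
        if not hmac.compare_digest(expected, cg):
            return "declined: bad cryptogram"
        self._last_atc[card_id] = atc
        return "approved"


def demo():
    card_id = "CARD-CONSTRUCTED-0001"                        # constructed
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    issuer = Issuer()
    issuer.enroll(card_id, key)

    nonce1 = bytes.fromhex("a1b2c3d4")
    # Everything an eavesdropper on the reader wiring could observe:
    captured = (card_id, 1, 4250, nonce1, cryptogram(key, 1, 4250, nonce1))

    results = {}
    results["genuine"] = issuer.authorize(*captured)
    # Exact replay of the observed message.
    results["replay"] = issuer.authorize(*captured)
    # Observed cryptogram attached to a fresh counter and a new amount.
    results["reused_cryptogram"] = issuer.authorize(
        card_id, 2, 9900, nonce1, captured[4])
    # The real card, which holds the key, keeps working.
    nonce2 = bytes.fromhex("0badf00d")
    results["next_genuine"] = issuer.authorize(
        card_id, 2, 1500, nonce2, cryptogram(key, 2, 1500, nonce2))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} {outcome}")
```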

  15. Seriously, I don’t understand why Americans have such a hard time with EMV cards. I live in Canada and most pumps here accept chip-and-pin cards. That doesn’t mean that skimming never happens anymore (http://www.metronews.ca/news/calgary/2016/08/18/calgary-police-say-card-skimming-more-common-at-pumps.html).

    • Canada is a *small* country (by population, and car count — relative to the USA).
      Canada has very few payment processors.
      Canada has very few gas networks.
      Canada has very few credit card issuers.
      Canada has very few gas stations.

      Also, I believe that here in Canada the payment terminals are more likely to be owned by the payment processor than by the merchant, which makes it easier for the processor to manage the upgrade.

      Probably most importantly: there is essentially a single national debit network (Interac) in Canada vs. closer to two dozen in the USA.

      Interac pushed for EMV support early [1], which means that it essentially pushed the vast majority of merchants to support EMV without waiting for the credit card companies to issue cards.

      It isn’t quite this simple. The EMV Visa deployment in Canada wasn’t perfect, and the AmEx deployment is all sorts of pain. Plus the idiots who manage payments insist on charging a premium for certain features (e.g. Tap), which means that merchants choose not to accept it.

      [1] http://www.smartcardalliance.org/secure/events/20140205/johnsonl.pdf

      • please try to replace ‘Canada’ with ‘Europe’ and see how many of your 5 arguments are still true (I guess none or almost none of them…)

  16. Completely the wrong direction. VISA/MC should be moving toward Chip and PIN rather than pushing out the due date of the meager security improvement by Chip only.

    I say this as I’m reading this article while taking a timeout from changing all my autopay accounts due to the third VISA CC hack in two years.

    This is getting VERY old.

    jim

  17. It seems like Visa is ignoring the skimmer threat with that 1.3% fraud statistics — at least if I’m reading it right, that’s just saying that only 1.3% of fraudulent transactions occur at the pump…not what % of compromises do?

  18. Maybe I’m misreading, but this blog post seems to infer that gas stations will be footing the bill for fraud that comes as a result of card skimming that occurs at their fuel pumps, but that simply isn’t the case. There is no system in place for tracing stolen cards back to where the skimming occurred and holding that establishment accountable. We’re not talking about millions of cards being stolen as the result of a major breach.. that’s an entirely different matter.

    “Visa said fuel pump skimming accounts for just 1.3 percent of total U.S. payment card fraud”

    Is this meant to say that fraudulent transactions at fuel pumps account for only 1.3% of the total U.S. payment card fraud? These are two entirely separate things. How does VISA know where all card SKIMMING occurs?

    Gas stations that do not support EMV will be on the line for fraudulent transactions that occur at their terminals using compromised (stolen, reproduced) EMV-capable cards.. No different than retailers. One of the primary reasons why retail establishments have adopted EMV at a snail’s pace is simple. The cost of converting to EMV capable readers greatly outweighs the cost incurred by footing the bill for fraudulent transactions. The return on investment simply isn’t there.

    Come 2020, gas stations are going to run the numbers and still balk at the idea changing out their pumps. We’ll be lucky to have full EMV adoption before 2030. Most gas stations won’t change out their pumps unless they have another motivation to do so.

    • Because they don’t just skim one card and cash out. They skim every card that comes through. When fraud occurs the banks share notes with one another for common places of purchases for the cards that have been used for fraud. Find enough cards used at the same location that were later used for fraud and you have the location where the card information was skimmed, stolen, etc.

      They most certainly can and do go after places that have failed to adequately secure and maintain their pumps. It’s all in the contract they sign. One station I used to live near had their pumps compromised so many times they were no longer allowed to have on-pump readers, cards were only allowed in the store – and had to be handed to the attendant with matching photo ID. Needless to say I was in no hurry to revisit that station.
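The "common places of purchase" matching described in the comment above, as an added example that is not part of the original thread. The card IDs, merchant names, day numbers, and thresholds are all constructed; the function ranks merchants by how over-represented they are among cards later reported for fraud, so a store that simply sees every card does not get flagged.

```python
from collections import defaultdict

# Constructed sample data: (card, merchant, day-of-year of the purchase).
TRANSACTIONS = [
    ("c01", "PUMP-7", 200), ("c02", "PUMP-7", 201), ("c03", "PUMP-7", 203),
    ("c04", "PUMP-7", 204), ("c05", "PUMP-7", 205),
    ("c01", "COFFEE", 190), ("c06", "COFFEE", 191), ("c07", "COFFEE", 192),
    ("c02", "PHARMACY", 195), ("c03", "PHARMACY", 196), ("c08", "PHARMACY", 197),
    ("c04", "PUMP-2", 230),  # visit made after this card was already abused
    ("c09", "PUMP-2", 199), ("c10", "PUMP-2", 202),
] + [(f"c{i:02d}", "GROCERY", 180 + i) for i in range(1, 13)]

# Constructed: card -> day the first fraudulent charge was reported.
FRAUD_FIRST_SEEN = {"c01": 220, "c02": 221, "c03": 222, "c04": 225}


def common_points_of_purchase(transactions, fraud_first_seen,
                              min_cards=3, min_lift=1.5):
    """Return [(merchant, fraud_cards, all_cards, lift)], highest lift first.

    lift = (share of this merchant's cards that later saw fraud)
           / (share of all cards that later saw fraud).
    """
    all_cards = set()
    cards_at = defaultdict(set)
    for card, merchant, day in transactions:
        all_cards.add(card)
        first_fraud = fraud_first_seen.get(card)
        # A purchase made after the fraud began cannot be where that
        # card was compromised, so it does not count as exposure.
        if first_fraud is not None and day >= first_fraud:
            continue
        cards_at[merchant].add(card)

    fraud_cards = all_cards & set(fraud_first_seen)
    if not fraud_cards:
        return []

    ranked = []
    for merchant, cards in cards_at.items():
        hits = len(cards & fraud_cards)
        if hits < min_cards:
            continue  # too few cards to call it a pattern
        lift = (hits * len(all_cards)) / (len(cards) * len(fraud_cards))
        if lift >= min_lift:
            ranked.append((merchant, hits, len(cards), round(lift, 2)))
    ranked.sort(key=lambda r: (-r[3], -r[1], r[0]))
    return ranked


if __name__ == "__main__":
    for row in common_points_of_purchase(TRANSACTIONS, FRAUD_FIRST_SEEN):
        print("merchant=%s fraud_cards=%d cards=%d lift=%.2f" % row)
```

GROCERY was visited by all four compromised cards too, but its lift is 1.0 because every card shops there; only PUMP-7 stands out.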

      • I think Grit’s point is that the gas stations themselves don’t suffer any losses when there are skimmers on their pumps. The fraudulent cards, made from the skimmed data, are used at other stores to purchase items or gift cards that can be converted to cash. The place that needs the chip readers are the places where the fraud occurs, not where the skimmers are located. Most places where I shop now have the chip readers. I suppose someone could use a fraudulent card at a gas station, but how much gas can you pump?

        • “How much gas can you pump?”

          I can answer that: about $1,500 worth. The scam is this:
          -bribe the station attendant to ignore everything
          -stand out at the pump with a stolen credit card in pocket
          -tell drivers who come for gas that they will get a big discount for paying you with cash
          -pump the gas for the drivers, swipe the stolen card at the pump
          -collect cash from the drivers.
          -repeat until the card is declined.
          -use another stolen card and continue.

          …my copied card was used in this manner a few years ago.

  19. IRS iTUNE cards (real)

    In other words don’t pay at the gas pump, pay inside.

  20. We can spend the next 100 years battling this, or we can require the death penalty for skimming fraud – voila problem solved.

  21. I wonder if the Bluetooth skimmers have been certified for use in an explosive environment per National Electrical Code Article 514? So not only will they grab your data, they might discharge enough energy to ignite gasoline vapors, doubling the nastiness.

  22. Great discussion. A few comments:

    – I have not checked lately, but my understanding is that fraud done to a debit card is NOT covered by the bank and the owner has little recourse for the loss.

    – Protesting and helping vendors by paying with cash is a great idea. How many will make the effort?

    – Investing in companies that provide equipment services to gas stations is a great idea at least for the short term. We’ll see if they someday start installing “Recharge pumps”.

    – CC fraud spotting is getting better and better. Chase is sending me more and more email alerts when I go out of my normal spending pattern. ALL credit cards should have this. I may not have to pay for a fraudulent charge, but having to go back later and dispute charges is not as easy as responding to their questions when they show up after something they find suspicious.

    – Brian: Is there an app that we can use to detect skimmers? I would love to have one of these on my phone so I can notify the business owner if I find one. It would be nice if there was a bounty on them! 🙂

  23. Why oh why do people still use normal credit cards. Use prepaid credit cards or top up cards. Minimises any loss and no connection back to your bank accounts.

  24. I am very disappointed to hear about this delay in the requirement to upgrade to the chip technology for gas pumps. It’s unbelievable to me that MasterCard and Visa are willing to underwrite the cost of fraud at the pump for the next three years. The criminals are going to be laughing all the way to the bank!

    Meanwhile, there is another portion of this unnecessarily painful transition that will go begging. Our chip cards aren’t as secure as they could be because they still have the mag strips, which contain all the personal information from the card user in an insecure format. Our “secure” chip cards are still vulnerable, not just from skimmers, but from RFID readers – not because of the chip – but because of the mag strip. Once all businesses move to chip readers, then cards can be issued with only the chip and no mag strip. All credit cards issued have to remain backward-compatible with mag strip readers until the transition is complete. With this latest development, the transition is not likely to take place now until years after 2020. And that’s not even taking into account the changes needed to add the pin component to these chip cards.

    This development underscores exactly why, when the fraud shift was implemented for retailers in 2015, we should have moved directly to chip and pin, instead of limping along with chip and sign. If chip and pin was required for the retailers, at least we’d be done (until the next big thing comes along, anyway) but the card issuers and banks in this country opted for only half a loaf (for totally self-serving reasons, in my opinion). I think the next transition to chip and pin will be just as painful, and unnecessarily so. It’s like taking off a band-aid one millimeter at a time, when it would be a lot less painful to just rip it off.

    • Agreed – had the card networks mandated the move to chip-n-PIN + end-to-end encryption we could have really taken a bite out of this scourge for the foreseeable future (at least in the brick-n-mortar arena). And if the card networks had used some of those billions in profits to help underwrite making the payment ecosystem safe, we’d be done by now.

    • I agreed. That’s what I have said to many people in regard to the mag strip being the problem and the cause of fraud. I still have people think the mag strip is fine when it is not. I even had one lady who liked keeping the mag strip and insisted that the bank not issue the chip card. I replied “what are you going to do when the bank sends you a chip card?” The look on her face was priceless. I replied, “the bank is going to send you a chip card whether you like it or not.” What you have here is resistance to technology that would have nipped things in the bud early on by enforcing the Chip + PIN.

      I find it easier to use my phone using NFC to pay for things until the transition is permanent. By then, it will be standard.

    • I think in general that banks are on the hook for most of the fraud charges [1].

      [1] https://www.nerdwallet.com/blog/credit-cards/merchants-victims-credit-card-fraud/

  25. It comes as no surprise that there would be a delay considering the fact there has not been any effort to switch, rather doing the half loaf process. The only reason they are doing this is that many of the customers have more than 2 cards to remember the PIN and the banks don’t want to lose money if it makes it hard for the customers to remember it.

    I have been using my phone via AP to pay for gas for three years now by going into the retailer to get the gas paid for. I haven’t had a problem.

  26. Brian, please remind all these security experts, NFC was broken the day after it was discovered. It’s a backdoor onto your phone. Even the encryption has been busted since day one, because it is unencrypted on your phone…that’s not a “neat trick” but your phone has to display the unencrypted message, therefore it has to have a key, and can therefore be undone with any keyloggers.
    Secondly, never tie a card to a checking account. If you want to give away all your money, give it to me, I’m sure Salvation Army and the city mission could use a bigger donation. Especially since it’s starting to get cold now.
    Disable Bluetooth, or use a Bluetooth map, that has a hopping list, and use settings to warn you on Bluetooth. It’s another backdoor to your life savings, remember, most skimmers are using Bluetooth, if your BT is on, and set to update over BT, or wifi in the 5mghtz range, and listed as friendly, you may be hacked in addition to getting robbed.
    It’s not just the continuation of the gas pump thing, and remember, don’t trust the security tape. That was broken before the pumps had credit cards.

  27. Then when this issue is corrected, a fraudster has a simple fallback;

    http://www.csoonline.com/article/3146978/security/distributed-guessing-attack-lets-hackers-verify-visa-card-details.html#tk.rss_news

    P.S. Brian – I am seeing a lot of 502 – Bad gateway (shield) issues related to your site.

  28. Surely there must be a way to implement as an add-on or external to the pump rather than completely tearing out the whole thing.

  29. I have to call BS on the new card readers for pumps costing $10k.
    Stand alone Chip card readers sell retail $20 to $250. Even if it cost $1000 for one, and labor was $1000 an hour, it wouldn’t take 9 hours to replace a reader.
    Someone is Skimming (or slaughtering) the fuel stations for this upgrade, and you know it’s you and me paying for this.

    • Mahhn, in some cases the stations have to replace the entire pump, as the pump does not have a slot for an electronic payment module. That’s where the $10k estimate per pump comes from; ripping out an entire pump, concrete and all.

      • The whole article was about installing chip readers in existing pay at the pump setups. If the gas station didn’t have pay at the pump capabilities then there is no chance for ‘at the pump’ fraud. An ‘inexpensive chip’ reader can be used inside.

        Like the previous commenter said, there is no reason why the module with the card slot can’t be easily changed. I’ll bet that if someone crammed something into the slot, it would be changed out quickly.

        The stations can add the TV panel, why not a chip reader?

        • Gas Stations are able to put TVs on Pumps because they get discounted price on pumps with TVs because the percentage of content displayed on the TVs are advertisements. Ad networks help discount the pump price. So, if companies are able to pair EMV and TV Advertisements then you can bring down the total cost, however only two companies control the whole market, so they want to reap the profits from the EMV upgrades. On average a good pump costs $12k to $15k and about $2000 per pump for installation.

          In terms of Pumps costing north of $10k is a correct estimate, because newer pumps required secured access panel for the credit card reader and in older pumps when you open a pump credit card reader and rest of the pump components are exposed.

          Also, to open pump panels you can use a generic key from the Vendor and most stations fail to change the original locks on the pumps. People who work on gas pumps have the keys to open any type of pump.

          In Conclusion, we have to look at the bigger picture before we start complaining and understand the ins and outs of the industry before making baseless claims like pumps cannot cost $10k.