Combating Pay-At-The-Pump SkimmingInspection, Collaboration Best Responses to POS Attacks
Taylor, a security and compliance expert for the National Association of Convenience Stores, sees the role of mitigating fraud as being threefold, with merchants, manufacturers and NACS all playing parts in solving the problem of fraudsters targeting unattended self-service terminals.
"Pay-at-the-pump skimming has seen an uptick. Most of our customers are habitual loyal customers, and to have a customer's card information breached is really a breach of that customer-merchant confidentiality and trust," says Taylor in an interview with BankInfoSecurity.com's Tracy Kitten [transcript below].
Taylor offers the following three pieces of advice to merchants at risk of card-skimming attacks:
- Change the pay-at-the-pump dispenser locks: "The older dispensers that came out all had the same lock. At one point, I had three keys in my desk that could have opened every dispenser in the United States," Taylor says;
- Place security tape over all critical joints and openings of the dispenser;
- Inspect dispensers daily: "If that security tape has been tampered with or broken, you have to shut down that dispenser and restrict access," he says.
Manufacturers are aiding the effort by building enclosures with unique access keys and teaming with NACS to issue guides that help merchants secure dispensers. NACS also has created a 20-minute video that explains how to inspect dispensers. "We owe it to our customers to do this," Taylor says.
During this first part of a two-part interview, Taylor discusses:
- How merchants are controlling access to pay-at-the-pump terminals, to limit exposure to skimming;
- Steps NACS is taking to educated merchants about the importance of regularly inspecting gas terminals for tampering;
- Why payments security and the need to control cost don't always jibe.
Be sure to check back for Part 2, when Taylor discusses consequences of a U.S. move to EMV, how financial institutions and merchants can collaborate to fight skimming trends, and steps vendors and organizations like the PCI Security Standards Council can take to assist merchants in the fight for stronger card security.
Taylor has worked in the convenience-store industry since 1963, when his family opened its first of 87 convenience stores. Taylor later founded a fuel-retailing business and a store-based consumer banking/debit system, the first service of is kind to be offered by a retailer. Since selling his retail interests, Taylor has been involved on a variety of projects, including recapitalization of a public alternative fuels company, heading global product management for several of the world's largest petroleum equipment and retail systems suppliers, and serving as vice president of research and technology for NACS.
TRACY KITTEN: Skimming at pay-at-the-pump gas terminals has garnered a great deal of media attention over the last 18-24 months. What can you tell us about pay-at-the-pump skimming and the impact it's having on the petrol and c-store markets?
GRAY TAYLOR: It's been an interesting phenomenon and I think it really rises as a result of large firms and large retailers locking down their systems and reducing their risk of a data breach from the back-door sources like the Internet and other compromises that were so famous a couple of years ago. I think what's happened is that, with those security measures going into place, the retail community is forcing these gangs to move downstream into more high-contact places, events where they can collect card data. What they're charging, of course, is the unattended terminal. The two most popular unattended terminals that you might imagine are the gas pumps and an ATM. But of course, there are unattended terminals for transportation, transit and so forth.
I think what's happening is these gangs are saying, "Look, we've got this sales pipeline in place where valid card numbers can be bought and we can sell them over the Internet. Now how do we accumulate all of these card numbers?" By targeting these gasoline pumps or the ATMs, they're finding at least some stream or trickle of card numbers that they can then put on the Internet to sell. They're highly organized and they're centralized from the central European nation and they have confederates who will go and roam what I call the interstate corridors and will target a metropolitan area at any given time. We certainly saw that in Las Vegas about 18 months ago. We saw that in Salt Lake City a little over a year ago. Most recently we saw an event pop up in Jacksonville, Fla., where the gangs would come in and they would open up fuel dispensers and they would put skimming devices on there. This has caused a great deal of constant issue within the 145,000 convenience stores that are in market, because if you think about a convenience store, most of our customers are habitual loyal customers, and to have a customer's card information breached is really a breach of that customer-merchant confidentiality and trust.
Steps to Combat Skimming Trends
KITTEN: What steps are merchants taking generally to help combat some of these skimming trends?
TAYLOR: The interesting thing is when you look at these skimmers that are getting pulled out of pumps and ATMs, they're highly ingenious and so our first attempt was to identify the skimming devices. That's kind of like saying, "identify cell phones." I mean, you don't know what you're looking at, so what we've really done as merchants is we've moved back and said, "Look, the only thing I can do is control access and know when unauthorized access has been made to the fuel pumps." Unlike ATMs where they tend to be overlays, it makes it very difficult for consumers to see the difference. What we're instructing and what the merchants are doing is they're changing locks on their dispensers. The older dispensers that came out all had the same lock. At one point, I had three keys in my desk that could have opened every dispenser in the United States.
The first thing is you change the lock in your dispenser. The second thing is you put security tape over all of the critical joints and the openings of your dispenser. And you have to go and you have to inspect daily. If that security tape has been tampered with or broken, you have to shut down that dispenser, restrict access and notice when somebody has gone in and had access to that device.
The Role of Manufacturers
KITTEN: I think it's interesting that you noted universal keys. That was something that we saw plaguing the ATM industry about a decade ago. I would like to ask you, what role do manufacturers of enclosures for self-service gas pumps play when it comes to fighting skimming?
TAYLOR: I've worked at two gas-pump manufacturers in my history and that debate has always come up. The first thing is that way back when, before skimming was really prevalent, it wasn't a big issue. As retailers were looking to reduce the cost of the capital goods and to keep the usage and maintenance simple, they said, "Look, just give me the same piece so I can open up that pump and I can change the paper and do those sorts of things." Demand from the retailer community back in the 90s was, "I just want a universal key." Now mind you, gasoline pumps tend to have a 15-year usable life so there are a lot of older gas pumps out there that still have the universal key. That was number one.
Number two was we also got some flack from the fire marshal in some communities where they like the idea of having the universal key because they can get into a fuel dispenser. We've had some merchants who were told they're not allowed to re-key the dispenser. That being said, re-keying your dispenser is about a $250-300 exercise per site and we're finding that our guys are doing that in droves now. It's one of the simplest ways to keep people out of your dispenser.
KITTEN: You noted that card skimming is a problem, not just at pay-at-the-pump terminals but at ATMs as well as points of sale. How do you see these trends affecting merchants when it comes to ATMs, points of sale and pay-at-the-pump?
TAYLOR: I think the bottom line is, if you own and/or operate any type of unattended terminal device that's taking your customer's card information, especially if it's saving somebody's PIN information, you owe your customers a daily inspection of that device to make sure that an overlay on your ATM has not been placed, or that somebody hasn't accessed the electronic scanner of your dispenser. There's nothing that can replace looking at those devices once a day and banks have implemented that same procedure. They now have their people who are going in and re-cashing ATMs trained to look over the ATMs very carefully to make sure there are no pinhole cameras and skimmers that have been attached.
The Role of NACSKITTEN: How is NACS helping merchants address some of these growing skimming trends?
TAYLOR: What we did first-of-all was we didn't publicize this at a national front. Most of the skimming events get publicized in local newspapers, and trust me, I've also been a merchant and the last thing you want to see is your store and a picture under a byline that says a thousand customer cards were skimmed at this store. What we did is we took all of those local stories and we brought them to national attention. We reported on ourselves. The whole idea was to say, "Look, you might be wiping your brow because you didn't get skimmed because you're up in Detroit, Mich. and the skim was out in Las Vegas. But make no mistake about it, if you have an interstate running near your store, they're going to come over and they're going to attempt to skim your dispensers." That was the first thing: make people aware that just because you haven't been skimmed doesn't mean you're not going to be.
Then the next thing was to educate the industry on not being an expert, but just being vigilant and by changing the lock, putting that security tape on there. One of the things that we did was the Convenience Alliance for Technology Standards that came out with two guides. One was on how to secure your dispensers and we actually had a few major dispenser companies, Dresser Wayne (GE Wayne now) and Gilbarco Veeder-Root, help us with this guide. It helps us to lock down their dispensers. Then, the second guide was how to inspect your fuel island for the possibility and presence of skimmers and that was spearheaded by Synex, a large company out in Mid-West. We released those two written documents.
The last thing that we did is we came up with a simple, 20-minute video and Jeff Miller, our chairman of NACS, narrated the video. This is available for download. We're going to show you how to secure and have an inspection of your dispensers, and you owe it to your customers to do it. That has been our mantra going forward: We owe it to our customers to do this and here are the simple steps you can take with the dispensers and not be a victim.
Mag-Stripe: Achilles' Heel of PaymentsKITTEN: Then what about as we move beyond skimming? Are there other parts of the payments chain where you see merchants struggling from a security compliance perspective? I'm asking about some of the connectivity in perhaps wireless issues that you mentioned earlier.
TAYLOR: My feeling, and a lot of merchants share this feeling, is that we're spending billions of dollars every year, the merchants, trying to fix a broken system. It's kind of like owning a fixer-upper house that just won't get fixed up. At some point, we have to make a choice that this can't get fixed and it needs to be revamped, and I think we're getting to that stage. The Achilles' Heel to the payments system right now is the mag-stripe. The mag-stripe, because it is there on the card and because you can now use that track 2 data to buy things online, now we have to secure this entire data system around it. Over the last 20 years, as the Internet has grown in its uses at retail, we may have a wonderfully connected system that now has to be totally disconnected because we have card data going over them and because the card data doesn't necessarily need to have an electronic signature. It's a broken system.
When you look at a level for a merchant, you look at a guy who may own one or two restaurants or convenience stores, you look at the FAQ for PCI, it's kind of like running 10/40 long form without the benefit of a calculator. These guys are throwing up their hands and saying, "I don't understand what they want me to do, let alone all of the ongoing things." I mean, if you had wireless at your location or even if you don't, technically speaking you have to go scan for rogue wireless devices at your store. My guys didn't know how to scan for rogue devices, so they have to hire professionals. And our estimate is that convenience stores are spending about $9,200 a year to protect the mag-stripe unauthenticated system that we have in place today, which is just antiquated by any other foreign country's standards.
This is the end of the first part of a two-part interview with Gray Taylor of NACS. Please be sure to check back for part 2 when Gray discusses consequences of a U.S. move to EMV, how financial institutions as card issuers and merchants can collaborate to fight skimming trends and steps vendors and organizations like the PCI Security Standards Council can take to assist merchants in the fight for stronger card security.