Security can be difficult to improve at gas stations because payment hardware is built into the pumps, making it costly and difficult to upgrade. First Data and VeriFone are teaming up to overcome this challenge.
"There's a huge amount of money involved with gas station transactions," says James Hervey, a senior product marketing manager at VeriFone, who says most gas station payments are currently made by swiping a card at a gas pump, which has a longer shelf life that other types of payment devices. "The turnover for gas pump terminals is about ten to 12 years; these devices tend to stay in operation for a longer time than a PIN pad or a payment terminal. The technology can be dated, which makes it a challenge when dealing with security and other updates at gas pumps."
VeriFone and First Data have launched a customized version of First Data's TransArmor transaction security product that uses technology from RSA and works with VeriFone terminals such as Secure PumpPay and MX devices. The technology is designed to retrofit older gas pumps.
First Data and VeriFone install a full payment device on older terminals, including a PIN pad, card reader, screen and printer. "The gas station owner essentially replaces the hardware and it works with the gas pump just like the existing equipment did. It does the payment upgrade without having to replace the entire gas pump," Hervey says.
The technology can handle encryption for the different types of payment cards that are used for fuel transactions.
"There are a lot of cards that you don't see in other verticals," Hervey says, adding that fleet cards and traditional consumer cards have different encryption needs and also record different information at the point of sale.
"The pump has to know that it is receiving a fleet card or another type of card, and that is has to be encrypted in a certain way," Hervey says. "These older terminals don't have the ability to do that."
Gas pumps are frequent target of card skimming attacks, since they are unattended, easily accessible to the public and have a lot of traffic.
"We've seen a move from criminals that are going from data stores to data in flight," says Paul Kleinschnitz, senior vice president of cyber security solutions for First Data. "Because gas stations have so much transaction volume the pumps are susceptible to breaches."
The technology can also aid in EMV migration by running advertisements on built-in screens to help defray the cost of the terminal upgrade needed to accept EMV-chip cards, Hervey says. "EMV will be a significant expense that will entail just about every gas pump out there. Most of the pumps don't have smart card readers and most are magnetic stripe readers," Hervey says.
The card networks set an October 2017 deadline for gas stations to accept EMV-chip cards to avoid a shift in fraud liability. Other merchant categories have a closer deadline of October 2015.
"Each pump has a terminal that needs to be retro-fitted so it's costly to change, which is why petrol has a longer time to change our their terminals for EMV," says Thad Peterson, a senior analyst at Aite Group. "Further, like health care, petrol and convenience platforms are managed by their own set of technology providers that focus on that segment, so a good deal of customization is required to enable an interface."
Some gas station chains have balked at migrating to EMV-chip cards, preferring to rely on their existing anti-fraud methods such as requiring a ZIP code before accepting a payment.
Despite the pushback, Hervey says the pressure to migrate will be heavy.
"You hear a lot of people discuss not converting to EMV, but at the end of day consumers will migrate to that method and merchants will have to enable them to pay that way," Hervey says.