As the saying goes, “It’s not paranoia if they’re really out to get you.” By those standards, it’s no wonder issuers and gas station owners have their heads on a swivel knowing that somewhere gas pump skimmers are stealing money and, along with it, cardholder information and trust.
During a typical week in 2017, Florida investigators found 12 gas pump skimmers. The statewide total of 613 for the year was a record breaker. Texas also has seen a noticeable increase, with gas stations located on or close to major highways serving as prime targets. The problem is serious enough that executives with a number of financial institutions tell us they no longer pay at the pump, opting to use the chip card terminal inside instead.
According to Colby Gatlin and Dennis Chen with PULSE Fraud Operations, that level of caution is justified. They serve on the team that leverages the DebitProtect® fraud mitigation service to offer a unique network view across the payments ecosystem. Currently, DebitProtect processes an average daily volume of 8 to 10 million transactions for 1,300 issuers. According to PULSE Fraud Operations, DebitProtect has prevented more than $44 million in attempted fraud over the past three years.
During the recent webinar, Fraud Trends Impacting Debit, Gatlin and Chen attributed the increase in gas pump skimming in part to the delay in the chip liability shift for automated fuel dispensers, which is now slated to take effect in October 2020.
The Weak Link
As one of the last bastions of mag stripe terminals, gas pumps are likely the weak link in point-of-sale payments. Adding to their vulnerability is the fact that they are often located beyond the view of gas station employees, making the quick setup and removal of skimmers relatively easy.
“Gas pump skimmers have become almost undetectable, so paying for gas inside where you can use a chip terminal is a great precaution – especially if the gas station is located close to a major highway,” said Gatlin. “Before paying at the pump, check your smartphone for suspicious Bluetooth signals, go to the pump closest to the physical store, inspect the card reader for evidence of tampering and give it a good tug before inserting your debit card.”
That level of vigilance may seem like overkill, but Gatlin and Chen predict we are just scratching the surface of the threat. They believe gas pump skimming incidents are likely to increase until well after the liability shift in 2020, with fraudsters growing ever more sophisticated along the way.
Five Actions to Help Minimize Fraud
When issuers discover a skimming incident, Gatlin and Chen recommend the following five actions to help minimize fraud:
- Contact local law enforcement to investigate.
- Determine the window of exposure.
- As deemed necessary, start the reissue process. (For best practices for how to respond when cards are believed to be compromised, see the story, Mitigate Risk and Minimize Cardholder Impact.
- Lower PIN limits on all compromised cards.
- Deploy card group rules to target fraud behavior on a specific list of cards.
More tips for fighting fraud are available on Payments & You.
Card Group Rules
For most people, a gasoline purchase is a necessity. If a debit cardholder who needs gas has a card declined, they’ll either choose a different form of payment or become very upset. Both of those options are threats to the issuer, which is why developing targeted card group rules is essential.
“False positives are inevitable in fraud mitigation, but we want to limit the potential for cardholder inconvenience while also keeping fraud losses within the financial institution’s risk tolerance,” said Chen. “It’s a balancing act that requires the financial institution and fraud-data analysts to work closely together.”
This level of collaboration is part of the DNA of DebitProtect Authorization Blocking. Its Custom Fraud Alerts and Authorization Blocking services enable issuers to monitor fraud and suspicious activity in real time. In addition, customers are provided access to customer service representatives and fraud data analysts with deep experience in payments fraud who are available for consultation and rule development.
“First we need to identify at-risk cards that may have been compromised, then work together to develop a card group rule the issuer finds acceptable,” said Gatlin. “Through careful analysis, we can develop rules that target specific fraud behavior and can be more aggressive than rules we establish for the entire card base.”
An example might be blocking transactions of a certain amount attempted at a gas pump using a compromised card if the card had previously been used at a gas pump within a particular timeframe.
“It’s certainly possible that a cardholder could fill up two cars within an hour of each other, and that’s where the data is invaluable,” said Chen. “If that behavior is very rare, the risk of ruffling feathers among cardholders is relatively low. This would inform the decision whether card group rules should block such transactions.”
Finally, Gatlin and Chen offered a friendly reminder that issuers should consider making it a standard practice to share information about any incidents of skimming with other financial institutions in the area. Networking with peers and sharing information can be a great fraud fighting tool and a way to build relationships with other financial institutions.