Why so many gas pumps still have less-secure credit card readers
If you use a credit or debit card to pay at the gas pump, keep an eye out for fraudulent charges: The card readers there tend to lack chip technology, and hackers are targeting them.
Most U.S. retailers switched to chip-card readers long ago to meet an October 2015 deadline. But gas stations got extra time to upgrade, due in part to the infrastructure at the pumps. Their deadline isn’t until October 2020.
Those old-style card readers are vulnerable, credit card company Visa said, citing a round of cyber attacks this year.
In one case, a gas station was compromised by malware from a phishing email that was opened by an employee. Using a type of software called a RAM scraper, the hackers harvested card data from the station’s payment terminals, according to a recent warning from Visa.
Another incident that also involved a RAM scraper seemed to specifically target data from transactions at a gas station’s fuel pumps, where customers swiped their cards’ magnetic stripe, Visa said. Data from payments made inside the station, using a machine with a chip reader, were not targeted.
Customers can avoid using their credit cards at the magnetic-stripe readers by paying cash or using a gas station payment app, consumer advocates said.
Visa suggested that gas stations stiffen up their network security and train employees on how to avoid phishing scams. It also said converting fuel-pump card readers to chip technology would help thwart these attacks.
With chip cards, no payment card data are transferred during a sale. Rather, a unique code is transmitted that, if stolen, is no more useful than an expired password.
Upgrading isn’t cheap. Adding a chip reader to a relatively new gas pump could cost $1,200, said Brian Riley, director of credit advisory services at Mercator Advisory Group, a payments industry analysis and consultancy firm.
But gas stations do have reasons to make the change. Starting in October, if a fraudulent charge is made at a gas station card reader that still lacks chip technology, the gas station — not the credit card company — will have the responsibility of covering the charge.
Cardholders should get their money back if they report fraud to the card issuer, but the gas station would then owe that money to the card issuer, said Ted Rossman, industry analyst at CreditCards.com, a review and analysis site.
If a gas station does not repay the charge, or if it generates a large number of chargebacks — repayments to a payer — then its contract with a card issuer could be revoked and it may no longer be able to accept that card, Riley said.
Gas stations that don’t upgrade in time might choose to have all customers pay at the cash register at a single chip-card reader, he said.
Chevron said Monday that it plans to have chip technology software available to its retailers by early 2020 and that it has already put software into production for half its sites. Phillips 66 said it already encrypts the data that come through its system and its stored data.