Automated Fuel Dispensers Susceptible to Skimming

Operations

from Visa Business News July 15, 2010


Criminals have been targeting Automated Fuel Dispensers (AFDs) to obtain sensitive card account and Personal Identification Number (PIN) data. Visa first highlighted “skimming,” and provided mitigation strategies, in an August 2006 edition of the Visa Business Review. Many of these same vulnerabilities have persisted and continue to contribute to criminal compromises today. The mitigation strategies described below can significantly reduce risk for petroleum merchants and the broader payment system.

Risks Affecting Petroleum Merchants

Increasingly, petroleum merchants (service stations) have been targeted by sophisticated fraud rings seeking sensitive cardholder data. In many cases, the vulnerabilities being exploited can be addressed with simple mitigation strategies (e.g., by ensuring that AFD access keys are securely managed).

To help merchants reduce the threat of data compromise, Visa has identified the following common vulnerabilities and has provided corresponding mitigation strategies to help secure merchant payment systems:

  • PINs and Card Skimming

    Merchants that fail to restrict AFD access to designated employees or technicians may be vulnerable to skimming attacks. These attacks occur when criminals and/or “collusive” employees access the interior of the pump and attach devices that capture or “skim” cardholder PIN and account information.

    Recent attacks on AFDs are increasingly sophisticated and have included the use of false keypad overlays and internal tapping devices. Older “legacy” AFDs that lack an encrypting PIN pad (EPP) or that do not support triple-DES are increasingly susceptible to these attacks.

    As of 1 January 2009, all newly deployed AFDs must have a Payment Card Industry (PCI)-approved EPP. Visa also recommends the use of a PCI-approved unattended payment terminal (UPT). For more information, please review the Visa General PED Frequently Asked Questions document, also available at www.visa.com/cisp under the “PIN Security” section.
  • Handling of Brass Keys

    Certain AFD models share common pump keys, also known as “brass keys,” which allow service station employees and technicians to gain access to the interior of the pump. This ease-of-entry feature supports legitimate maintenance activity. However, criminals have exploited the use of “common” brass keys to access the AFD and attach devices that capture or skim cardholder information.
  • Unattended Devices

    The unattended nature of an AFD creates an attractive target for fraudsters if proper controls are not implemented to protect against potential skimming attacks. Fraudsters can exploit the service station environment, which has minimal staff to monitor all pumps and improper physical access controls for AFDs. Without proper controls, criminals can potentially access and modify AFDs by distracting the attendant or blocking surveillance cameras with large vehicles.
  • Point-of-Sale PIN-Entry Devices (POS PEDs)

    Merchants that accept PIN transactions at the register are cautioned that fraud rings have also attempted to pose as service technicians to introduce “tampered” POS PEDs into the merchant’s attended POS environment. Merchants should ensure that:

    • All POS PEDs are firmly affixed to the countertop and
    • Only approved technicians are permitted access to POS systems and devices

Recommended Mitigation Strategies

To minimize the risk of data compromise, merchants and agents should:

  • Implement processes and controls to ensure that entry into AFDs is strictly limited to designated employees or technicians only.
  • Conduct regular inspections of AFD interiors and exteriors to look for signs of tampering. Legitimate servicing of AFDs should also serve as an opportunity to perform device inspections.
  • Develop detailed pictures and diagrams of the normal interior of all supported AFDs to support ongoing employee training and inspection efforts.
  • Ensure that AFD access keys are never shared among large populations of devices and that all brass keys are securely managed. For both keyed and non-keyed units, consider implementing site-specific AFD locks. Review vendor solutions that will alert merchants when pumps are opened.
  • Verify that AFD and attended POS PED access is restricted to designated employees or service technicians, as appropriate. Authorized and validated repair technicians should be escorted and monitored.
  • Make obvious use of video surveillance and post signs informing patrons of its use at the station.
  • Ensure that merchants only purchase EPPs that are listed on the Payment Card Industry Security Standards Council (PCI SSC) PIN Transaction Security Devices List.
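Two of the controls above, restricting AFD entry to designated technicians and alerting when a pump is opened, can be combined into a simple detection check. The following is an added example, not Visa's or any vendor's code: it assumes a hypothetical pump-door sensor feed in a constructed line format and a constructed list of authorized service tickets, and flags every door opening that has no matching ticket so staff can inspect the pump.

```python
from datetime import datetime

# Constructed sample alerts from a hypothetical pump-door sensor feed.
# The "timestamp pump=N event=... badge=..." format is an assumption for this example.
DOOR_EVENTS = [
    "2010-07-10T09:05:00 pump=3 event=door_open badge=TECH-017",
    "2010-07-10T09:42:00 pump=3 event=door_close badge=TECH-017",
    "2010-07-11T02:17:00 pump=5 event=door_open badge=NONE",
    "2010-07-11T02:31:00 pump=5 event=door_close badge=NONE",
    "2010-07-12T14:00:00 pump=1 event=door_open badge=TECH-017",
    "2010-07-12T14:20:00 pump=1 event=door_close badge=TECH-017",
]

# Constructed authorized service tickets: (pump, technician badge, window start, window end).
# Only pump 3 has scheduled, escorted service in this sample.
SERVICE_TICKETS = [
    (3, "TECH-017", datetime(2010, 7, 10, 8, 0), datetime(2010, 7, 10, 12, 0)),
]


def parse_event(line):
    """Split one sensor line into a dict with a datetime, pump number, event and badge."""
    timestamp, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    return {
        "time": datetime.fromisoformat(timestamp),
        "pump": int(rec["pump"]),
        "event": rec["event"],
        "badge": rec["badge"],
    }


def is_authorized(pump, badge, when, tickets):
    """True only if a ticket names this pump and badge and covers the time of entry."""
    return any(p == pump and b == badge and start <= when <= end
               for p, b, start, end in tickets)


def flag_unauthorized_openings(lines, tickets=SERVICE_TICKETS):
    """Return (pump, ISO time, badge) for every door_open with no matching ticket.

    An unscheduled opening by a known technician is still flagged: the guidance
    requires technicians to be validated and escorted, so the pump should be inspected.
    """
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["event"] != "door_open":
            continue
        if not is_authorized(ev["pump"], ev["badge"], ev["time"], tickets):
            alerts.append((ev["pump"], ev["time"].isoformat(), ev["badge"]))
    return alerts
```

Running `flag_unauthorized_openings(DOOR_EVENTS)` on the sample data reports the 02:17 opening of pump 5 with no badge and the unscheduled opening of pump 1, while the ticketed service on pump 3 is not flagged.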

Visa strongly recommends that merchants use heightened vigilance and maintain a secure service station environment at all times, especially around AFDs. The PCI SSC has published a skimming prevention best practices document entitled “PCI SSC Information Supplement: Skimming Prevention—Best Practices for Merchants.”

Merchants should educate their employees on the potential for skimming compromise and ensure that staff members know what actions to take if an AFD has noticeable signs of device tampering.

If AFD tampering is suspected, merchants should immediately contact their merchant bank, Visa, and law enforcement.