Gas stations and convenience stores won’t be getting an extension of the upcoming October 2020 fuel-pump EMV liability shifts, according to a merchant trade group. Meanwhile, Visa is warning of malware-based attacks against fuel retailers that invade their point-of-sale systems.
The major networks have set next October for pumps to be able to read chip cards and not just magnetic-stripe cards, otherwise the station will be financially liable for any resulting transaction fraud. The Merchant Advisory Group, an association of retailers and other merchants concerned with payment issues, recently requested Visa and Mastercard postpone the shifts for another two years. The original liability shift had been set for October 2017, but the networks delayed it for three years citing pleas from fuel retailers about the costs and difficulties of upgrading pumps.
Even with the delay, many gas stations are still having problems, prompting the MAG to ask for a postponement. But the networks said no, according to a MAG spokesperson in Washington, D.C.
“MAG requested a delay due to the lack of industry readiness,” the spokesperson says by email. “Networks denied the request, and MAG encourages industry stakeholders to prepare for October 2020 by having sufficient capacity of certified technicians, adequate software availability, and streamlined certification processes to ensure that fuel merchants are able to transition to EMV and avoid negative financial implications.”
The percentage of fuel-pumps expected to be EMV-ready by October was not immediately available.
Meanwhile, though most of the discussion about payment card fraud at gas stations involves skimmers that capture magnetic-stripe card data when the card is inserted into a fuel pump’s card reader, Visa this month issued a security alert about three fraud attacks, two of which were aimed at the point-of-sale systems of North American “fuel-dispenser merchants,” Visa said. The attacks were investigated by Visa’s new Payment Fraud Disruption unit, which the network announced in August.
In the first, an employee opened a phishing email sent to the targeted merchant containing a link, which when clicked installed a remote-access Trojan that gave the senders access to the merchant’s corporate network. From there, the fraudsters obtained and used credentials “to move laterally into the POS environment,” Visa’s report says. Then they deployed a random-access-memory (RAM) scraper “to harvest payment card data.”
The second attack involved a different fuel retailer, and the report says it is unknown how fraudsters initially gained entry into the merchant’s computer system. Once in, however, they moved within the POS environment and installed a RAM scraper to steal card data.
“The targeted merchant accepted both chip transactions at the in-store terminals and magnetic-stripe transactions at fuel pumps, and the malware injected into the POS environment appears to have targeted the mag-stripe/track data specifically,” the report says. “Therefore, the payment cards used at the non-chip fuel pumps were at risk in the POS environment.” U.S. EMV chip cards nearly always have a back-up mag stripe.
Visa said it believes this second attack was the work of a cybercrime group known as FIN8. Active since at least 2016, FIN8”often targets the POS environments of retail, restaurant, and hospitality merchants to harvest payment account data,” the report says.
Visa believes FIN8 also was behind the third attack mentioned in the report, which involved a hospitality merchant. The attackers used a type of malware previously associated with FIN8, but also another variant of banking malware that hadn’t been associated with the group earlier.
“While the malware used in this attack was not identified in the attacks against the fuel-dispenser merchants, it is possible FIN8 will use this malware in future operations targeting fuel-dispenser merchants,” the report says.