EMV Conversion Is Costly, But Post-EMV Fraud Could Cost More
Gas station and convenience store owners have until October 2020 to make their pay-at-the-pump card readers EMV compliant, and they’ve had several years to plan and prepare. Still, some experts say many fuel retailers may miss the EMV deadline.
That’s risky because card skimming fraud is rampant at gas stations across the United States, exposing consumer payment data to thieves, hurting fuel retailers’ reputations, and costing card issuers an estimated $400 million per year.
After the EMV liability shift in 2020, gas stations and convenience stores that haven’t made the switch will bear the cost of card fraud at their pumps. The situation is challenging for many reasons, but alternative solutions may help.
Why EMV Readers Aren't Already At The Pump
Fuel pumps were supposed to be EMV compliant by 2017, but card companies pushed the deadline back by three years because the industry faces more complex challenges than standard retailers.
Fuel pumps dispense a heavily regulated product in addition to accepting card payments, and the layout of a gas station is very different from the typical retail store, with payment-data cables often buried under concrete. That’s why industry experts say it will cost as much as $6 billion to convert card readers at the roughly 150,000 fuel stations in the U.S.
Although stations often carry a fuel company’s brand, most gas stations and convenience stores are independently owned small businesses without the resources of a major petroleum producer. The cost for a single gas station to upgrade its fuel pump card readers to EMV can be $25,000 or more — assuming the station owner can find one of the comparatively few trained installers available to do the work.
EMV upgrades can be far more disruptive for gas stations than for the average retailer. In its EMV at the Pump notice, Visa noted that “in some cases, older pumps may need to be replaced before adding chip readers, requiring specialized vendors and breaking into concrete.”
Data cables, wireless routers and servers may also need replacement or upgrades. And because a fuel pump is an investment that can last more than a decade, owners want to get the most value from their equipment, so the timing of new purchases is a consideration, too.
For small fuel retailers looking at the steep cost of upgrades, it might be tempting to forego EMV or ask customers to pay inside, where most stores have EMV-compliant point-of-sale (POS) terminals. In the long run, though, those approaches will almost certainly backfire.
More than 70 percent of U.S. customers pay at the pump, and they’re unlikely to change that behavior. An even bigger issue is that the cost of fraud liability after the EMV shift may be far higher than the cost of EMV conversion, because card skimming is so common.
Why Card Skimming is Such A Big Problem At The Pump
Card skimming — fraud enabled by small scanning devices that thieves insert into or over the card reader or inside the body of the fuel pump to steal magnetic stripe data — is such a problem that the U.S. Secret Service is involved in the fight to thwart skimmers. As of November 2018, the federal agency was seizing as many as 30 skimmers a week, each holding stolen data from an average of 80 cards.
Why is the problem so severe? It’s mostly because other types of skimming fraud are harder to commit. Retail POS terminals have largely converted to chip-card readers, and those that still swipe magnetic-stripe cards are in areas with cameras, employees and customers nearby, so adding skimming hardware undetected is harder to do. ATM anti-skimming technology is also improving rapidly.
That leaves fuel pumps as the easiest available target.
As with other types of fraud, skimmers are increasingly sophisticated. Some thieves now use Bluetooth and wireless network signals to retrieve skimmer data without having to return to the scene. They’re also creating ever-smaller skimming devices that can be nearly impossible to detect.
There’s no reason to believe these organized criminals will simply stop skimming in October 2020, especially because many fuel pumps will miss the deadline and remain vulnerable.
Instead, the financial burden of their crimes will shift to gas station owners who are still using non-EMV compliant POS terminals at their pumps. Failing to convert may create a vicious cycle: As thieves focus their skimming activities on pumps that remain vulnerable, targeted merchants will get more bad publicity and lose customers.
Solutions For Gas Station Owners
Industry analysts have been exploring alternatives that may help small fuel retailers limit their fraud liability exposure even if they can’t afford to upgrade all their pumps at once.
One option is to upgrade at least one pump and disable payment at the others. This reduces the availability of pay-at-the-pump, but it avoids forcing everyone to pay inside the store and offers liability protection at the pump.
Some retailers may choose to replace card payments at the pump with mobile payments. Fuel sellers who are considering switching from card to mobile pay-at-the-pump should thoroughly research the costs not only of app implementation and mobile payment processing, but also of the fraud detection tools that mobile payments require. That’s because the mobile channel is a growth area for payment fraud.
An emerging option is EMV-as-a-service. One startup developed a plug-in module and software to securely bring fuel pumps into EMV compliance for a monthly fee plus payment processing fees. This type of solution may help small fuel retailers who can’t afford to invest in new hardware, but need to compete with nearby stations that can.
There’s still time for convenience store and gas station owners to explore their options for complying with EMV and reducing their fraud liability. However, the window is starting to close. For fuel retailers who want to stay competitive and protect their revenue, it’s time to build and implement an EMV plan.