Skip to content

ACI Blog

Move Over EMV – Meet the Real Protectors of Fuel Pump Payments

In fact, there’s much more than EMV for fuel merchants to consider when it comes to blocking fraudsters. For instance, EMV does not offer complete protection against all forms of payment fraud, or worse, security breaches. Let’s take a look at all the elements that fuel merchants need to consider to better protect their business.

EMV is vital – but it’s not a shield against breaches

EMV is an important development in fraud prevention because it makes it much harder for fraudsters to use stolen or counterfeit cards. Instead of relying on the magnetic stripe of a card, EMV utilizes a chip that makes cards nearly impossible to replicate, preventing replay attacks, where a valid transaction is repeatedly put through by a fraudster. Though keep in mind, since there is a mag stripe, that card data can be collected by a skimmer and used by fraudsters elsewhere.

What EMV doesn’t do

EMV-compliant payments still require the merchant to send card numbers to the issuing bank to process the payment. EMV doesn’t mask or hide card numbers and expiration dates, and that data can still be intercepted by fraudsters and used for eCommerce payments, or with manual card entry (i.e in a call center).

Cardholder data must be protected, and since EMV doesn’t encrypt any of the data that is used for transaction processing, it is susceptible to being illegally obtained by “sniffing” and sold on the dark web.
EMV also doesn’t protect against other types of fraud, such as identity theft and account takeover, both of which are prevalent and on the rise.

Fraud and data breaches are big business – they also make big news and cost merchants dearly. In fact, according to Risk Based Security, in 2019 there were 7,098 breaches exposing 15.1 billion records. Since retailers were the third worst-hit sector, what else should fuel merchants consider in addition to EMV?

P2PE – protecting payments data at the pump and POS

It’s important to secure payment data to deter criminals, protect reputations and ensure no useable personal data can be stolen. The first step in doing this is to protect the payment data as it travels from the terminal to the processor.

Point-to-Point encryption (P2PE) encrypts sensitive payment information at the point of sale, whether that is a store terminal or a fuel pump, and only decrypts that data once it reaches a safe harbor at the processor end. The encryption happens on the hardware itself, which is tamper-resistant and uses a different encryption key for every transaction. If a fraudster were to intercept the sensitive data as it is transmitted between the pump/terminal and the processor, they would not be able to read the data. This means that no useable information can be stolen while the transaction is in flight; the fraudster will only see the permitted details and undiscernible sequences replacing the payment data, rendering it useless to them.

Not only does P2PE protect the cardholder from their data being stolen when they use their card at the pump, it also protects the merchant from the reputational and customer relationship impact of compromised data.

While fuel merchants are undertaking this major effort to implement EMV at the pump, it makes sense to use that opportunity to implement P2PE at the same time. Covering both together not only saves the additional time and cost of two separate implementations, but it means fuel merchants can significantly enhance their payments security in one window.

P2PE and tokenization – the data security duo

P2PE isn’t the only kind of encryption that can help secure payment data and protect fuel merchants from becoming the next data breach headline. Hackers don’t just target data as it travels from payment terminal to processor; in fact, many of the big data breaches in recent years have stemmed from stealing data from merchants’ back office systems.

This is where tokenization provides the perfect teammate to P2PE, because it replaces the payment data with a representative “token” when it is “at rest” in storage. Tokenization replaces the Primary Account Number (in most cases, a card number) with a unique value or numeric sequence that renders transaction data useless to thieves, because they are unable to reverse the process to uncover the original number. The token can retain some of the original data, so it is still useful to the database owner. For instance, it could retain the first 6 and the last 4 digits, so the owner would understand the issuer and be able to present the last 4 digits in a statement.

Tokenization can be used across channels, including for “card not present” (CNP) payments. This is a significant advantage for fuel merchants that are looking to implement mobile payment apps – a growing trend in the sector as gas station operators seek to enable slicker, digitally-enabled customer journeys.

The fight against fraud continues…

A combination of these techniques is essential for fuel and convenience stores to protect themselves from the costs and reputational impact of payment fraud and data breaches.

A holistic approach to fraud prevention is still essential to ensure that fuel merchants can identify and block as much attempted fraud as possible, while supporting a positive experience for genuine customers.

For further insights on the issues of EMV and P2PE for fuel merchants, listen to our recent podcast with PaymentsJournal and Mercator, and visit our fuel and convenience resource center.

Product Manager – Merchant Payments

Dennis has more than two decades of experience in the merchant payments space. He leads global innovative product initiatives within ACI, such as tokenization, real-time payments, and many more that support merchants in their digital payments transformation journeys. Before ACI, he worked as a Principal Architect for S1, which ACI later acquired. Dennis is passionate about technology, payments and sports.