News Stay informed about the latest enterprise technology news and product updates.

Gas stations get three extra years before EMV liability shift

Gas stations get an extra three years to support new chip card payments, as the EMV liability shift date for automated fuel dispensers is pushed to 2020.

The uptick in EMV adoption appears to have run out of gas.

Visa and MasterCard extended the deadline for gas retailers to upgrade automated fuel dispenser systems to handle fraud-resistant Europay, MasterCard and Visa (EMV) payment cards. Originally set for Oct. 1, 2017, the new deadline gives gas stations an additional three years to beat the EMV liability shift that begins on Oct. 1, 2020.

While U.S. consumers are increasingly likely to have the EMV chip-equipped cards -- and to have used the new cards at retail stores -- fuel merchants, especially those that rely on automated fuel dispensers (AFDs), are still lagging in compliance with the new standards.

"We believe the change in the [AFD] liability shift date was the right thing to do based on extensive discussions with fuel merchants, issuers, acquirers and other stakeholders," Ajay Bhalla , president of enterprise risk and security at New York-based MasterCard, told SearchSecurity by email. "This dialogue identified issues unique to this segment, including significant regulatory and implementation challenges."

Adoption of EMV in the U.S. trailed the rest of the world. But EMVCo, the standards body for EMV, reported that, globally, EMV adoption is up over the past year. From July 2015 to June 2016, 42.4% of global card-present transactions were EMV-compliant, up from 33% from the year before. U.S. transactions were also up, to 7.2% in the most recent period, from only 0.26% the year before.

After the EMV liability shift date, the cost of fraud is assigned to whichever party -- merchant or card issuer -- has the lowest level of EMV adoption. Ordinarily, the fraud risk is assumed by the card issuer, but the liability shift is intended as an economic incentive to prod merchants to upgrade their systems. And gas stations have, so far, been very slow to upgrade.

"Retail petroleum has unique characteristics that other retail markets do not have," Randy Vanderhoof, director of the U.S. Payments Forum, told SearchSecurity. The biggest differences, he said, are payment terminals for fuel pumps are more complicated than for typical retail merchant point-of-sale (POS) terminals, and there are so many of them.

"The payments readers used at a fuel pump are much more complicated to install than an in-store reader. It takes a specially trained and certified technician to install the necessary upgrades at the pumps. There are 1.4 million pumps in the U.S., and far too few technicians," Vanderhoof said.

"The fuel segment has its own unique challenges, which we recognized when we first set the chip activation date for automated fuel dispensers/pumps two years after regular in-store locations," Visa said in a statement announcing the change in EMV liability shift for AFDs.

"We knew that the AFD segment would need more time to upgrade to chip because of the complicated infrastructure and specialized technology required for fuel pumps. For instance, in some cases, older pumps may need to be replaced before adding chip readers, requiring specialized vendors and breaking into concrete. Furthermore, five years after announcing our liability shift, there are still issues with a sufficient supply of regulatory-compliant EMV hardware and software to enable most upgrades by 2017."

But there are reasons AFDs can be at greater risk for fraud. "They are unattended terminals and, therefore, can generally be subject to the insertion of payment card data skimmers more easily than other attended POS terminals," Avivah Litan, vice president and distinguished analyst at Gartner, told SearchSecurity by email. "Also, the same physical key can typically open many AFDs so that skimmers can be inserted, and gas station staff -- who have the physical key -- can be recruited in organized criminal skimming efforts, as has been the case in the past."

With nearly four years before the EMV liability shift for AFDs, both Visa and MasterCard have, in the meantime, introduced fraud prevention tools to reduce losses. The Visa Transaction Advisor (VTA) has "been particularly successful in driving fraud lower at fuel dispensers," according to Visa.

More than 50,000 fuel stations in the U.S. are currently using VTA, and the service is priced "to encourage wide adoption and to deliver compelling return for the merchant in terms of fraud savings," a Visa spokesperson told SearchSecurity by email. Although the service is offered to individual merchants through payment service providers for Visa transactions only, VISA said it is effective at reducing fraud.

"In its first year, Visa Transaction Advisor helped to reduce fraud by more than half -- a 54% decline in counterfeit fraud rates and a 51% decline in lost and stolen fraud chargeback rates," the Visa spokesperson said.

MasterCard offers its own tool to reduce fraud, called Decision Intelligence. Individuals and merchants get the benefit of the tool, but only if their payment-card-issuing banks purchase the service from MasterCard.

"During initial trials, Decision Intelligence was detecting as much as 40% more fraud, with up to a 50% reduction in false positives as market-leading fraud detection systems," Bhalla said.

"In general, fraud on plastic card transactions is supposed to accrue to the card issuer [or] bank, which is why merchants have not invested all that much in fraud detection on plastic card transactions, unless they get hit with so much -- as gas stations do -- that if they don't prevent much of it, their fines and fees from the credit card banks and brands increase," Litan said.

"Also, with the EMV liability shift, the fraud accrues to the party (merchant or card issuer) with the lowest security relative to EMV -- i.e., if the card issuer has issued a chip card, and if the merchant's terminals can accept EMV cards," Litan added. Because AFD merchants have extra time before the EMV liability shift, "the liability situation hasn't changed."

Next Steps

Find out more about why merchants have been slow to adopt EMV technology

Learn about how researchers discovered security flaws in EMV point-of-sale systems

Read about EMV liability shift deadlines

Dig Deeper on Data privacy issues and compliance

PRO+

Content

Find more PRO+ content and other member only offers, here.

Join the conversation

2 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

How has the EMV liability shift affected your organization's operations?
Cancel
I am an independent gas station owner and all of my outside pumps and inside register are all EMV compliant yet I'm still getting chargebacks from the issuer. When a customer pumps outside, they must enter their zip code and it doesn't print out a receipt for me to keep. Even with that, my merchant card services says I'm still liable for the chargeback even though I've done all I could to prevent fraud. Seems unfair to me. Any other merchants have upgraded and are still getting chargebacks that they can't dispute back?
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

  • CIO Trends #6: Nordics

    In this e-guide, read how the High North and Baltic Sea collaboration is about to undergo a serious and redefining makeover to ...

  • CIO Trends #6: Middle East

    In this e-guide we look at the role of information technology as the Arabian Gulf commits billions of dollars to building more ...

  • CIO Trends #6: Benelux

    In this e-guide, read about the Netherlands' coalition government's four year plan which includes the term 'cyber' no fewer than ...

Close