Yes, the October 2020 EMV Deadline for Fuel Pumps is a Definite

How ControlScan is helping fuel retailers further reduce their cyber risk

January 30, 2020 • Published by

EDITOR'S NOTE, MAY 4, 2020: Visa has announced that it will extend the EMV deadline by 6 months, to April 2021. While that is great news for the fuel retailing industry, we continue to recommend the guidance in this post as a means of preparation.

The EMV deadline is now in its 11th hour.

It’s 2020, and that means the deadline for the Visa and Mastercard EMV liability shift for the petroleum market is now imminent. But before you say, “Well, I’ve heard that one before,” and go about your business as a fuel retailer, it’s important to understand that this deadline appears to be sticking.

For the uninitiated, the EMV liability shift was first announced in 2012 with an effective date of October 2015. Since that time there has been enormous progress in getting EMV card readers installed where cards are accepted, but the petroleum space presents a unique set of challenges when it comes to upgrading to EMV.

Knowing this, Visa and Mastercard extended the deadline for EMV at the pump to October 2017. As they watched much of the industry scramble to get their sites upgraded battling a scarcity of qualified technicians and a shortage of required hardware and software, they extended it again to October 2020. However, the two credit card companies recently declined to extend the deadline a third time and plan to hold the line on the October 2020 date.

The EMV deadline was and still is a big deal because once in effect for fuel retailers, merchants using card readers that rely on the magnetic stripe (rather than the chip embedded in a credit card) to transmit payment transactions will bear the financial burden of chargebacks and counterfeit fraud attributed to those readers.

Missing the EMV deadline increases financial risk.

What does it mean to miss this deadline? The short version is that merchants who miss the deadline are gambling that they will not be targeted by thieves and exposed to charges for reimbursement. There is no penalty for missing the deadline, but there is risk. Not completing the conversion to EMV can put a site on the radar for potential hackers as they look to target the stores with the least resistance. It can also imply that the operators are not as security conscious and possibly have a reduced posture that will be easier to exploit.  This can lead to increased occurrences of counterfeit card fraud as well as the appearance of skimmers and additional threat vectors.

Difficulties in getting a slot in a busy tech’s schedule and the necessary hardware ordered are expected to continue if not increase through 2020. These factors are mostly beyond your control, but there are ways you can reduce the risk of fraudulent activity at your stores while you await upgrades.

Leveraging managed security further reduces risk.

ControlScan’s convenience store and fuel retailing customers are working hard to meet the October 2020 EMV deadline. In addition, many customers are working with us as a Managed Security Service Provider (MSSP) to maximize their overall site security in the process.

Here are three ways we’re working with customers during their EMV transition:

  • Managed Firewall – One of the main ways that an MSSP can help an operator is to provide guidance in navigating PCI DSS Requirement 1 of the PCI DSS states that a site must “install and maintain a firewall configuration to protect cardholder data.” Many fuel retailers do not have the expertise or staff required to configure and maintain a firewall, and it isn’t as easy as installing an off-the-shelf box with a base configuration. A managed firewall can also ease the transition to EMV and, in many cases, it is a required component of the upgrade.
  • Managed Detection and Response – While there are several hardened terminals in use in the field, many point-of-sale products utilize platforms which make them susceptible to viruses and malware. Anti-virus products can only do so much, and they don’t have the added benefit of active monitoring. Most anti-virus programs use signature-based detection which relies on prior identification of virus files in a database. Without up-to-date signatures the identification is flawed, and custom malware is becoming more prevalent which means signature-based identification will no longer work. A more robust solution is a Managed Detection and Response (MDR) deployment that includes behavioral threat detection and prevention, alongside existing signature-based threat detection, log ingestion, and an eyes-on-glass security operations center (SOC) with analysts pouring through alerts coming from protected endpoints on the network.
  • Security Awareness Training – When it comes to security, sometimes the weakest links are your employees. Attackers are actively using phishing campaigns against store employees, collecting credentials to allow access to important store resources. In this case, the best defense is educating your employees on the common threats and best practices so they can identify security concerns early and avoid the pitfalls that can lead to a catastrophic breach.

If meeting the EMV deadline isn’t a possibility (and even if your site has already finished the conversion), there are other ways to reduce the financial risks associated with data breaches and fraud. Subscribe to this blog—see the subscription box in the upper right of this page—to receive our periodic posts on security and compliance best practices.