In August and September 2019, Visa Payment Fraud Disruption (PFD) investigated two separate breaches at
North American fuel dispenser merchants. The attacks involved the use of point-of-sale (POS) malware to
harvest payment card data from fuel dispenser merchant POS systems. It is important to note that this attack
vector differs significantly from skimming at fuel pumps, as the targeting of POS systems requires the threat
actors to access the merchant’s internal network. In one of the two cases investigated by PFD, the threat actors
successfully compromised the merchant’s network through a phishing email that contained a malicious
attachment. Once the malware was deployed on the merchant’s network, it scraped Track 1 and Track 2 payment
card data from the random access memory (RAM) of the targeted POS system. The threat actors were able to
obtain this payment card data due to the lack of secure acceptance technology (e.g. EMV® Chip, Point-to-Point Encryption, Tokenization, etc.) and non-compliance with PCI DSS.
The targeting of fuel dispenser merchants is the result of the slower migration to chip technology on many
terminals, which makes these merchants an attractive target for criminal threat actors attempting to compromise
POS systems for magnetic stripe payment card data.
1. Implications for Fuel Dispenser Merchants
Card skimming at fuel pumps remains a pervasive and increasing threat for fuel dispenser merchants. However,
these recent, more technically advanced threat campaigns targeting fuel dispenser merchant POS systems mark
a concerning trend that will likely continue. Many fuel dispenser merchants are currently updating their systems
to accept and process more secure transactions, such as upgrading to devices that support chip.
Source: Visa Security Alert