The way the state handles transactions at pumps could be changed due to a warning issued by the New Jersey Department of Homeland Security about fraud and stolen card information at gas stations.
According to the New Jersey homeland security department’s cybersecurity division, the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), cybercriminals are installing malware on merchants’ fuel dispenser networks in order to steal unencrypted payment card data.
Many gas station pumps in New Jersey do not accept chip card transactions and can only read payment data from the card’s magnetic stripe. The data from the stripe is sent unencrypted to the gas station’s network, where it can be stolen, the department said.
To avoid this situation, all gas stations in New Jersey will be required to have chip readers at pumps by October 2020.
The department recommends that gas merchants deploy compatible chip card readers as soon as possible and train gas station attendants on how to recognize payment card skimmers.
ALERT: Cyber-criminals are installing POS malware on gas station networks in order to steal unencrypted payment card information. Learn more at https://t.co/GVKwv5h8j3 #cybersecurity #cyber #security #tech #infosec #CyberAware
— NJCCIC (@NJCybersecurity) December 26, 2019
In a statement, Visa said it investigated two separate breaches at North American fuel dispenser merchants this fall, although the company didn’t say where. The attacks involved the use of malware to harvest payment card data.
Many customers say they absolutely worry about fraud, especially at the pumps.
“We were at a gas station recently, and concerned, because they had taken the card and it was a lengthy time,” says Kim Bennett, of Wall. “Had to check the statement to make sure no issues.”
Meanwhile, to reduce the risk of card fraud, NJCCIC recommends that customers pay for gas with cash or a credit card rather than a debit card, and that station owners train their staff to look for skimming machines and make sure card data is encrypted before it is sent over the network.