VISA warns of POS malware incidents at gas pumps across North America

VISA says it’s aware of POS malware being deployed on the networks of five North American fuel dispenser merchants.

Payments processor VISA says North American merchants who operate gas stations and gas pumps are facing a rash of attacks from cybercrime groups wanting to deploy point-of-sale (POS) malware on their networks.

In two security alerts published in November and December, respectively, VISA said its security team investigated at least five incidents of the sort.

The payments processor said cybercrime groups carried out attacks with the main purpose of gaining access to fuel dispenser merchants’ networks, where they installed POS malware.


POS malware works by continuously scraping a computer’s RAM for what looks like unencrypted payment card data, which it collects and then uploads to a remote server.

The VISA Payment Fraud Disruption (PFD) team says cybercrime groups appear to have found a weak spot in how gas stations and gas pump operators work.

While the in-store POS terminals of some merchants might support chip-and-PIN transactions, most of the card readers installed on gas pumps do not.

These gas pump card readers still operate on older technology that can only read payment data from the card’s magnetic stripe.

Data from these outdated card readers is sent unencrypted to the gas station’s main network, where crooks have realized they can intercept it.

VISA documented breaches at two fuel dispenser merchants in a November 2019 security alert, and another three breaches in a December 2019 alert. The two alerts highlight a new target and modus operandi for cybercrime groups.

The attacks on fuel dispenser merchants began over the summer, VISA said. Two of the five attacks were linked to a cybercrime operation known as FIN8.

VISA said the easiest ways for fuel dispenser merchants to safeguard customers are to either encrypt card data while it’s being transferred across a network or stored in memory, or shift to a chip-and-PIN card acceptance policy.

“Fuel dispenser merchants should take note of this activity and deploy devices that support chip[-and-PIN] wherever possible, as this will significantly lower the likelihood of these attacks,” VISA said.
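A defender-side check for the advice above, as an added example that is not from VISA's alerts or the original article: it scans payloads captured on a merchant's own pump-to-store network segment for magnetic-stripe track data still in cleartext, the condition that encryption in transit removes. The track patterns follow the ISO/IEC 7813 layout; the function names, sample payloads and pump labels are constructed for illustration.

```python
import re

# Track 2 (ISO/IEC 7813): ;PAN=YYMM, 3-digit service code, discretionary data, ?
# Track 1 (format B):     %B PAN ^ NAME ^ YYMM, service code, discretionary data, ?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})\d{3}\d*\?")
TRACK1 = re.compile(rb"%B(\d{13,19})\^[^\^]{2,26}\^(\d{4})\d{3}[^?]*\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn checksum: filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 48  # ASCII digit to int
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: bytes) -> str:
    """Keep only first six and last four digits so findings are safe to log."""
    s = pan.decode()
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def find_cleartext_tracks(payload: bytes):
    """Return (track, masked PAN, offset) for every Luhn-valid track record."""
    hits = []
    for name, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(payload):
            if luhn_ok(m.group(1)):
                hits.append((name, mask(m.group(1)), m.start()))
    return sorted(hits, key=lambda h: h[2])


# Constructed sample payloads; 4111111111111111 is a widely used test PAN.
SAMPLES = {
    "pump-03 cleartext": b"\x02TXN 0042 ;4111111111111111=25121010000000000?\x03",
    "pump-04 track1": b"%B4111111111111111^DOE/JOHN^25121010000000000?",
    "pump-05 bad luhn": b";4111111111111112=25121010000000000?",
    "pump-06 encrypted": bytes.fromhex("9f3ac4e17b02d85566a1"),
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(label, find_cleartext_tracks(data))
```

Any hit means card data is crossing that segment unencrypted; an empty result on every sampled payload is what a correctly encrypted reader-to-POS link should produce.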

Fuel dispenser merchants have until October 2020 to deploy chip-and-PIN compatible card readers on their gas pumps. Starting October 2020, VISA said liability for any card fraud would shift from itself to the merchants, which will likely motivate many operators to update their gas pump card readers. Until then, many are still vulnerable to attacks.

2 thoughts

  1. Does your blog have a contact page? I’m having a tough time locating it but, I’d like to shoot you an e-mail. I’ve got some recommendations for your blog you might be interested in hearing. Either way, great site and I look forward to seeing it expand over time.

