Analysis of the Texas AFD Anti-Skimming Regulation

Introduction to the Regulation

On September 1st, 2019 Texas Legislature created Chapter 607 of the Texas Business and Commerce code related to card skimmers on automated fuel dispensers (AFDs). This chapter requires petroleum merchants to implement procedures to prevent, detect, and report the installation of skimmers on their unattended AFDs. The Office of the Attorney General in Texas proposed new rules (section 56.1-56.6) relating to best practices that ensure Petroleum merchants comply to Chapter 607.  This document contains a summary of the impact on petroleum merchants and detailed information on the changes introduced through the regulation. 

What does this mean for petroleum merchants?

Petroleum merchants must now implement system and process controls to comply with the new Texas regulation.  These new requirements include:

  • Installing AFD locks, whose keys must be unique by location
  • Maintaining a sign-in log of all vendor visits to sites
  • Maintaining up-to-date photos of AFD models (potentially several per site if there are different pump configurations at the site)
  • Performing and logging daily inspections of each AFD
  • Training all site personnel, most likely done through Learning Management and Task Management system changes
  • Installing, physically verifying, and logging numbered, tamper-evident labels on each AFD
  • Abiding by additional requirements in the event a skimmer breach has occurred

In addition to the requirements, W. Capra recommends that all sites follow other best practices for preventing and minimizing skimmer breaches:

  • Install tamper-evident labels and electronic monitoring devices (EMDs), where necessary, on all dispensers
    • The regulation only requires that these steps be taken for non-EMV enabled AFDs.
  • Notify authorities immediately of any suspicion of skimming activity at your location
  • Implement your anti-skimming processes universally, as other states – such as Florida – are currently evaluating regulations similar to that passed by Texas.

Details of the Law

  • Implement training and written procedures: Petroleum merchants and any merchants that operate fuel dispensers with unattended payment terminals must create/maintain written policies and procedures consistent with the mandates of Chapter 607. See the new requirements below.
    • Training on written procedures is required of all employees.
    • The procedures must include background information regarding skimming effects on the customers and merchant.
    • The procedures must include how to recognize suspicious activity and warning signs of skimming.
    • The procedures must include/explain disciplinary consequences that employees may face if they do not comply.

  • Dispensers/Terminal locks and keys: Historically, fuel dispensers were manufactured and installed to be accessible with a universal key.  To improve the physical security of dispensers, merchants must meet the following requirements, which signal a significant change for Authorized Service Contractor (ASC) work on sites:
    • Each door or panel that provides access to fuel dispensers, payment terminals, or any electronic component of payment terminals must now have a unique lock
    • The same lock/key can be used for all dispensers at the same location.  However, if the owner/merchant has multiple locations, each must have a unique key.

  • Vendor sign-in: Some skimmer fraudsters impersonate technicians sent to work on the fuel dispensers in order to avoid detection.  As a result, merchants must require any vendor doing any work on the premise to check in and sign a maintenance log, so employees can recognize unauthorize individuals accessing the fuel dispensers.
  • Tamper-Evident Security Labels: Fraudsters are buying and carrying their own tamper labels that look similar to merchants’ labels.  After installing skimmers, these fraudsters replace the label with the look-alike in an effort to avoid detection. See the new label requirements below.

*Although these requirements are waived for EMV-enabled AFDs, W. Capra strongly advises that merchants adopt these requirements for EMV-enabled dispensers, as EMV technology does not prevent skimming attacks. *

  • Merchants must use uniquely numbered tamper-evident security labels, which will allow the merchant to identify if the security label has been tampered with or replaced.
    • Merchants must keep a log of the number used on each dispenser and log each time the label number changes.
    • The numbered tamper-evident security labels must be used on each door/panel that provides access to fuel dispensers or any electronic component of the payment terminal.

  • Photo of Dispensers: Merchants are required to maintain photo(s) of its dispenser(s). If all dispensers are uniform in appearance (same stickers, leaflets, etc.) at a location, the merchant only needs to maintain a photo of a single dispenser at that location.  If dispensers are not uniform in appearance, the merchant must take pictures of each unique configuration. The photo(s) must be easily accessible and must be used during an inspection to help determine whether any foreign object has been installed.

  • Inspection: Most skimmers are installed inside the pump and are not visible from the outside.  However, skimmers sometimes can be found on the exterior as well. See the new requirements below.
    • Daily visual Inspections of the exterior are required. These visual inspections are intended to detect any signs that the dispenser has been opened, including scratches, pry marks, drilled holes, and other items that may have been installed.

*Depending on the site, W. Capra recommends performing inspections more frequently than daily – perhaps at shift change. More frequent inspections allow for faster detection of skimmers. In addition, some fraudsters install skimmers for less than 24 hours in order to avoid detection.

  • Inspect the tamper-evident security labels to confirm that the number on the label matches the merchant’s log and that the label has not been cut or tampered with.
    • Compare the current state of the dispenser to the dispenser photo on file,
    • Maintain a log of all inspections, documenting the date and time of the inspection as well as the name of the person who conducted the inspection.

*It is recommended that inspections be conducted by different employees periodically to (a) help limit the likelihood that an employee will become careless in the inspection process and (b) help limit the risk that the person conducting the inspections is complicit with persons installing skimmers.

  • Who can perform manual inspections? There is no formal class.  Training can be done by a service technician or experienced law enforcement.  The training will show employees how to identify and detect skimmers on the merchant’s own dispensers. Once someone has been properly trained, they can create training documentation/videos and distribute through a learning management system for new and current employees.

  • What do I do if I suspect skimming or find a skimmer after my inspection?
    • Disable the dispenser and payment terminal affected immediately.
      • If shutting down a dispenser would cause a merchant hardship or substantially disrupt the merchant’s business, the merchant may instead disable the payment terminal only and keep the dispenser operational for indoor payment. In this case, merchants should prevent customers from trying to use the payment terminal by covering payment card slot and direct customers to pay inside.
    • Perform a manual inspection of all AFDs by the trained employee at the location
    • Ensure the person conducting the inspection has access to the AFD photos to help determine whether any foreign object has been installed.
  • Automatic triggers for manual inspections: Below are two examples that skimming might be taking place.  Merchants should implement systematic monitoring and alerting to detect suspicious activity and automatically trigger an inspection and/or disablement of the impacted AFD.

*All inspections for any reason must be logged*

  • High levels of invalid card read errors, dispenser offline messages or issues accepting payment cards at the pump.
    • If merchant may be contacted by a card brand, a payment processor, a financial institution, a law enforcement officer, or a representative of the Center, or anyone else regarding fraudulent activity.

  • What is a skimmer breach and what action does it require of me? If a skimmer is discovered on any a site’s AFDs on more than two occasions in a 24-month period, these events qualify as a skimmer breach under the Texas code. Under the classification of a skimmer breach, the merchant is required to implement additional practices at the affected location to prevent further skimming activity (see chart below)