Gas pumps protect credit data with new device

Clayton, N.C. — A gas station just outside of Raleigh is one of three outlets in the country keeping customers' credit card information secure with a unique device on its gas pumps.

The Hasty Mart BP service station, at 531 Barber Mill Road and N.C. Highway 42, began using the Secure PumpPay system on its eight pumps in April, according to John Strickland, president of Wayne Oil and owner of the Clayton BP.

“It’s that outside, unattended payment that we wanted to protect. Inside, our point-of-sales systems were as secure as they could be, and we wanted to provide this same level of security at our points of sale outside,” Strickland said.

The Secure PumpPay system, created by VeriFone, is designed to protect consumers from skimming, a practice in which thieves install hard-to-detect electronic devices on gas pumps to steal credit card information. The U.S. Secret Service is investigating skimming cases at gas stations in at least five states, according to the USA Today newspaper.

The Secure PumpPay devices have not been noticeable to consumers at the BP station in Clayton, Strickland said.

Driver Charles Swinson said knowing the gas pump contains a security device makes him “feel a lot safer” using his card at the BP station.

“I think people have a presumption that when they’re paying for something it’s secure, but I know the reality is that there is a lot that goes into keeping someone’s account information completely secure,” Strickland said. “We wanted to make sure our customers were secure even when they didn’t know it.”

Visa has mandated that all merchants replace debit devices with Triple Data Encryption Standard devices by July 1, 2010. The mandate was to increase security measures. If a company does not comply, credit card companies could fine station owners.

The Secure PumpPay system, which costs thousands to install, is also being used in Clearwater, Fla., and Fort Wayne, Ind.

5 Comments

WRAL.com welcomes your comments on this story. All comments are moderated prior to publication based on our posting guidelines. Please review them prior to posting and if your message is not approved.

5 COMMENTS

This story is closed for comments.

Latest Comments

Great! Now if they could fix the slow, slow, pumps! I no longer buy there, it's so bad. BP as a whole is going down the tubes.

Xiaoding
August 13, 2008 9:54 p.m.

Thanks dcatz.

Sort of makes sense now. I now remember using DES and 3DES when configuring Hardware VPN Routers. So I assume the encryption is used between the gas pump and the computer in the gas station. And I'm assuming the "information stealing device" was somehow intercepting the unencrypted transmissions between the pumps and the computer in the gas station.

Is that correct?

DeathRow-IFeelYourPain-NOT
August 13, 2008 8:21 p.m.

3DES? LOL

3DES is an obsolete encryption standard. It's basically the plain old DES standard (an encryption standard designed by the NSA way back in 1975 and that is now very obsolete) and has been demonstrated to be insecure. When people figured out how easy it was to break DES (and it is easy with the appropriate equipment), they came up with a jerryrigged solution called 3DES or Triple Data Encryption Standard where you basically encrypt something with DES three times.

Rijndael (also known as AES or Advanced Encryption Standard) is the much more secure replacement for DES/3DES. No one should be implementing new systems using DES anymore. AES is cheaper to implement too since it's designed to be done in the software as opposed to requiring specialized hardware (DES was designed back before general-purpose computing was commonplace).

See http://w2.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/HTML/19980716_eff_des_faq.html for more information.

dcatz
August 13, 2008 7:27 p.m.

Would loved to have heard a little more detail as to what it exactly is and how it works. Sounds good. But I don't feel any safer because I don't know what it does.

DeathRow-IFeelYourPain-NOT
August 13, 2008 7:21 p.m.

it's barber mill rd...not barbara...