EMV, MNSP and PCI Compliance

2020 is officially here. October 1, 2020, marks the date on which petroleum retailers will be held responsible for credit card fraud that takes place at fuel dispensers that are not equipped to handle EMV transactions.   There are only 186 working days until the EMV liability shift and technician availability will diminish quickly.    

In addition to, and to prepare for, outdoor EMV, dealers will be required to choose a certified Managed Network Service Provider (MNSP).  Mandated by the Credit Card Networks and implemented by both Gilbarco and VeriFone, MNSP requires a PCI-certified firewall (a firewall and managed switch) and a significant change to a store’s network architecture.  MNSP increases store security while meeting mandated PCI requirements, but does not remove the responsibility of completing your annual PCI Self-Assessment Questionnaire and required scans. 

As you may or may not be aware, Wawa discovered a massive data breach that affected 850 locations and is now facing lawsuits over that breach.  Those affected are purporting “inadequate data security measures and a careless approach to data security”.  Regardless of Wawa’s PCI status, this breach further highlights the need to take mandated PCI requirements seriously and why you should be proactively taking steps to implement outdoor EMV. 

Visa warned that hackers were targeting gas stations to steal payment card information.  In November 2019, Visa reported that gas stations emerged as targets for criminals because of the slow adoption of payment processing technology and that attacks would continue as long as gas stations were using magnetic stripe card readers to accept payments. 

With the challenges facing the petroleum industry, the original October 1, 2017, liability shift date was postponed to October 1, 2020.  Due to the lack of EMV software and the need for total replacement of some older equipment, this postponement gave gas stations more time to adopt EMV at the dispenser. With outdoor EMV software for VeriFone scheduled for release in February and mid-year for Gilbarco (for the Heartland network), it is vital that you have a plan in place.   The longer you wait, the longer the lead time on both equipment and technician availability.

Upgrades to support EMV, MNSP and PCI requirements will be expensive, but not as expensive as the cost of a data breach and chargebacks.  Automated fuel dispenser fraud is projected to reach $451 million this year.  The annual projected liability per store is $12,860 in 2021 and $31,396 in 2022.  It is imperative that you get ahead of this now as significant counterfeit fraud can occur without warning.

The complexities of outdoor EMV, the new MNSP Program, and PCI Compliance can be quite confusing.  Taking early action for upgrades and continuing your compliance with the PCI standards will give you the best opportunity to make the most of a difficult situation that will only get worse.