EMV for Automated Fuel Dispensers: Challenges and Implementation Strategies
March 24, 2017 - UL explores the challenges and implementation strategies of EMV for automated fuel dispensers
Towards the end of 2016, the leading U.S. payment networks announced the delay of the liability shift for Automated Fuel Dispensers (AFDs) from October 2017 to October 2020. This was primarily due to insufficient supply of compliant hardware and software and the implementation challenges of implementing EMV at an AFD terminal.
The delay in the liability shift came as a respite for Petroleum and Convenience Retail (PCR) companies that were gearing up to enhance their point of sale systems with EMV technology. For the same purpose, the terminal manufacturers are moving swiftly to get their terminals certified with Level-1 and Level-2 EMV certifications. Despite the delay in the liability shift date, a number of leading vendors are moving ahead with the upgrading their existing systems with EMV.
Currently, gas station skimming fraud comprises just 1.3% of total US card fraud, according to Krebs on Security. It seems that the fraud is one a rise, for example, In Arizona at select stations more skimming was seen in August 2016 than in 2015 at large.
This presents an opportunity to turning the stumbling block of challenges with an EMV implementation to a stepping stone by utilizing the lessons learnt from the 2015 EMV liability shift. The colossal task ahead is to plan and implement effective strategies not only to deploy EMV solution, but also to ensure that they minimize the costs and reduce post implementation issues.
In this article, some challenges of implementing EMV at an AFD terminal as well as lessons learnt from the ongoing EMV implementation at Point-of-Sale are discussed.
Interfaces in AFD environment that are impacted with EMV implementation include:
- Pinpad – with the upgrade to EMV, the Pinpad will be upgraded to accept EMV contact or contactless payment methods. Necessary Level-1, Level-2 and Level-3 EMV certification will be required before deploying new terminals in the field.
- Payment application for Outdoor Payment Terminals – The payment application will be modified to have the logic for processing EMV and will be certified as well.
- Electronic Cash register (ECR) – Cash register is the point of initiation of a transaction when fuel is purchased from inside the store. Depending on the type of POS configuration (fully integrated, semi-integrated, partially integrated or standalone), the functionality of ECR may be impacted.
- Proprietary interface – The proprietary interface between the exterior AFD terminals and the site host must be equipped to carry EMV data.
- Merchants may want to implement their AFD solution in an offline mode when the connection with the host is down, their store operations are not available, etc. This is implemented as Store and Forward (SAF) unlike the standard online-only POS functionality. The merchants may also have to refer to any brand guidance on offline approvals, SAF processing for credit and debit payment method and any risk management processing. Specific processing checks like Merchant Types (Merchant Category codes/MCC) that can use store and forward, transaction amount limits and EMV risk management checks need to be implemented.
- PCR merchants, ISVs and POS solution providers having multiple host processor and/or Payment Gateway protocols may be required to implement EMV. In such a scenario, several processor or gateway requirements, implementation pre-requisites, messaging specifications and communication protocols etc. must be known.
Depending on the business requirements of an AFD merchant, additional functionalities available at an AFD terminal need to be considered and incorporated into the design of the system. These can be:
- Processing with Dual interface and Fleet cards.
- Selectable kernel configuration for Outdoor Payment Terminals (OPT) for managing different cardholder verification methods (CVM).
- Fallback processing (especially scenarios like magnetic stripe read while pulling out the card).
- Terminal logic for application selection specifically for debit preferred merchants.
Fleet cards: Fleet cards can be used for fuel only or fuel and other products. The terminals need to have the processing and logic as well to process fleet cards. In addition to reading and managing fleet card specifics, there may be additional prompts o the terminal and the specific information sent in the authorization messages.
- Accepting Fleet specific AIDs
- Logic for reading Typical Fleet card information encoded on chip.
- Prompts: Odometer reading, Driver number, Vehicle number.
- Acceptance of Card Type: Driver card or Vehicle card.
- Usage restrictions: Countries where allowed, Days of week, Hours of day, Maximum fill volume.
- Read Fleet card data, Manage Fleet card restrictions, make appropriate cardholder prompts, populate fleet information in authorization request.
- Authorization request message to include: Fleet TVR (FTVR), Driver ID, Name, Fleet number, Mileage, Vehicle registration number, Fuel filled, Price per Gallon.
Testing Strategy and Planning
Test planning is one of the critical aspects in EMV implementation. With AFDs, every merchant can have their own flavor of the solution and their needs to build a comprehensive test strategy to ensure full coverage of the functionalities.
- Lack of AFD industry specific test cases and scenarios represents a significant challenge.
- End to end testing strategy requires in-depth analysis of the scenarios to be chosen for a particular AFD customer implementation. These may also be driven by the business requirements. The testing scope is typically wider than the brand test scenarios. This includes but is not limited to EMV functionality like offline data authentication, Offline and Online PIN processing, Fallback processing, Pre-authorization and completion, Chip reversals, Issuer script processing, etc.
- An outdoor AFD terminal functions on the basis of pre-authorization and completion/capture, for which specific test scenarios need to be selected and modified.
- The functional test plan must also cover the additional client specific requirements like Store and Forward, performance/stress testing, batch capture/batch close, clearing and settlement and reports since these areas are not covered in the brand test plans.
- Additional implementation scope such as point encryption (P2PE), tokenization and mobile/NFC based solutions will increase the functional testing that needs to be done.
Performance Benchmarking and Optimization
As the merchants upgrade their point of sale systems to EMV they must also look at the performance of the payment system. This may have significant impact on customer experience and throughput and adversely impact their existing low-margin business. In order to ensure that the point of sale system is efficient and at par with the industry, benchmarking and optimization services can be adopted.
Test Automation at AFD
A very common ask from the merchants is about the methods or tools that can be implemented in order to automate various elements of the point of sale system. A wide variety of test automation tools (refer to below diagram) can be used to simulate each component of the point of sale environment.
A recent study uncovered that Visa’s EMV-enabled merchants resulted in a 43% decline in counterfeit fraud. It is therefore likely that this would reduce the fraud at gas stations as well, which currently incurs about $250 billion in fraud annually, according to Bloomberg. This will lead to potential cost savings for station operators as well as players in the payments space.
Thus, even though the upgrade to EMV requires substantial investment, companies should focus on a head start given the complexity of implementation.