
Gas Station Cybersecurity: Protect POS, Dispensers & Data

April 14, 2026 | 8 min read

Why Gas Stations Are High-Value Cybersecurity Targets

Fuel retail operations process millions of card transactions annually, run legacy embedded systems across forecourts, and often operate with lean IT support — a combination that makes them attractive targets for cybercriminals. Gas station cybersecurity breaches have cost individual operators anywhere from $50,000 to well over $500,000 when you factor in forensic investigation, card replacement liability, regulatory fines, and reputational damage.

The threat isn’t theoretical. Between 2017 and 2023, the FBI and Secret Service documented hundreds of physical and network-based skimming operations targeting fuel dispensers across the United States. More recently, point-of-sale (POS) malware and ransomware attacks have hit fuel retailers hard — including mid-sized chains that assumed they were too small to be worth targeting.

Whether you operate a single-site independent station or a regional network of 20+ locations, understanding your attack surface is the first step toward building a defensible operation.

Understanding Your Attack Surface: Three Critical Layers

1. Fuel Dispenser Systems

Modern dispensers from Gilbarco Veeder-Root (Encore series) and Dover/Wayne (Ovation series) run embedded operating systems and communicate back to the POS controller via internal network protocols. Older Wayne CAT and Gilbarco Advantage units — still common in independent stations — may run on unsupported firmware with no manufacturer patch support.

Physical threats include Bluetooth-enabled skimmer overlays and internal card reader replacements, which the Secret Service estimates are installed on tens of thousands of pumps nationwide. Network threats include man-in-the-middle attacks on dispenser-to-controller communications if the internal LAN is not properly segmented.

The EMV (chip card) liability shift for fuel dispensers — originally set for 2020 and extended multiple times — became fully effective for most networks in April 2021. Stations without EMV-compliant dispenser card readers now bear 100% of chargeback liability for counterfeit card fraud at the pump. As of 2024, a significant portion of independent stations remain non-compliant, exposing them to substantial ongoing financial liability with every swipe transaction.

2. Point-of-Sale Systems and Back-Office Controllers

The inside POS environment — typically a Verifone Commander, Gilbarco Passport, or Wayne iX Pay terminal setup — sits at the center of your payment processing ecosystem. These systems handle card authorization, loyalty programs, carwash controls, and increasingly, age-verification for tobacco and lottery sales.

POS security vulnerabilities commonly exploited in fuel retail include:

  • Default vendor passwords never changed during installation
  • Remote access software (pcAnywhere, TeamViewer, RDP) left exposed to the public internet
  • Out-of-date operating systems — many Passport installs still run on Windows 7 or Windows Embedded POSReady 2009, both end-of-life
  • Flat networks where the POS shares broadcast traffic with employee devices and customer Wi-Fi
  • Unencrypted payment data in transit between the controller and payment processor

Verifone and Gilbarco Veeder-Root both issue security bulletins and firmware updates for their controller platforms. Failing to apply these updates in a timely manner is one of the most common findings in post-breach forensic investigations.

3. Back-Office and Network Infrastructure

Broadband routers, wireless access points, surveillance DVR systems, and ATG (Automatic Tank Gauge) controllers from Veeder-Root (TLS-450PLUS) or Franklin Fueling Systems all represent network-connected endpoints that, if compromised, can serve as pivot points into payment systems. Veeder-Root TLS systems in particular have been the subject of multiple security research disclosures regarding internet-exposed ATG ports — a finding that directly affects UST compliance data integrity as well as cybersecurity posture.

Regulatory Framework: What the Rules Actually Require

PCI DSS 4.0: The Payment Card Industry Standard

The Payment Card Industry Data Security Standard (PCI DSS) is the primary compliance framework governing gas station data breach prevention. Version 4.0, released in March 2022 with a compliance deadline of March 31, 2025 for new requirements, introduces significant changes relevant to fuel retailers:

  • Requirement 6.3.3: All software must have applicable security patches installed within one month of release for critical vulnerabilities
  • Requirement 8.2.4: User accounts and passwords must be reviewed every 12 months
  • Requirement 12.3.2: Targeted risk analysis must now be documented for each PCI DSS requirement
  • Requirement 11.6.1 (new in 4.0): A change-and-tamper detection mechanism must be deployed on payment pages — applicable to pay-at-the-pump interfaces and any web-based ordering

Non-compliance with PCI DSS does not carry direct government fines, but card brands can impose penalties of $5,000 to $100,000 per month on your acquiring bank, costs that are contractually passed through to you. Following a confirmed breach, you may also be required to fund forensic investigations ($20,000–$100,000+) and card reissuance costs (up to $5–$10 per card for every affected cardholder).

State Data Breach Notification Laws

All 50 U.S. states have enacted data breach notification laws. While thresholds and timelines vary, most require notification to affected consumers within 30 to 90 days of breach discovery. Several states impose additional requirements:

| State | Notification Deadline | Maximum Penalty |
|---|---|---|
| California (CCPA/CPRA) | Expedient, no specific days | $7,500 per intentional violation |
| New York (SHIELD Act) | Expedient notice | $5,000 per violation |
| Texas | 60 days | $250,000 per incident |
| Florida | 30 days | $500,000 per breach |
| Illinois | Expedient notice | Actual damages + attorney fees |

FTC Safeguards Rule

The Federal Trade Commission’s updated Safeguards Rule (16 CFR Part 314), which took effect in June 2023, applies to financial institutions — a category that includes businesses engaged in financial activities such as payment processing. Multi-site fuel retailers and operators who extend credit or offer stored-value fleet cards may fall under this rule, which mandates a written information security program, designated security personnel, and regular risk assessments.

Practical Security Controls for Fuel Retailers

Network Segmentation: Your Most Important Control

The single highest-impact action most gas station operators can take is properly segmenting their network. Your POS and dispenser communication network should exist on an isolated VLAN with no direct routing to employee devices, office computers, or customer Wi-Fi. A properly configured firewall — not a consumer-grade router — should govern all inter-VLAN traffic.

Many fuel retail technology vendors, including Gilbarco and Verifone, publish network architecture guides specific to their controller platforms. Your petroleum equipment contractor or point-of-sale dealer should be able to implement a segmented architecture during any major system refresh.

Dispenser Physical Security Checklist

  • ✅ Inspect all dispenser card readers weekly for skimmer overlays (look for misaligned bezels, unusual resistance when inserting card, extra components)
  • ✅ Apply tamper-evident security seals to all dispenser cabinet access panels and log inspection dates
  • ✅ Enable Bluetooth scanning alerts if your dispenser management software supports it (Gilbarco Secure Pay with encrypted readers eliminates Bluetooth skimmer risk entirely)
  • ✅ Upgrade to EMV-capable card readers on all dispenser lanes if not already completed
  • ✅ Review dispenser access logs for unauthorized cabinet opens

POS System Hardening

  • ✅ Change all default passwords immediately on installation and rotate quarterly
  • ✅ Disable or remove remote access tools not actively managed by your VAR or POS provider
  • ✅ Apply vendor-issued firmware and OS patches within 30 days of release (critical patches within 72 hours)
  • ✅ Enable point-to-point encryption (P2PE) on all payment terminals — both countertop and pay-at-pump
  • ✅ Ensure your payment processor relationship includes tokenization so card data is never stored on-site
  • ✅ Review who has administrative POS access; remove terminated employee credentials immediately

Employee Training and Insider Threat

The Verizon Data Breach Investigations Report consistently finds that a significant proportion of breaches involve an insider element — whether malicious or negligent. For fuel retail, this often means an employee clicking a phishing link on a shared back-office computer, or a contractor being given unnecessary network access during a service call.

Establish a written acceptable use policy for all business computers. Train employees annually on phishing recognition. For service contractors accessing your network or POS system, create time-limited access credentials that expire automatically after the service window closes.

Incident Response: What to Do When (Not If) Something Goes Wrong

Every gas station operator needs a written incident response plan before a breach occurs. At minimum, your plan should include:

  1. Containment: Isolate affected systems immediately — disconnect compromised devices from the network without powering them off (preserves forensic evidence)
  2. Notification of your payment processor: Call your acquirer’s security hotline within hours of confirmed or suspected compromise
  3. Legal counsel: Engage an attorney with data breach experience before making public statements
  4. Forensic investigation: Your payment brand may require a PCI Forensic Investigator (PFI); do not begin internal remediation that could overwrite evidence
  5. Regulatory notification: Follow your state’s breach notification timeline — document the discovery date precisely
  6. Customer notification: Work with counsel on messaging; most states prescribe minimum content requirements for consumer notices

Pro Tip: Review your general liability and commercial property insurance policies today. Standard policies typically do not cover cyber incidents. A standalone cyber liability policy for a single-site fuel retailer typically runs $1,500–$4,000 annually and can cover forensic costs, notification expenses, regulatory defense, and business interruption losses.

Building a Cybersecurity Roadmap for Your Station

Cybersecurity improvement doesn’t have to happen all at once. Prioritize by risk impact and build a 12-month roadmap:

| Priority | Action | Timeline | Estimated Cost |
|---|---|---|---|
| Critical | Network segmentation (POS/dispenser VLAN) | 0–60 days | $500–$2,500 |
| Critical | EMV dispenser card reader upgrade | 0–90 days | $4,000–$12,000/lane |
| High | Enable P2PE on all payment terminals | 30–60 days | Varies by processor |
| High | Patch all POS/controller firmware | 30 days | Minimal (labor only) |
| Medium | Cyber liability insurance | 30–60 days | $1,500–$4,000/year |
| Medium | Employee security training | 60–90 days | $200–$500/year |
| Ongoing | Weekly dispenser physical inspections | Immediate | $0 (labor only) |

Action Items: Start Here This Week

  1. Audit your network topology today. Draw a map of every device connected to your business network. If your POS, employee computers, and customer Wi-Fi are all on the same network, you have a critical gap to close.
  2. Check your dispenser firmware version. Contact your Gilbarco, Wayne, or other dispenser vendor representative and confirm whether your installed firmware is current and whether your card readers are EMV-capable.
  3. Confirm your PCI compliance status with your processor. Log into your acquirer’s compliance portal and check your current SAQ (Self-Assessment Questionnaire) status and expiration date. PCI DSS 4.0 compliance is mandatory as of March 31, 2025.
  4. Call your insurance broker. Ask specifically whether your current policy covers cyber incidents. If not, get a cyber liability quote this week.
  5. Schedule a physical dispenser inspection. Walk your forecourt today and inspect every card reader bezel, every cabinet seal, and every keypad for signs of tampering.
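
Action item 1 and the segmentation section earlier come down to one question: does any POS or dispenser device share a subnet with employee computers, customer Wi-Fi or the tank gauge? The script below is an added example, not part of this article or any vendor's software; the inventory, addresses and zone names are constructed for illustration and you would substitute your own network map.

```python
# Added example: flag POS/dispenser devices sharing a broadcast domain with others.
import ipaddress
from collections import defaultdict

# Constructed sample inventory (name, trust zone, address/prefix); all values are
# made up, and the zone names are an assumption rather than vendor terminology.
FLAT_INVENTORY = [
    ("pos-controller",   "payment",  "192.168.1.10/24"),
    ("dispenser-lane-1", "payment",  "192.168.1.21/24"),
    ("dispenser-lane-2", "payment",  "192.168.1.22/24"),
    ("office-pc",        "employee", "192.168.1.50/24"),
    ("tank-gauge",       "ot",       "192.168.1.60/24"),
    ("guest-wifi-ap",    "customer", "192.168.1.200/24"),
]
# The same site after the payment VLAN has been isolated (also constructed).
SEGMENTED_INVENTORY = [
    ("pos-controller",   "payment",  "10.10.1.10/24"),
    ("dispenser-lane-1", "payment",  "10.10.1.21/24"),
    ("office-pc",        "employee", "10.10.2.50/24"),
    ("tank-gauge",       "ot",       "10.10.3.60/24"),
    ("guest-wifi-ap",    "customer", "10.10.4.200/24"),
]
# Zones that must never share a subnet (broadcast domain) with payment devices.
UNTRUSTED_ZONES = {"employee", "customer", "ot"}

def broadcast_domains(inventory):
    """Group devices by the network their address/prefix belongs to."""
    domains = defaultdict(list)
    for name, zone, cidr in inventory:
        domains[ipaddress.ip_interface(cidr).network].append((name, zone))
    return domains

def segmentation_findings(inventory):
    """One finding per subnet mixing payment devices with an untrusted zone;
    an empty list means the payment zone is isolated."""
    findings = []
    for net, members in sorted(broadcast_domains(inventory).items(), key=lambda kv: str(kv[0])):
        zones = {zone for _, zone in members}
        if "payment" in zones and zones & UNTRUSTED_ZONES:
            findings.append({
                "network": str(net),
                "payment": sorted(n for n, z in members if z == "payment"),
                "mixed_with": sorted(n for n, z in members if z in UNTRUSTED_ZONES),
            })
    return findings

if __name__ == "__main__":
    for f in segmentation_findings(FLAT_INVENTORY):
        print(f"CRITICAL: {f['network']} mixes {f['payment']} with {f['mixed_with']}")
```

Run against the flat inventory it reports the single shared /24 as critical; against the segmented inventory it reports nothing, which is the state the roadmap's first critical item is meant to reach.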

Gas station data breach events are not a matter of if — they are a matter of when and how prepared you are. The operators who weather these events with minimal financial and reputational damage are invariably those who treated cybersecurity as ongoing operational practice rather than a one-time project. Start with the basics, document your efforts, and build from there.
