Wawa improving payment security at convenience stores in wake of data breach

Company officials said all gas pumps will have credit card chip-readers installed by the end of 2020

As Wawa seeks to recover from the massive data breach that attacked payment systems at most — if not all — of its convenience stores in 2019, the company is rolling out new security changes at its gas pumps to improve payment security. 

A PhillyVoice colleague noticed a change to the credit-card readers when he went to fill up his car with gas earlier this week at a Wawa in Upper Chichester, Delaware County.


RELATED: Tiny Wawa opens Friday morning in Center City with pick-up window


Instead of inserting a credit card, quickly removing it and then entering his zip code to verify the transaction, the new, gas-pump, card-readers require customers to leave the payment card in the machine for about 30 seconds to process the payment before removing it.

Jeff Douglass/PhillyVoiceWawa is upgrading the payment card readers at all of its gas stations in 2020 to improve data security. The photo above shows a gas pump at a Wawa in Upper Chichester, Delaware County, where then new credit-card readers with EVM technology have been installed. In December, Wawa announced its payment servers had been hacked, potentially compromising customers' credit and debit card data, possibly at all of its convenience stores in the United States.

In a statement to PhillyVoice, Wawa confirmed the changes, stating that it’s part of "enhancements we are making with the ongoing implementation of EMV technology at gas pumps, which has been underway for months and will be completed at all of our stores before Oct. 2020."

EVM stands for Europay, MasterCard, and Visa. Basically it is the chip-reading, credit-card machines already common in retailers, and it is the global standard for authenticating credit and debit card transactions, according to TechCrunch.

Unlike when a credit or debit card is swiped, and the magnetic strip is read by the payment machine, the data transmitted using chip-enabled cards is encrypted and only a financial institution can un-encrypt it, TechCrunch said.

The news of these improvements comes just weeks after Wawa discovered it was hit by a massive data breach that potentially compromised customers’ credit and debit card information inside Wawa stores and at its gas pumps, as their locations were exposed to malware over the span of 10 months, starting in March 2019. 

The convenience store chain believes credit and debit card numbers, expiration dates, and cardholder names were affected by the malware, but not debit card PIN numbers, credit card CVV2 numbers, or driver's license information. The malware was finally contained on Dec. 12. 

Wawa believes the malware had been present on a majority of its store systems by April 22, and that its information team identified the malware on Dec. 10, ultimately notifying law enforcement and payment card companies.

As a result of the hack, Wawa is facing a class-action lawsuit over the data breach from at least six plaintiffs, including a New Jersey woman. 

According to the Baltimore Sun, Visa’s fraud division warned that gas stations have become attractive targets of malware attacks and urged fuel sellers to upgrade to chip-reading technology at the pumps. In one recent investigation, Visa said cyber-criminals gained access to a point-of-sale system through a phishing email with malware attached.

Visa did not respond when reached for comment by PhillyVoice.