Fleet cards are a special type of payment card. These cards are given by a company to its employees, for example truck drivers delivering the company’s goods to where they will be sold. The cards are used to pay for vehicle expenses, such as fuel in pay-at-the-pump transactions, and for repairs and maintenance that are incurred during the course of business.
Fleet cards may be provided by oil brands such as Shell, Chevron, and ExxonMobil, as well as by dedicated companies that issue these cards, such as Edenred, WEX Inc., etc. The oil companies often use the term “fuel cards” when referring to fleet cards.
Normally, there is no requirement for PCI-DSS compliance with this type of payment card. However, this poses a risk to business. Compliance helps keep the cards’ financial transactions secure, especially with the increase in counterfeit fraud. Here we will explain how fleet cards/fuel cards work and the role that hardware security modules can play in providing more secure features for these cards under PCI-DSS compliance.
Why Businesses Like Using Fleet Cards
The core feature of every fleet card is that it can be used to “pay at the pump.” There are several advantages to issuing fleet cards to drivers, including:
- The driver does not need to carry cash for fuel that could be lost or stolen.
- The fleet card does not provide the features of a typical credit card; therefore, if lost or stolen, it cannot be used for purchases made at a department store, for instance.
- Because the card has focused functionality by being linked to fuel and vehicle expenses, it is easier to distribute cards to drivers who might not qualify for a company credit card.
- Administration and business processes are less complicated, as companies receive the invoice and statement for their fleet cards each month, with detailed usage descriptions.
- Companies can monitor their vehicle expenses and maintain their budgets.
- Charges are typically interest free, but the company is required to review its balance in full each month.
PCI-DSS is not required for fleet cards issued by a business or oil company because they are not members of a card payment network like Visa or Mastercard. Instead, non-credit/debit fuel cards work within a private loop where no PCI norms apply, and implementations and specifications can vary.
Lack of PCI-DSS Compliance is a Risk to Business, But HSMs Can Help
Requirement 4 of the PCI-DSS standard requires the safe transmission of cardholder data across open networks. Protocols for encryption and authentication must be sophisticated and configured to prevent unauthorized access by third parties and hackers. Preventing such access is also a feature of using a hardware security module to oversee the use of fleet cards. Keys for both encryption and authentication can be securely stored within an HSM.
Although it is not required by standards or regulations, integrating PCI-DSS compliance by introducing hardware security modules is beneficial to keeping transaction data safe when using fleet cards. There is also another benefit to consider: fleet cards can now provide more flexibility to their users. Cards can be securely used for business-related expenses that may be incurred other than at the fuel pump.
While fleet cards cannot be used everywhere at this time, there is still a risk of fraud. PCI-DSS compliance helps fight fraud at the pump by maintaining certain standards for payment security during fuel purchases.
For example, Requirement 3 of PCI-DSS mandates that stored cardholder data must be protected at all times. Encryption is considered one of the best methods for doing that. But the requirement also expects organizations that deal with clients’ funds to protect the encryption keys used to encrypt that data, to prevent misuse and unauthorized disclosure. Keeping encryption keys protected is one of the main reasons for using a hardware security module.
Blog post by Martin Rupp.
About the author
Martin Rupp is a cryptographer, mathematician and cyber-scientist. He has been developing and implementing cybersecurity solutions for banks and security-relevant organizations for 20 years. Martin currently researches the application of Machine Learning and Blockchain in Cybersecurity.