Fleet Cards, Fuel Cards, and AFD - Key Answers on PCI Compliance, Crypto-Security and the EMV shift in October 2020

Today, Automatic Fuel Dispenser fraud is a sad reality. Gas pumps are impacted by skimmers, cloned fuel cards, and other schemes. This forces fuel merchants to adopt chip technology as a way to prevent counterfeit fraud.

A Quick Reminder about Fleet cards 

A Fleet card (also referred to as a fuel card, depending on the issuer) is a special type of payment card that is dedicated to vehicle expenses, particularly fuel expenses used in a business context. Fleet cards are given by a company to an employee, usually the driver of a given vehicle operated by the company. Fleet cards can have many uses: fuel (pay at the pump), repair, maintenance, etc.

There are multiple advantages to using such fleet cards:

  • The driver does not need to carry cash that could be lost or stolen, nor does he or she need to be equipped with a full-fledged credit card that could be subject to fraud or theft.
  • Focused functionality linked to fuel and vehicle expenses allows for easier distribution of cards to drivers, even when they do not qualify for credit cards.
  • Corporate administration is reduced and processes get leaner as companies receive the invoice and fleet card statement at the end of each month with detailed descriptions of usage. Accounting APIs even allow for connecting the data directly to the companies’ ERP systems.

Today all major operators of service stations / oil companies offer such cards. Also, many bank acquirers offer a specific Fleet card. 

The terms of fleet cards can vary. Usually, they are charge cards, i.e., they charge no interest but they require the cardholder to pay the balance in full at the end of a given period (usually monthly).

Fleet cards allow companies to maintain their budgets and monitor the expenses for the vehicles that they operate. 

Differentiating between Fuel Cards and AFD Fleet Cards

Fleet cards may be provided by oil brands such as Shell, Chevron, ExxonMobil, as well as by dedicated companies that issue these cards, such as Edenred, WEX Inc., etc. The oil companies usually use the term “Fuel Card.”

Many banks also issue fleet cards in cooperation and compliance with credit card companies. These fleet cards are actually limited-functionality credit cards. These cards are usually referred to as “Fleet Cards” or “AFD-Fleet Cards.” AFD stands for Automated Fuel Dispenser.

Pay at the Pump

“Pay at the Pump” is the core feature of every fleet card. It is a system used at gas station pumps. The user inserts the card into the card reader embedded into the pump. Customers are able to pay directly for their fuel by using:

  • Fuel cards
  • AFD-fleet cards
  • Credit or debit cards 

What is the Automated Fuel Dispenser (AFD)?

An AFD is an integrated mechanical and electronic system that combines a payment system and a fuel delivery system without the need for an operator. An AFD usually consists of the pump unit itself, sealed in the ground of the gas station and connected to the petroleum tanks, and a payment system involving a credit card reader and an oil gauge module.

AFD transactions involve financial transactions in the context of petroleum companies, using fuel cards operating in payment networks. These cards generally function in the same way as bank cards, which use magstripe or EMV. However, there are some important differences.

For instance, integration is slightly different because of a Forecourt Controller, which controls the amount of gas pumped; that amount is sent directly to the terminal.

There is also the option to avoid a PIN. Usually, AFD cards do not ask for a PIN.

With AFD cards, some Fleet Service Indicators may convey the following information to the payment servers:

  • Identification (ID) and odometer reading
  • Vehicle ID and odometer reading
  • Driver ID and odometer reading

After a prompt for ID, the cardholder typically inputs the six-digit numeric vehicle, driver, or generic ID, which differs from EMV payment systems. 

In AFD transactions, sale approval is usually requested without information about the final amount that will be paid by the cardholder. A pre-authorization must be performed together with a completed transaction that bears details of the final sale.

If the transaction is authorized, the host answers the request with a pre-authorization amount. The fuel dispenser transaction limit is defined mainly by the returned pre-authorization amount. 

The fleet cardholder may then begin fueling. Once this is finished, the final amount of the sale, which has been automatically defined by the fuel pump counter, is sent to the host. The host finalizes the sale for the actual amount. 
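The fleet prompts and the pre-authorization/completion sequence described above can be sketched as a small state machine. This is an added example, not code from the original post or from any vendor; all names (`fleet_prompts`, `AfdSale`, the indicator labels, the message fields) and the odometer length bound are assumptions made for illustration.

```python
import re
from decimal import Decimal

# The three prompt sets the page lists; these string labels are constructed.
INDICATORS = {"id+odometer": "generic", "vehicle+odometer": "vehicle",
              "driver+odometer": "driver"}

class Rejected(Exception):
    """Raised when a step is invalid or arrives out of order."""

def fleet_prompts(indicator, entered_id, odometer):
    """Validate the answers to the pump prompts before building the request."""
    if indicator not in INDICATORS:
        raise Rejected("unknown fleet service indicator")
    if not re.fullmatch(r"[0-9]{6}", entered_id):   # six-digit numeric ID
        raise Rejected(INDICATORS[indicator] + " ID must be six digits")
    if not re.fullmatch(r"[0-9]{1,7}", odometer):   # length bound is an assumption
        raise Rejected("odometer must be numeric")
    return {"id_type": INDICATORS[indicator], "id": entered_id,
            "odometer": int(odometer)}

class AfdSale:
    """Pre-authorization, fueling, completion; steps are only legal in that order."""
    def __init__(self, prompts):
        self.prompts, self.state = prompts, "PREAUTH_SENT"
        self.limit = self.final = Decimal("0")

    def host_response(self, approved, preauth_amount=Decimal("0")):
        if self.state != "PREAUTH_SENT":
            raise Rejected("unexpected host response")
        if not approved or preauth_amount <= 0:
            self.state = "DECLINED"
            raise Rejected("pre-authorization declined, pump stays locked")
        # The amount returned by the host, not anything entered at the pump, caps the sale.
        self.limit, self.state = preauth_amount, "AUTHORIZED"

    def pump_counter(self, amount):
        """Called as the pump counter advances; returns True when the pump must stop."""
        if self.state != "AUTHORIZED":
            raise Rejected("pump not authorized")
        self.final = min(amount, self.limit)
        return amount >= self.limit

    def completion(self):
        """Build the message carrying the final sale amount for the host to finalize."""
        if self.state != "AUTHORIZED":
            raise Rejected("no open pre-authorization to complete")
        self.state = "COMPLETED"
        return {"type": "completion", "amount": str(self.final), **self.prompts}
```

Because every step checks the current state, a completion cannot be sent twice and the pump cannot be released before the host has approved a pre-authorization amount.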

PCI Compliance

It is important to distinguish between fuel cards that are issued by a bank following a card scheme, such as Visa or Mastercard (typically AFD-fleet cards), and fuel cards that are issued directly by either an oil company or an oil company integrator that is not a member of a card payment network. In the latter case, transactions are not processed by a payment network. Therefore, there is no need for PCI-DSS compliance.

Fuel cards that are not credit/debit cards work in a private loop where implementations and specifications may vary, since there is no real norm for fuel cards. Nevertheless, PCI compliance is a way to fight fraud at the pump by having fuel station merchants maintain certain standards in payment security during transactions.

Credit card fraud is now big business, and gas stations and truck stops are becoming common targets, especially since payment cards are moving to EMV everywhere around the world.

PCI (‘Payment Card Industry’) standards are maintained, used, and issued by the five major global credit card networks – American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.

The PCI organization requires any fuel retail organization that stores, processes, or transmits cardholder data (meaning anyone that processes cards from one of the aforementioned five credit card brands) to be PCI compliant and, therefore, to maintain the appropriate payment security.

For most small businesses, PCI compliance implies that the stations will use payment terminals and processing that provide PCI compliant services. Fuel merchants that are not PCI compliant will have to pay from their pocket for any fraud losses!

EMV and Fleet Cards

The EMV payment method is based on a technical standard for smart payment cards and payment terminals. It uses a microchip that is integrated into the card. Therefore, EMV-based cards are also called “banking smart cards.” [5]

EMV makes sense when it comes to fighting against the fraudulent use of fleet cards. Just like payment cards, fleet cards can be cloned, wrong information can be inserted and rewritten, etc.

In terms of EMV, the fuel retail industry and the chip cards used for automated fuel dispensers/pumps (AFDs) have their own specificities.

The AFD segment will need more time to upgrade to chip / EMV because of the complex infrastructure and special technology that is needed for fuel pumps. For instance, some old pumps must be removed and replaced before installing EMV chip readers. This means sometimes breaking concrete, not just unscrewing a terminal. It also requires special technicians that are different from the usual ATM technicians.

Another issue is that the old pumps may not have sufficient wiring and may need additional cable, etc. Additionally, there is not enough software and hardware supplied for EMV-compliant fuel pump systems.

With the EMV shift at fuel pumps occurring on October 1, 2020, in the United States (three years after the liability shifts for ATMs in the United States), fuel merchants are now under extreme pressure because time is running out to make the switch to EMV technology.


Blog post by Dr. Ulrich Scholten
