fuel pumps

Unravelling card payment in retail fuel operations

During a SHARE/GUIDE member-sharing session, General Manager of IT and Card Services, at Boustead Petroleum Marketing or BPM, Wong Voon Pui took the audience on a trip down memory lane from the time when car owners pay for petrol over the counter, all the way to today’s current payment methods.


According to Voon Pui, one of the earlier observations from their retail fuel operations (branded as BHPetrol currently) was that card fraud at retail petrol stations were very high.

Voon Pui added that BHPetrol, or BP at that time, had put in a central frequency control, reducing the occurrence of card fraud at their own retail operations.

To further understand card payments in the retail fuel industry, as well as the evolution of card payments for this industry, it requires a look at PCI-DSS (Payment Card Industry Data Security Standard) and EMV, two standards that according to Voon Pui, were created by Europay, Mastercard and Visa.

The EMV standard is currently managed by a consortium of financial companies that is called EMVCo. EMV cards are smart cards that can store data on integrated circuit chips, and be backward compatible with older cards that used magnetic stripes.

Before the contactless method that we see today, these cards were inserted into reader or terminals, and they had to be authenticated before the transaction can be approved. Authentication methods included keying in a personal identification number or a digital signature.


Voon Pui gave an example to illustrate the roles that each standard plays for the a retail fuel operator like BHPetrol. “When it comes time to pay for your fuel at the station, you can use your EMV-based card to be processed by a payment terminal.

“But, that payment terminal has to be PCI-DSS certified. The same goes for the software being used by the whole system, as well as the integration process and method,” Voon Pui said.

PCI-DSS is part of EMV requirements. So, EMV cards, equipment that process EMV cards, as well as systems and encryption requirements, must comply with PCI-DSS.

But before the introduction of the EMV standard in 2004, magnetic stripes in cards were used to store account data. Magnetic stripes were very easy to forge, and led to many cases of card frauds at petrol stations.

This went on till the regulator, Bank Negara Malaysia, stepped in and mandated the use of EMV cards.

Securing payments

Voon Pui described PCI-DSS as being very vast and complex. We’ve seen from the example above that hardware, software, and even integration need to comply with PCI-DSS.

He also observed, “I have yet to come across one party that can encompass all the aspects that PCI-DSS requires for card payments.

There are 12 requirements to comply with PCI-DSS, which you can quickly read more about here. 

What’s next? Contactless

Having chalked up the experience of deploying outdoor payment terminals (OPT), Voon Pui shared his view of payment trends moving forward.

For example, he said “Contactless payments is the future. We have to believe this is the way to go, hence we put a lot of effort into this.”

This is where we take a step back to look a little further into what contactless payments mean.  We already know of using cards to make payments; we may just wave it at a payment terminal to make payment.

But the phone, and other wearables like watches are also conduits for contactless payment, according to Voon Pui.

Using RFID or NFC, and combined with technologies like QR codes, customers need only to scan a QR code to make payments. However, QR code technology is not governed by PCI-DSS, which makes the whole process rather tricky to secure.

For now, the card is a very popular conduit or medium to use, and BHPetrol has enabled their payment terminals to accept contactless methods.

That said, Voon Pui finds that some consumers still prefer pressing their PIN number when using their payment cards,because they do not trust the contactless method.

“This is due to lack of awareness and education (about how contactless payments are processed),” he observed.

The contactless card process targets fast and small amount transactions, so card transaction amounts above RM250 still requires the cardholder to input PIN to authenticate the transaction.

Why is contactless secure?

The terminal that processes EMV contactless cards is required to be certified by PCI-DSS, and each terminal is injected with the acquiring bank’s encryption key, and respective merchant information.

Each bank has its own unique encryption key, so a payment terminal will send information that remains encrypted if it is sent to the wrong bank. If payment information cannot be decrypted, then the payment cannot be transacted.

In addition, the acquiring bank only reimburses card charges to the merchant bank, as per earlier registered information. Ie. Information about merchant bank must already be in the acquiring bank’s system.

Voon Pui pointed out, “The bank has very stringent control process to ensure only registered and approved merchants get the terminal and that it is injected with the right encryption key and respective merchant details.”

He also adds that the EMV contactless card payment process is very secure and it is a proven payment process that has been used worldwide for many years.

The contactless payment usage in developed countries is as high as 85-percent but in Malaysia, contactless payment usage is between 40- to 50-percent only, he said.

Voon Pui stated his opinion that contactless card payment is actually very secure, and in fact BHPetrol has been working with Visa and Mastercard to promote contactless payment usage.

For example, BHPetrol collaborates with Affin Bank to create a co-branded Mastercard with contactless capability that enables the holder to enjoy 2-percent fuel rebate.

Rewarding customers

BPM had also recognised the challenges of using loyalty cards. The solution they came up with, called for the use of mobile phones again, which is ironic because laws disallows its use in the petrol pump area, which is also known as the forecourt.

The company wanted something else besides a physical card, that could be instantly issued and immediately start earning their customers loyalty points upon them signing up.

The solution to this was a mobile app which addressed all these challenges as well as saved administrative time, administrative cost, material cost, as well as is environmentally friendly.

This was a huge step forward considering the use of mobile phones is not encouraged at petrol stations’ forecourt areas.

Moving forward, Voon Pui expressed his hope that the mobile app will deliver/enable motor-related information, services, and even insurance, in the future.

Since its soft launch in late December, the app has achieved over 40,000 downloads, according to Voon Pui.

Boustead Petroleum Marketing or BPM, sells petrol and similar products like diesel and liquefied petroleum gas (LPG) as well as related products such as lubricants. According to Boustead Holdings’ annual report for FY2018, BPM operates as many as 400 petrol stations and convenience marts.