Payment Technology Security

Best Practices to Prevent Skimming

We want to ensure you have access to the latest technology and keep your customers' data secure.

  • Be familiar with the inside of dispensers and POS equipment inside the store
  • Conduct daily inspections of all POS equipment
  • Lock and secure POS terminals and server boxes
  • Utilize security tape over the CRIND doors on all dispensers
  • Control access to all POS terminals
  • Use video surveillance cameras
  • If you detect a skimming device at your location:
    • Contact your CITGO gasoline supplier and the CITGO payment card operations manager (cburke@CITGO.com) and provide your 8-digit CITGO location number, address, city, state and ZIP code
    • Shut down the dispenser or POS device and place an “Out of Service” sign on it
    • Save all security video and take pictures of the device dispenser
    • Contact your local law enforcement and provide them with a copy of the receipt from the last transaction

Additional Information

Payment Card Industry (PCI) Data Security Standard (DSS)

All CITGO locations transmitting on the CITGO Payment Card Network must have:

  • POS software and hardware components that meet the most current PCI PA-DSS (Payment Application Data Security Standards) or PCI SSF (Software Security Framework)
  • Policies and procedures in place to pass current PCI DSS for merchants
  • Installation and current use of a PCI DSS compliant firewall/MNSP device and service from a CITGO-authorized firewall service provider as listed in MarketNet
  • Segmentation of cardholder data and sensitive data from other systems - including the main office or remote access to the POS and/or fuel dispensers
  • Logging and tracking of all internet traffic connected to POS equipment and using the same internet connection as the POS. Consider enhanced or “smart” logging to identify threats to multiple systems from multiple sources. Contact your firewall provider for more details
    • Protect corporate data as if it were payment card data to avoid a security attack and having to pay a ransom in digital currency to decrypt your files. Enable Multi-Factor Authentication (MFA)
    • Physically secure all devices and hide access to plugs/ports with payment card information to avoid physical attacks through POS and PIN Pad fraudulent overlays and skimmers
    • Use strong passwords and change system default passwords in the POS, PIN Pads, Fuel/Site Controller, Electronic Payment Server, Fuel Dispensers, etc.
    • Only use/allow remote access when absolutely needed and require multi-factor authentication for access. Disable when not in use.
  • Passing quarterly external scans by a PCI Authorized Scanning Vendor (ASV)
  • PIN Pads that meet current PCI PTS (Payment Card Industry PIN Transaction Security) requirements as indicated in the POS Approved Systems matrix in MarketNet. All inside PIN Pads must accept PIN debit cards and be Contactless capable for EMV contactless (tap & pay) transactions.
  • Monthly tracking of all equipment, by serial number, that contains cardholder data to ensure equipment has not been compromised (e.g., PIN Pads, POS, Electronic Payment Server (Gilbarco EDH, NCR EPC5), Fuel Controller, etc.)
  • Monthly tracking of anti-virus software to ensure it is in place and set up for proper monitoring and mitigation of viruses and malware on all systems, including back office PCs, tank monitoring, etc.

Proof of PCI Compliance

CITGO Retailers are required to validate and be able to show proof of annual PCI DSS compliance. Here's how:

Suspected or Confirmed Data Breach?

  1. Email databreach@CITGO.com
  2. Contact CITGO IT Support Center: 832-486-HELP (4357) Staffed 24/7
  3. Indicate that you've had a data breach at a retail location