The hack doesn't appear to affect more secure chip cards, but many of the service stations haven't replaced card readers at the pumps yet. The data is apparently sent in an unencrypted form to the vendor's main network, where the thieves have figured out how to intercept it. The other problem is that the POS systems aren't firewalled off from other, less critical parts of the network, allowing thieves to gain lateral access once the network is breached.

There's not much cardholders can do to avoid the attacks, but Visa has advised fuel merchants to encrypt data while it's transferred or support chip-equipped cards. "Fuel dispenser merchants should take note of this activity and deploy devices that support chip [cards] wherever possible, as this will significantly lower the likelihood of these attacks," it advised in the December security alert.

Earlier this year, Visa announced that fuel merchants must deploy chip readers by October 2020. After that, any service stations without the new tech will be liable for any fraud. The problem is, many such businesses have very old technology and must replace the entire pump at an estimated cost of up to $250,000 per station. Spread across all the convenience stores in the US, the total hit has been estimated at around $22.5 billion on the very high end.

Update 12/17/2019 6:14 PM: Visa has clarified that it's the presence of a chip that makes cards more secure, not the PIN code. The post has been updated with the correct information.