Fraud Overview

12/25 - Updated Summary

Over the past several months, ongoing monitoring of station-level activity has allowed us to identify patterns of unauthorized use and implement ways to intervene. Based on these findings, we were able to temporarily shut down select locations or enforce targeted redemption restrictions, both of which significantly reduced improper activity.

More recently, recovering portions of the missing Fiserv CVD data and integrating it into Shift4's database has demonstrated the strength of verification controls, enabling us to secure transactions and significantly reduce unauthorized redemptions.

We continue to support impacted consumers and closely monitor redemption activity each day to quickly disrupt emerging patterns. In parallel, RPG is actively engaging with affected B2B customers to resolve their concerns and reinforce confidence in the program. We are committed to retaining every customer and demonstrating the strength of our partnership as well as our shared commitment to security and service.

07/25 - Based on the increased customer service calls RPG received in the month of May, it was determined that there was an extraordinary amount of unauthorized redemption activity occurring on Shell Gift Cards.

Activity review determined that the strongest area of unauthorized redemption activity was centered on the Los Angeles area; as mitigation steps were taken, the affected locations began to expand.

Upon deeper review, we identified unauthorized redemption activity on both Fiserv and Shift4 card numbers, including digital. Unauthorized access to Fiserv card PIN numbers also appears to be included in this activity.

Details

12/25 Check Balance

Balance check security enhancements on the consumer website.

  • Encrypted cart.
  • Instituted Auth Token on Reload, Check Balance, and Purchase (an account is required in order to check balance or reload).
  • Added an email validation to confirm the email exists prior to account creation.

07/25 Check Balance

Suspicious balance inquiry attempts on the RPG website with valid PINs on both Fiserv and Shift4 BINs (RPG and Shift4 check balances are currently shut down).

  • Before shutting down check balance, 82% of suspicious balance checks were successful on the first attempt (both Fiserv & Shift4 BINs).
  • Shift4 BIN balance checks were successful 79% for a total of 1,900 out of 2,400 attempts.
  • On a 4-digit PIN, there is a 1 in 9,999 chance of guessing the PIN correctly. This tells us they aren’t guessing the PIN number: they are in possession of it, as it is impossible to consistently beat those odds when guessing.
  • Shift4 puts the card in a frozen status after 5 or more invalid PIN attempts within 5 minutes. We discussed changing this to 3 once check balance is turned back on.
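The two observations above (first-attempt PIN success far above blind-guessing odds, and the freeze-after-5-failures rule) can be checked mechanically against balance-check logs. The Python below is an added illustration, not code from RPG or Shift4: the log lines, card references and timestamps are constructed, and the log format, the PinLockout class and the "100x guessing" margin are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of balance-check requests (not real data).
# Columns: ISO timestamp, masked card reference, 1 = PIN accepted / 0 = PIN rejected.
SAMPLE_LOG = """\
2025-06-01T10:00:00 card-A 1
2025-06-01T10:00:05 card-B 1
2025-06-01T10:00:07 card-C 0
2025-06-01T10:00:09 card-C 1
2025-06-01T10:00:12 card-D 1
2025-06-01T10:00:15 card-E 0
2025-06-01T10:00:16 card-E 0
2025-06-01T10:00:17 card-E 0
2025-06-01T10:00:18 card-E 0
2025-06-01T10:00:19 card-E 0
2025-06-01T10:00:20 card-E 0
2025-06-01T10:00:25 card-F 1
"""


def parse_log(text):
    """Return (timestamp, card, pin_ok) tuples sorted oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, ok = line.split()
        events.append((datetime.fromisoformat(ts), card, ok == "1"))
    events.sort(key=lambda e: e[0])
    return events


def first_attempt_success_rate(events):
    """Share of cards whose very first balance inquiry carried a valid PIN."""
    first_result = {}
    for _, card, ok in events:          # sorted, so the first sighting is the first attempt
        first_result.setdefault(card, ok)
    return sum(first_result.values()) / len(first_result)


def blind_guess_rate(pin_digits=4):
    """Probability that a single blind guess at an all-numeric PIN is right."""
    return 1 / 10 ** pin_digits


def pins_appear_known(events, pin_digits=4, margin=100):
    """Flag when first-attempt success exceeds blind guessing by a wide margin:
    the page's argument that the PINs are possessed, not guessed."""
    return first_attempt_success_rate(events) > margin * blind_guess_rate(pin_digits)


class PinLockout:
    """Freeze a card after `max_failures` rejected PINs inside a sliding `window`
    (the page: 5 failures within 5 minutes today, 3 proposed)."""

    def __init__(self, max_failures=5, window=timedelta(minutes=5)):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)   # card -> timestamps of recent failures
        self.frozen = {}                      # card -> time the freeze was applied

    def record(self, ts, card, pin_ok):
        """Return True when the request must be rejected (card frozen)."""
        if card in self.frozen:
            return True                       # frozen cards stay blocked even with a valid PIN
        if pin_ok:
            return False
        recent = self._failures[card]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                  # forget failures that fell out of the window
        if len(recent) >= self.max_failures:
            self.frozen[card] = ts
            return True
        return False


def apply_lockout(events, max_failures=5):
    """Replay the log through PinLockout and return the cards it would have frozen."""
    lock = PinLockout(max_failures=max_failures)
    for ts, card, ok in events:
        lock.record(ts, card, ok)
    return lock.frozen


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print(f"first-attempt success: {first_attempt_success_rate(ev):.1%} "
          f"(blind guessing: {blind_guess_rate():.2%})")
    print("PINs appear known:", pins_appear_known(ev))
    print("frozen with 5-failure rule:", apply_lockout(ev, 5))
    print("frozen with 3-failure rule:", apply_lockout(ev, 3))
```

On the constructed sample, four of six cards succeed on their first inquiry, orders of magnitude above the blind-guess rate, and card-E is frozen at its fifth rejected PIN under the current rule (its third under the proposed setting). Replaying real logs through `apply_lockout` with both thresholds is a cheap way to see how many genuine cardholders the tighter rule would catch before it is switched on.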

07/25 Action Taken

RPG access to additional Shift4 Data

Shift4 has denied the request

RPG has requested that Shift4 increase our access to card activity on the gift card portal. The ability to see invalid attempts and the full picture of activity will help us identify the root cause of the suspicious check balance activity.

Shift4 to Freeze Inactive Card if Redemption Attempt

Complete

RPG identified that there is no rule in place within Shift4 to freeze a card if a redemption attempt occurs on a card that has never been activated. This was a legacy fraud rule in place on Fiserv since 2016 at the recommendation of RPG.

RPG continues to work with Shift4 on the enablement of this rule.

  • Rule was implemented within Shift4 on May 12.
  • Rule is set up to fire after the 2nd redemption attempt. Per Shift4, there is no option to freeze a card after the 1st redemption attempt.
  • Still in testing phase, awaiting confirmation of rule details from Shift4 based on RPG testing. Email sent to Shift4 6/23.

New Rule: Redemption <$1 Freeze Card

Complete

The <$1 Rule and removing the LA market have slowed down the fraudulent redemptions. More than 50% of the cards placed on hold due to the <$1 Rule have been confirmed as fraudulent redemptions. Initial results showed the <$1 Rule helped to identify over 1,700 confirmed compromised cards.

Current status: Rule is working, however bad actors are adapting.

Temporarily Shut Down Los Angeles Region

Complete

Due to the extreme volume of fraud attempts being conducted at Shell locations in the LA region, 491 Shell sites were shut down from allowing gift card transactions. This remained in effect for 14 days.

Current status: LA sites were turned back on Monday, June 16.
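The three controls described above (freeze on the second redemption attempt against a never-activated card, freeze on any redemption under $1, and the temporary site shutdown) can be expressed as rules in a small redemption-decision loop. The Python below is an added example, not Shift4's rule engine or RPG's code: the cards, balances, amounts and site identifiers are constructed, and the rule ordering, the action vocabulary (approve/decline/freeze) and the function names are assumptions. The inactive-card rule is parameterized so the first-attempt variant the page describes on legacy Fiserv is a setting change rather than new code.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Card:
    number: str                 # constructed identifier, not a real card number
    activated: bool
    balance: Decimal
    frozen: bool = False
    freeze_reason: Optional[str] = None
    inactive_attempts: int = 0  # redemption attempts seen while never activated


@dataclass
class Redemption:
    card: str
    amount: Decimal
    site: str


# A rule inspects a card and a redemption and returns (action, reason) or None to pass.
Rule = Callable[[Card, Redemption], Optional[Tuple[str, str]]]


def rule_blocked_sites(blocked: Set[str]) -> Rule:
    """Temporary site shutdown: decline without touching the card's status."""
    def rule(card: Card, txn: Redemption):
        if txn.site in blocked:
            return ("decline", "gift card transactions suspended at site")
        return None
    return rule


def rule_inactive_card(attempts_to_freeze: int = 2) -> Rule:
    """Freeze on the Nth redemption attempt against a card that was never activated
    (2 as configured in Shift4 per the page; 1 would mirror the legacy Fiserv rule)."""
    def rule(card: Card, txn: Redemption):
        if card.activated:
            return None
        card.inactive_attempts += 1
        if card.inactive_attempts >= attempts_to_freeze:
            return ("freeze", "redemption attempt on never-activated card")
        return ("decline", "card not activated")
    return rule


def rule_small_redemption(threshold: Decimal = Decimal("1.00")) -> Rule:
    """Freeze on a sub-threshold redemption, the probe pattern the <$1 Rule targets."""
    def rule(card: Card, txn: Redemption):
        if txn.amount < threshold:
            return ("freeze", f"redemption below ${threshold}")
        return None
    return rule


def process(cards: Dict[str, Card], txns: List[Redemption], rules: List[Rule]):
    """Run each redemption through the rules in order; the first rule to speak decides."""
    decisions = []
    for txn in txns:
        card = cards[txn.card]
        if card.frozen:
            decisions.append((txn.card, "decline", f"card frozen: {card.freeze_reason}"))
            continue
        outcome = None
        for rule in rules:
            outcome = rule(card, txn)
            if outcome:
                break
        if outcome is None:                       # no rule fired: ordinary authorization
            if txn.amount > card.balance:
                outcome = ("decline", "insufficient funds")
            else:
                card.balance -= txn.amount
                outcome = ("approve", "")
        action, reason = outcome
        if action == "freeze":
            card.frozen = True
            card.freeze_reason = reason
        decisions.append((txn.card, action, reason))
    return decisions


def demo():
    """Constructed scenario covering all three rules plus a frozen-card retry."""
    cards = {
        "C1": Card("C1", activated=True, balance=Decimal("50.00")),
        "C2": Card("C2", activated=False, balance=Decimal("0.00")),
        "C3": Card("C3", activated=True, balance=Decimal("20.00")),
    }
    txns = [
        Redemption("C1", Decimal("0.50"), "site-001"),     # sub-$1 probe -> freeze
        Redemption("C2", Decimal("10.00"), "site-001"),    # 1st attempt on inactive card
        Redemption("C2", Decimal("10.00"), "site-002"),    # 2nd attempt -> freeze
        Redemption("C3", Decimal("5.00"), "LA-site-117"),  # site under temporary shutdown
        Redemption("C3", Decimal("5.00"), "site-003"),     # normal redemption
        Redemption("C1", Decimal("5.00"), "site-003"),     # card already frozen
    ]
    rules = [rule_blocked_sites({"LA-site-117"}), rule_inactive_card(2), rule_small_redemption()]
    return process(cards, txns, rules), cards


if __name__ == "__main__":
    for decision in demo()[0]:
        print(decision)
```

Keeping the site shutdown as a decline rather than a freeze matters: a legitimate cardholder who happened to be in the LA region during the 14-day window should get their card back unchanged when the sites are turned on again, while the two card-level rules deliberately leave a durable status that customer service can act on.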

Websites Check Balance Shutdown

Complete

RPG experienced bot attempts on the Check Balance function on our website. On June 4, RPG and Shift4 shut down check balance functionality on the websites.

Current status: Check balance functionality is still turned off.

12/25 UPDATE

Working closely with CMSPI to track fraud activity.

CMSPI is receiving daily transactional data and using it to analyze patterns of usage to help guide targeted actions.

07/02/25 - Request from CMSPI

I (Jake) have spoken to our Fraud Team, and they provided me with some data points that we would need from RPG and/or GiveX to assist you with the current gift card issue. We believe we can get started with the following data points:

  • All balance checks/transfers for the past three months. All non-PII (personally identifiable information) for these transactions.
  • All redemptions for $2 or less for the past three months. All non-PII (personally identifiable information) for these transactions.

07/02/25 From Lauren

CMSPI is going to be assisting with analyzing our BIN range to try and identify a pattern that could tell us what portion of the range is impacted. This is the initial information they are requesting, but I anticipate there might be additional asks as they work through the data. I’ve asked them to share their preference on how to securely transfer the data and we can discuss during today’s meeting.

07/25 Redemption Activity

High level summary of suspicious redemption activity occurring from the new Shift4 BIN. Information is through May and remains fluid.

Corporate

  • Physical: Shift4 BIN recently launched, too early for assessment
  • Digital: 51 known cards

Consumer

  • Physical: Shift4 BIN recently launched, too early for assessment
  • Digital: 12 known cards

3rd Party - BHN

  • Physical: 3 known cards
  • Digital: Shift4 BIN recently launched, too early for assessment

3rd Party - InComm

  • Physical: Shift4 BIN recently launched, too early for assessment
  • Digital: Shift4 BIN recently launched, too early for assessment

Shell Dealers

  • Physical: Shift4 BIN recently launched, too early for assessment

07/25 Card Security Comparison

It appears the 19th digit in the new Shift4 card sequence is generated by the Luhn Algorithm, like the legacy Fiserv card.

  • The Luhn Algorithm can be figured out simply by pasting bulk card numbers into free online software or an Excel spreadsheet.
  • As a result, this leaves a 1 in 10 chance of guessing the middle validation digit.
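The Luhn point above can be made concrete. The check digit is a public arithmetic rule designed to catch keying errors, so for any given prefix exactly one of the ten possible final digits validates, which is the 1-in-10 figure in the bullet. The Python below is an added example, not code from the page or from Shift4/Fiserv: the 11-digit number is the standard textbook Luhn example and the 18-digit payload is constructed; neither is a real card. It is written from the defender's side, as the input sanity check a balance-check form would run before calling the processor, and it shows why that check must not be mistaken for an authentication control.

```python
def luhn_sum(digits: str) -> int:
    """Luhn sum: from the right, double every second digit, fold results above 9
    down to a single digit, and add everything up."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """True when the full number, check digit included, passes the Luhn check."""
    return number.isdigit() and len(number) >= 2 and luhn_sum(number) % 10 == 0


def luhn_check_digit(payload: str) -> int:
    """The single digit that makes payload + digit Luhn-valid."""
    return (10 - luhn_sum(payload + "0") % 10) % 10


def valid_final_digits(payload: str):
    """Every final digit that would validate for this payload. There is always exactly
    one, which is the page's 1-in-10 observation: the check digit carries no secret."""
    return [d for d in range(10) if luhn_valid(payload + str(d))]


def balance_check_input_ok(number: str, expected_length: int = 19) -> bool:
    """Front-door sanity check for a card number typed into a balance-check form.
    Rejects mistyped numbers before they reach the processor; it does nothing to stop
    someone who already holds valid numbers, which is why the PIN (or CVD) must carry
    the authentication."""
    return len(number) == expected_length and luhn_valid(number)


def demo():
    textbook = "79927398713"               # standard Luhn example from the literature, not a card
    constructed = "123456789012345678"     # constructed 18-digit payload, not a real card
    full = constructed + str(luhn_check_digit(constructed))
    return {
        "textbook_valid": luhn_valid(textbook),
        "typo_detected": not luhn_valid("79927398718"),   # last digit mistyped
        "textbook_check_digit": luhn_check_digit("7992739871"),
        "candidates_for_constructed": valid_final_digits(constructed),
        "constructed_input_ok": balance_check_input_ok(full),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The practical reading for the balance-check page: Luhn validation is worth keeping because it saves a round trip on typos, but every control that actually decides whether a request is legitimate (PIN, account token, rate limiting) has to sit behind it.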

Recommendations / Requests

12/25 - Shift4 Items

List of items Shift4 is lacking and currently working through enhancing/developing:

  • Inability to complete full fraud reviews due to lack of information or system set-up within Shift4.
  • Original activations for 3rd party gift cards do not include activation location information. *RPG was told to obtain this information from InComm and BHN through their reporting; it is not available from Shift4.
  • Previously we were able to see which grocery/retail store activated a card within the card's history.
  • Any cards put into a fraud, dead, or cancelled status are not included in any reporting; the status omits them. *Still a work in progress; RPG to provide a list of all reports we want to include fraud status and/or other statuses.
  • RPG is unable to determine the total number of cards that have been labeled as fraud within Shift4.
  • Any cards put into a fraud, dead, or cancelled status cannot be reverted or have comments/notes added. *We will never be able to revert card status, but there is a short-term workaround available to add a comment, though only under the Shell Oil merchant profile.
  • RPG should always have the ability to undo any action and should always be able to add notes or a memo to a card number regardless of its status.
  • Declined transactions do not appear within transaction history. *No update. Shell supported the need and even mentioned this item was worth development.
  • Previously we would see the failed transaction and why it failed, e.g. declined due to insufficient funds.
  • Without this visibility we are unable to troubleshoot and provide service to cardholders/Dealers/Shell Support teams.
  • Not customer service related, but a major item impacting our day-to-day operations: RPG has to activate all Shell orders manually by keying in ranges or building files for upload. *Still a work in progress; RPG and Shift4 to reconvene in the coming weeks to revisit and work on testing a script solution.
  • Shift4 had assured us that API activations would be available using only the serial number. However, when we began the activation process, we learned that wasn’t feasible, and we’ve been manually managing activations ever since the transition.
  • Elana mentioned she may have a solution, but we haven’t received one yet. We’re reaching a point where we can’t sustain the current setup through Q4, especially with the replacement backlog we’ll be working to clear quickly.

RPG Recommendations

07/25 - RPG access to additional Shift4 Data

When Shift4 grants RPG the requested access, RPG will dig into known cards that have been stolen. We will be looking for invalid PIN attempts on these cards and any other trends.

  • If the Shift4 data confirms there have not been invalid attempts, that would further suggest that the PINs are known/compromised (fraudsters cannot guess a 1 in 9,999 number on the first try).
  • In this scenario, all cards in production should be considered as “at risk” (same BIN, same card sequence, etc.).
  • The root cause of how these PINs were known needs to be identified/addressed prior to creating new cards (the open gap could still be active).

07/25 - PIN Requirement for Redemption

RPG recommends that Shell require PIN validation at the pump for redemption.

  • Even if card sequences are known, fraudsters would not be able to make a redemption without knowing the PIN. This will make Shell less vulnerable to this type of activity.

07/25 - Track 2 Data

Review the Track 2 data configuration to improve/add additional security to the redemption process.

  • Track 2 data can act similarly to a PIN without adding friction at the pump.
  • Shift4 is already receiving Track 2 data so the infrastructure is in place.
  • Fiserv utilized Track 2 data, Shift4 does not.

12/25 - Track 2 Data UPDATE

RPG worked to obtain any available CVD data from printer files: 38M of the 56M cards produced since the beginning of 2018. Efforts continue to gain access to older produced cards via Fiserv.

Shift4 developed Track 2 CVD data for all new card production; Shell has tested and the cards are in production.
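The Track 2 / CVD items above (Track 2 data acting like a PIN without pump friction, and a card base where CVD has been recovered for some cards but not yet for others) can be illustrated as a verification step at redemption time. The Python below is an added example, not Shift4's implementation and not RPG's code. It assumes an ISO/IEC 7813-style track 2 layout (PAN, field separator, YYMM expiry, 3-digit service code, discretionary data) with the CVD at an assumed offset inside the discretionary field; the real Shell/Shift4 layout is not on the page. PANs, CVD values and the key are constructed. Rather than keeping raw CVDs on file, it stores a keyed hash, and it makes the "no CVD on file" case an explicit policy decision so the not-yet-recovered cards are neither silently approved nor silently declined.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Track2:
    pan: str
    expiry: str          # YYMM
    service_code: str
    discretionary: str   # issuer-defined field; the CVD is assumed to live here


def parse_track2(raw: str) -> Track2:
    """Parse an ISO/IEC 7813-style track 2 string such as ';PAN=YYMMSSSddd...?'.
    Start/end sentinels are optional; the LRC is assumed stripped by the reader."""
    body = raw.strip()
    if body.startswith(";"):
        body = body[1:]
    if body.endswith("?"):
        body = body[:-1]
    pan, sep, rest = body.partition("=")
    if not sep or not pan.isdigit() or not 1 <= len(pan) <= 19:
        raise ValueError("malformed PAN or missing field separator")
    if len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("expiry and service code missing")
    return Track2(pan, rest[:4], rest[4:7], rest[7:])


CVD_OFFSET, CVD_LENGTH = 0, 3   # assumed position of the CVD inside discretionary data


def presented_cvd(t: Track2) -> str:
    cvd = t.discretionary[CVD_OFFSET:CVD_OFFSET + CVD_LENGTH]
    if len(cvd) != CVD_LENGTH or not cvd.isdigit():
        raise ValueError("CVD absent from track 2")
    return cvd


def cvd_tag(key: bytes, pan: str, cvd: str) -> str:
    """Keyed hash kept on file instead of the raw CVD, so a copy of the store alone
    does not hand out CVDs (a design choice for the example, not a page claim)."""
    return hmac.new(key, f"{pan}:{cvd}".encode(), hashlib.sha256).hexdigest()


def register_cvd(store: Dict[str, str], key: bytes, pan: str, cvd: str) -> None:
    """Load one recovered CVD (e.g. from the printer-file recovery) into the store."""
    store[pan] = cvd_tag(key, pan, cvd)


def verify_redemption(raw_track2: str, store: Dict[str, str], key: bytes,
                      missing_policy: str = "review") -> Tuple[str, str]:
    """Return (decision, reason) for a redemption based on the track 2 CVD.
    Cards with no CVD on file follow missing_policy ('review' or 'decline')."""
    try:
        t = parse_track2(raw_track2)
        cvd = presented_cvd(t)
    except ValueError as exc:
        return ("decline", f"track 2 rejected: {exc}")
    expected = store.get(t.pan)
    if expected is None:
        return (missing_policy, "no CVD on file")
    if hmac.compare_digest(cvd_tag(key, t.pan, cvd), expected):
        return ("approve", "CVD match")
    return ("decline", "CVD mismatch")


def demo():
    """Constructed cases: match, wrong CVD, card not yet recovered, unparseable swipe."""
    key = b"constructed-demo-key-not-for-production"
    store: Dict[str, str] = {}
    register_cvd(store, key, "6001230000000000015", "482")   # constructed PAN/CVD pair
    cases = {
        "match": ";6001230000000000015=27121014820000?",
        "mismatch": ";6001230000000000015=27121019990000?",
        "no_cvd_on_file": ";6001230000000000023=27121013310000?",
        "malformed": "6001230000000000015271210148200",
    }
    return {name: verify_redemption(raw, store, key) for name, raw in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `missing_policy` switch is the operational knob: while the remaining cards are being recovered from Fiserv, routing them to review keeps legitimate older cards working; once the CVD coverage is complete for a BIN range, flipping that range to `decline` gives the Track 2 check the same weight as a PIN.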

07/25 - Explore Other Viable Solutions

Explore other viable solutions, such as a potential backend data configuration; as an example, create a 21 digital BIN for the Master card in App.

07/25 - Strategic Solutions from Shift4

Continue to encourage Shift4 to provide strategic solutions.

  • As an example, for digital cards, fulfill orders with a random card number vs. the next in batch. RPG will need to confirm their current process to see if this is an option.

07/25 - Physical Gift Card Production

WestRock Card Manufacturing has been the single source for all physical Shell Gift Card production. Shell cards were produced at their Woodridge, IL location. In addition to Shell, cards for Amazon, Google, Apple, Target, Best Buy, and Home Depot, to name a few, are manufactured at this location. WestRock also has plants in Dallas, TX and Guangzhou, China.

  • Artwork: RPG provides approved card artwork to WestRock.
  • Data Request: RPG places various data orders with Shift4 (based on channel requirements; see below).
  • Redemption Data: Shift4 sends card redemption data directly to WestRock via SFTP.
  • 3rd Party Activation Data: BHN and InComm send card activation data directly to WestRock via SFTP. WestRock merges activation/redemption data for 3rd party production.
  • Printer Data Storage: Data sits at rest on a secure server in an encrypted state.
  • Card Production: Files sent directly from server to machine for production.

07/25 - Digital Card Production

Digital Shell eGift Cards launched August 2023. Digital Shell eGift Card numbers are all produced and stored with Shift4. Digital card distribution to recipients goes directly from Shift4 to recipient via unique link in recipient email that provides access to their card number and PIN.

  • RPG is not included on, and does not receive, any of these emails/files.

For B2B customers requesting bulk order, Shift4 sends an excel file via email directly to the B2B customer.

  • RPG is not included on, and does not receive, any of these emails/files.

07/25 - Physical Gift Cards

RPG has access to card numbers but no access to other card data including PIN. Consumer Physical Order Process (high-level):

  • Upon a completed (paid) order on the website, RPG fulfills the order with in-house inventory.
  • RPG ships inactive physical cards via USPS and FedEx.
  • RPG monitors FedEx deliveries and activates cards via the Shift4 portal upon delivery. USPS orders are activated within 1-2 business days.

B2B Physical Order Process (high-level):

  • Upon a completed (paid) order, RPG fulfills B2B physical orders with in-house inventory.
  • RPG ships inactive physical cards via FedEx, UPS, and USPS to B2B customers.
  • RPG monitors FedEx deliveries and activates cards via the Shift4 portal upon delivery. USPS orders are activated within 1-2 business days.

07/25 - Digital eGift Cards

RPG has access to card numbers via the Shift4 portal, but no access to other card data including the PIN. RPG is not included on, and does not receive, any emails/files with card numbers or data.

Consumer Digital Order Process (high-level):

  • Upon a completed (paid) order on the website, Shift4 sends the recipient an email that contains a unique link providing access to their card number and PIN (in the browser).

B2B Digital Order Process (high-level):

  • Upon payment, RPG triggers the delivery via the Shift4 portal, as bulk or individual fulfillment.
  • For B2B individual fulfillment, Shift4 distributes the card directly to the recipient via an email that includes a unique link providing access to their card number and PIN.
  • For B2B bulk fulfillment, Shift4 sends an Excel file via email directly to the B2B customer.

07/25 - Questions from Shell

Q: Is there any correlation to the legacy cards being mapped to Shift4 card numbers in the system (that started in Oct/Nov) and could this mean it’s the Shift4 BIN primarily impacted, or did we see this type of fraud prior to any mapping to the Shift4 range?

A: For clarity, legacy card numbers are not mapped to Shift4 card numbers. Shift4 received legacy card numbers from Fiserv and they remain Fiserv numbers.

Historically there have been scenarios where card numbers are figured out based on the cards being sequential. This involved guessing the check digit. Back in 2016 there were fraud rules implemented on the Fiserv end to help mitigate card testing at the pump, along with enhancements to the RPG balance inquiry page. Together, these enhancements deterred the majority of card testing attempts. It would be virtually impossible to test card numbers on the RPG site unless the PIN was known. Based on our knowledge/analysis, the difference now is fraudsters seem to know the PINs. Historically (prior to Shift4), this was not something we saw.

Q: For bulk orders, are we able to ship inactive and have the primary recipient call/email to activate on receipt of shipment? If Shift4 has implemented a preventative measure to mitigate fraud on inactive gift cards, could this help?

A: For bulk orders, RPG has always had a unique process to avoid in-transit fraud on our shipments. RPG ships cards inactive and activates upon delivery. We are integrated with FedEx automated tracking to monitor the progress of shipments and activate the cards after shipments have been delivered.

Reporting

California Fraud Replacements - Unauthorized Transactions

April ($36,156)
May ($113,705)
June ($584,086)
July ($505,820)
August ($409,850)
September ($294,547)
October ($329,555)
November ($145,053)

B2B Sales Impact

RPG continues to analyze the impact of the fraud within the B2B channel. We have seen fraud impact a portion of our customer base that represents a large volume of regular revenue.