Fraud Overview

Summary

Based on the increase in customer service calls RPG received in May, it was determined that an extraordinary amount of unauthorized redemption activity was occurring on Shell Gift Cards.

Activity review determined that the strongest concentration of unauthorized redemption activity was centered on the Los Angeles area, but as mitigation steps were taken, the locations began to expand.

Upon deeper review, we identified unauthorized redemption activity on both Fiserv and Shift4 card numbers, including digital cards. Unauthorized access to Fiserv card PINs also appears to be part of this activity.

Details

Check Balance

Suspicious balance inquiry attempts were made on the RPG website with valid PINs on both Fiserv and Shift4 BINs (RPG and Shift4 check balance functions are currently shut down).

  • Before check balance was shut down, 82% of suspicious balance checks were successful on the first attempt (both Fiserv & Shift4 BINs).
  • Shift4 BIN balance checks were successful 79% of the time, 1,900 out of 2,400 attempts.
  • On a 4-digit PIN there is a 1 in 10,000 chance of guessing the PIN correctly on a single attempt. This tells us they are not guessing the PIN; they are in possession of it, as it is impossible to consistently beat those odds by guessing.
  • Shift4 puts the card in a frozen status after 5 or more invalid PIN attempts within 5 minutes. We discussed changing this to 3 once check balance is turned back on.

Redemption Activity

High-level summary of suspicious redemption activity occurring on the new Shift4 BIN. Information is through May and remains fluid.

Corporate

  • Physical: Shift4 BIN recently launched, too early for assessment
  • Digital: 51 known cards

Consumer

  • Physical: Shift4 BIN recently launched, too early for assessment
  • Digital: 12 known cards

3rd Party - BHN

  • Physical: 3 known cards
  • Digital: Shift4 BIN recently launched, too early for assessment

3rd Party - InComm

  • Physical: Shift4 BIN recently launched, too early for assessment
  • Digital: Shift4 BIN recently launched, too early for assessment

Shell Dealers

  • Physical: Shift4 BIN recently launched, too early for assessment

Card Security Comparison

It appears the 19th digit in the new Shift4 card sequence is a Luhn check digit, as it was on the legacy Fiserv card.

  • The Luhn algorithm can be recognized simply by pasting bulk card numbers into free online software or an Excel spreadsheet; once recognized, the check digit for any candidate card number can be computed rather than guessed.
  • Even without recognizing the algorithm, a single validation digit leaves a 1 in 10 chance of guessing it correctly, so the check digit adds little protection on its own.
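As an added example, not taken from this report or from any Shift4 or Fiserv code, the Python below shows what "pasting bulk card numbers into a spreadsheet" reveals: a batch whose last digits all pass the Luhn check is almost certainly Luhn-terminated (a batch with random last digits passes only about 1 in 10 per number), after which the check digit for any candidate number can be computed rather than guessed, and a batch issued "next in sequence" can be enumerated from a single known card. It also shows the random-issuance alternative raised later under Strategic Solutions from Shift4. The 4-digit prefix "7000" and every card number here are constructed for illustration and are not real BINs or cards.

```python
# Added example (not from the report): recognising a Luhn check digit in a
# batch of card numbers, enumerating a sequential batch, and the random
# issuance alternative. All numbers are constructed; "7000" is not a real BIN.
import secrets


def luhn_check_digit(payload: str) -> str:
    """Return the digit that makes payload + digit pass the Luhn (mod 10) check."""
    total = 0
    # Walk from the rightmost payload digit; it is doubled first because the
    # check digit appended to its right occupies the undoubled position.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the Luhn check digit of the preceding digits."""
    return number[-1] == luhn_check_digit(number[:-1])


def looks_like_luhn_batch(numbers) -> bool:
    """The spreadsheet test: if every number in a batch passes Luhn, the last
    digit is almost certainly a Luhn check digit (chance for n random last
    digits is 1 in 10**n)."""
    return all(luhn_valid(n) for n in numbers)


def sequential_batch(bin_prefix: str, start: int, count: int, total_len: int = 19):
    """'Next in batch' issuance: prefix + incrementing account part + check digit."""
    body_len = total_len - len(bin_prefix) - 1
    out = []
    for n in range(start, start + count):
        payload = bin_prefix + str(n).zfill(body_len)
        out.append(payload + luhn_check_digit(payload))
    return out


def neighbours(card: str, span: int):
    """Given one card from a sequential batch, produce the valid card numbers
    on either side of it. This is the exposure sequential issuance creates:
    one leaked card points at its neighbours, check digit included."""
    payload = card[:-1]
    width = len(payload)
    out = []
    for k in range(-span, span + 1):
        if k == 0:
            continue
        p = str(int(payload) + k).zfill(width)
        out.append(p + luhn_check_digit(p))
    return out


def random_card(bin_prefix: str, total_len: int = 19) -> str:
    """The alternative: fill the account part from a CSPRNG so that knowing one
    card says nothing about the next one issued. Still Luhn-terminated so the
    number stays well-formed for existing validation."""
    body_len = total_len - len(bin_prefix) - 1
    payload = bin_prefix + "".join(str(secrets.randbelow(10)) for _ in range(body_len))
    return payload + luhn_check_digit(payload)


if __name__ == "__main__":
    batch = sequential_batch("7000", 1, 5)
    print("batch passes Luhn:", looks_like_luhn_batch(batch))
    print("neighbours of", batch[2], "->", neighbours(batch[2], 2))
    print("random issue:", random_card("7000"))
```

A check digit is integrity, not secrecy: it stops a mistyped number from being accepted, and nothing more. Whether the remaining 18 digits are guessable depends entirely on how the account portion is assigned, which is why the random-versus-sequential question matters more than the algorithm.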

Action Taken

RPG access to additional Shift4 Data

Shift4 has denied the request

RPG has requested that Shift4 increase our access to card activity on the gift card portal. The ability to see invalid attempts and the full picture of activity will help us identify root cause of suspicious check balance activity. 

Shift4 to Freeze Inactive Card if Redemption Attempt

Complete

RPG identified that there was no rule in place at Shift4 to freeze a card if a redemption attempt occurs on a card that has never been activated. This was a legacy fraud rule in place on Fiserv since 2016 at the recommendation of RPG.

RPG continues to work with Shift4 on the enablement of this rule.

  • Rule was implemented within Shift4 on May 12.
  • Rule is set up to fire after the 2nd redemption attempt. There is no option to freeze a card after the 1st redemption attempt, per Shift4.
  • Still in testing phase, awaiting confirmation of rule details from Shift4 based on RPG testing. Email sent to Shift4 6/23.

New Rule: Redemption <$1 Freeze Card

Complete

The <$1 Rule and shutting down the LA market have slowed the fraudulent redemptions. More than 50% of the cards placed on hold due to the <$1 Rule have been confirmed as fraudulent redemptions. Initial results showed the <$1 Rule helped identify over 1,700 confirmed compromised cards.

Current status: Rule is working; however, bad actors are adapting.
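The three freeze rules discussed above (invalid PIN lockout after 5 attempts within 5 minutes, with a proposed change to 3; freeze after the 2nd redemption attempt on a never-activated card; freeze on a redemption under $1) as an added, illustrative Python implementation run over a constructed event log. This is not Shift4's rules engine: the event format, field names, thresholds and card numbers are assumptions made for the example. The thresholds are parameters so that the 5-to-3 PIN change and a higher redemption floor (such as the $2-or-less cut CMSPI asks for later in this document) can be compared on the same log, which also shows how a $1.50 probe clears the <$1 rule unchanged.

```python
# Added example (not from the report): the freeze rules described above,
# applied to a constructed event log. Event shape, names and thresholds are
# assumptions for illustration; card numbers are made up on a fake prefix.
from collections import defaultdict, deque
from datetime import datetime, timedelta


def card(suffix: str) -> str:
    """Constructed 19-digit card number on a made-up prefix (not a real BIN)."""
    return "7000000000000000" + suffix


# Constructed event log: (ISO timestamp, card, event type, detail).
#   activation     detail unused
#   balance_check  detail is "pin_ok" or "pin_bad"
#   redemption     detail is the amount in USD
EVENTS = [
    # 017: normal card, activated then redeemed
    ("2025-06-01T10:00:00", card("017"), "activation", ""),
    ("2025-06-01T10:05:00", card("017"), "redemption", 42.10),
    # 025: never activated, redemption attempted twice (rule fires on the 2nd)
    ("2025-06-01T11:00:00", card("025"), "redemption", 30.00),
    ("2025-06-01T11:01:00", card("025"), "redemption", 30.00),
    # 033: activated, then a sub-dollar probe at the pump
    ("2025-06-01T12:00:00", card("033"), "activation", ""),
    ("2025-06-01T12:10:00", card("033"), "redemption", 0.50),
    # 041: six invalid PINs in under three minutes (rule fires on the 5th)
    ("2025-06-01T13:00:00", card("041"), "balance_check", "pin_bad"),
    ("2025-06-01T13:00:30", card("041"), "balance_check", "pin_bad"),
    ("2025-06-01T13:01:00", card("041"), "balance_check", "pin_bad"),
    ("2025-06-01T13:01:30", card("041"), "balance_check", "pin_bad"),
    ("2025-06-01T13:02:00", card("041"), "balance_check", "pin_bad"),
    ("2025-06-01T13:02:30", card("041"), "balance_check", "pin_bad"),
    # 058: four invalid PINs in two minutes (under a threshold of 5, over 3)
    ("2025-06-01T14:00:00", card("058"), "balance_check", "pin_bad"),
    ("2025-06-01T14:00:40", card("058"), "balance_check", "pin_bad"),
    ("2025-06-01T14:01:20", card("058"), "balance_check", "pin_bad"),
    ("2025-06-01T14:02:00", card("058"), "balance_check", "pin_bad"),
    # 066: the adapted pattern, a $1.50 probe that clears the <$1 rule
    ("2025-06-01T15:00:00", card("066"), "activation", ""),
    ("2025-06-01T15:05:00", card("066"), "redemption", 1.50),
]


def apply_rules(events, pin_attempts=5, pin_window=timedelta(minutes=5),
                inactive_attempts=2, min_redemption=1.00):
    """Return {card: reason} for every card the rules would freeze.

    pin_lockout            >= pin_attempts invalid PINs inside pin_window
    inactive_redemption    the inactive_attempts-th redemption attempt on a
                           card that has never been activated
    low_value_redemption   a redemption below min_redemption on an active card
    Once frozen, a card's later events are rejected and not re-evaluated.
    """
    frozen = {}
    activated = set()
    bad_pins = defaultdict(deque)    # card -> timestamps of recent invalid PINs
    inactive_reds = defaultdict(int)  # card -> redemption attempts while inactive

    for ts, c, kind, detail in sorted(events, key=lambda e: e[0]):
        if c in frozen:
            continue
        when = datetime.fromisoformat(ts)
        if kind == "activation":
            activated.add(c)
        elif kind == "balance_check":
            if detail != "pin_bad":
                continue
            window = bad_pins[c]
            window.append(when)
            while window and when - window[0] > pin_window:
                window.popleft()  # drop attempts that aged out of the window
            if len(window) >= pin_attempts:
                frozen[c] = "pin_lockout"
        elif kind == "redemption":
            if c not in activated:
                inactive_reds[c] += 1
                if inactive_reds[c] >= inactive_attempts:
                    frozen[c] = "inactive_redemption"
            elif float(detail) < min_redemption:
                frozen[c] = "low_value_redemption"
    return frozen


if __name__ == "__main__":
    for c, reason in sorted(apply_rules(EVENTS).items()):
        print(c, reason)
```

Run as written, the log freezes cards 025, 033 and 041 and leaves 058 and 066 alone; dropping the PIN threshold to 3 catches 058, and raising the redemption floor to $2 catches the $1.50 probe on 066. The per-card timestamp window is what makes the 5-in-5-minutes rule different from a plain counter: attempts that age out are forgotten, so a slow attacker is not locked out, which is the trade-off behind the proposal to lower the count.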

Temporarily Shut Down Los Angeles Region

Complete

Due to the extreme volume of fraud attempts being conducted at Shell locations in the LA region, 491 Shell sites were blocked from processing gift card transactions. This remained in effect for 14 days.

Current status:  LA sites were turned back on Monday, June 16. 

Websites Check Balance Shutdown

Complete

RPG experienced bot attempts on the Check Balance function on our website. On June 4, RPG and Shift4 shut down check balance functionality on the websites.

Current status:  Check balance functionality is still turned off.

Request from CMSPI (07/02/25)

I (Jake) have spoken to our Fraud Team, and they provided me with some data points that we would need from RPG and/or GiveX to assist you with the current gift card issue. We believe we can get started with the following data points:

  • All balance checks/transfers for the past three months, non-PII only (no personally identifiable information for these transactions).
  • All redemptions for $2 or less for the past three months, non-PII only (no personally identifiable information for these transactions).

From Lauren (07/02/25)

CMSPI is going to be assisting with analyzing our BIN range to try and identify a pattern that could tell us what portion of the range is impacted. This is the initial information they are requesting, but I anticipate there might be additional asks as they work through the data. I’ve asked them to share their preference on how to securely transfer the data and we can discuss during today’s meeting.

Recommendations / Requests

RPG Recommendations

RPG access to additional Shift4 Data

When Shift4 grants RPG the requested access, RPG will dig into known cards that have been stolen. We will be looking for invalid PIN attempts on these cards and any other trends.

  • If the Shift4 data confirms there have not been invalid attempts, that would further suggest that the PINs are known/compromised (fraudsters cannot guess a 1 in 10,000 number on the first try).
  • In this scenario, all cards in production should be considered as “at risk” (same BIN, same card sequence, etc.).
  • The root cause of how these PINs were known needs to be identified/addressed prior to creating new cards (the open gap could still be active).

PIN Requirement for Redemption

RPG recommends that Shell require PIN validation at the pump for redemption.

  • Even if card sequences are known, fraudsters would not be able to make a redemption without knowing the PIN. This will make Shell less vulnerable to this type of activity.

Track 2 Data

Review track 2 data configuration to improve/add additional security to redemption process. 

  • Track 2 data can act similar to a PIN without adding friction at the pump.
  • Shift4 is already receiving Track 2 data so the infrastructure is in place.
  • Fiserv utilized Track 2 data; Shift4 does not.

Explore Other Viable Solutions

Explore other viable solutions, such as backend data configuration changes (for example, creating a 21-digit BIN for the master card in the app).

Strategic Solutions from Shift4

Continue to encourage Shift4 to provide strategic solutions.

  • As an example, for digital cards, fulfill orders with a random card number rather than the next number in the batch. RPG will need to confirm Shift4's current process to see if this is an option.

Physical Gift Card Production

WestRock Card Manufacturing has been the single source for all physical Shell Gift Card production. Shell cards were produced at their Woodridge, IL location. In addition to Shell, cards for Amazon, Google, Apple, Target, Best Buy, and Home Depot, to name a few, are manufactured at this location. WestRock also has plants in Dallas, TX and Guangzhou, China.

  • Artwork: RPG provides approved card artwork to WestRock.
  • Data Request: RPG places various data orders with Shift4 (based on channel requirements); see below.
  • Redemption Data: Shift4 sends card redemption data directly to WestRock via SFTP.
  • 3rd Party Activation Data: BHN and InComm send card activation data directly to WestRock via SFTP. WestRock merges activation/redemption data for 3rd party production.
  • Printer Data Storage: Data sits at rest on a secure server in encrypted state. 
  • Card Production: Files sent directly from server to machine for production.

RPG submitted data requests to Shift4:

  • InComm Data Order Request – 12/19/24
  • BHN Data Order Request – 12/19/24
  • Shell Dealer Data Order Request – 02/28/25
  • RPG Corp Data Order Request – 04/11/25

Digital Card Production

Digital Shell eGift Cards launched August 2023. Digital Shell eGift Card numbers are all produced and stored with Shift4. Digital card distribution goes directly from Shift4 to the recipient via a unique link in the recipient email that provides access to their card number and PIN.

  • RPG is not included on, and does not receive, any of these emails/files.

For B2B customers requesting a bulk order, Shift4 sends an Excel file via email directly to the B2B customer.

  • RPG is not included on, and does not receive, any of these emails/files.

Physical Gift Cards

RPG has access to card numbers but no access to other card data, including PINs. Consumer Physical Order Process (high-level):

  • Upon completed (paid) order on website, RPG fulfills order with in-house inventory. 
  • RPG ships inactive physical cards USPS and FedEx.
  • RPG monitors FedEx deliveries and activates cards via the Shift4 portal once delivery is confirmed. USPS orders are activated within 1-2 business days.

B2B Physical Order Process (high-level):

  • Upon completed (paid) order, RPG fulfills B2B physical orders with in-house inventory. 
  • RPG ships inactive physical cards via FedEx, UPS, and USPS to B2B customers.
  • RPG monitors FedEx deliveries and activates cards via the Shift4 portal once delivery is confirmed. USPS orders are activated within 1-2 business days.

Digital eGift Cards

RPG has access to card numbers via the Shift4 portal, but no access to other card data, including PINs. RPG is not included on, and does not receive, any emails/files with card numbers or card data.

Consumer Digital Order Process (high-level):

  • Upon completed (paid) order on the website, Shift4 sends the recipient an email that contains a unique link that provides access to their card number and PIN (in the browser).

B2B Digital Order Process (high-level):

  • Upon payment, RPG triggers the delivery via the Shift4 portal, either bulk or individual fulfillment.
  • For B2B individual fulfillment, Shift4 distributes the card directly to the recipient via an email that includes a unique link that provides access to their card number and PIN.
  • For B2B bulk fulfillment, Shift4 sends an Excel file via email directly to the B2B customer.

Questions for Shift4

  • What fraud activity has Shift4 seen on their check balance? 
  • What backend fraud service support does Shift4 have?
  • From processor experience, what solutions can Shift4 offer based on what appears to be a new BIN that has been compromised?
  • Is an algorithm utilized to generate the variable digit in the new 19-digit card number?
  • Is an algorithm utilized to generate the PIN on the new 19-digit card?

Action Requests for Shift4

  • Provide recommended solutions to support fraud mitigation.

Questions from Shell

Q: Is there any correlation to the legacy cards being mapped to Shift4 card numbers in the system (which started in Oct/Nov), and could this mean it is the Shift4 BIN that is primarily impacted, or did we see this type of fraud prior to any mapping to the Shift4 range?

A: For clarity, legacy card numbers are not mapped to Shift4 card numbers. Shift4 received the legacy card numbers from Fiserv, and they remain Fiserv numbers.

Historically there have been scenarios where card numbers were figured out based on the cards being sequential. This involved guessing the check digit. Back in 2016 there were fraud rules implemented on the Fiserv end to help mitigate card testing at the pump, along with enhancements to the RPG balance inquiry page. Together, these enhancements deterred the majority of card testing attempts. It would be virtually impossible to test card numbers on the RPG site unless the PIN was known. Based on our knowledge/analysis, the difference now is that fraudsters seem to know the PINs. Historically (prior to Shift4), this was not something we saw.

Q: For bulk orders, are we able to ship inactive and have the primary recipient call/email to activate on receipt of the shipment? If Shift4 has implemented a preventative measure to mitigate fraud on inactive gift cards, could this help?

A: For bulk orders, RPG has always had a unique process to avoid in-transit fraud on our shipments. RPG ships cards inactive and activates them upon delivery. We are integrated with FedEx automated tracking to monitor the progress of shipments and activate the cards after shipments have been delivered.

Reporting

Customer Service

SGC Customer Care Team service support increases between April - June*

Channel                       Increased By   June Numbers   Monthly Average
Customer Care Tickets         699.09%        2,661          321
Balance Error/Adjustment      211.62%        750            160
Redemption Assistance         228.44%        3,150          715
Balance Inquiries by Phone    64.72%         12,229         9,393

*Through June 28.

SGC Physical Inquiries supported by Digital Care Team between March - May

  • Calls routed through the IVR to digital card support but actually related to physical card inquiries increased by 143%. 

Replacements - Unauthorized Transactions

January            $7,465
February           $11,001
March              $100,848
April              $36,156
May                $113,705
June (thru 6/25)   $439,808

B2B Sales Impact

RPG is working closely with customers who have been impacted to date. 

This is ongoing and impact is to be determined.