After more than two decades in the payments industry, I’ve grown accustomed to the industry’s familiar cycle: innovation, vulnerability, exploitation, remediation... then back to innovation.
The pattern felt very real last month as I stood in the rain outside a South‑London car park watching a driver wrestle with an EV‑charging pedestal. After several futile taps, he unplugged and drove away.
Was it a glitch, or an early‑stage security control doing its job a little too well? Either way it reminded me that EV charging is now where card payments were 20 years ago: growing fast, full of promise, and riddled with avoidable security gaps.
So, what exactly makes an unattended charger such an attractive target? To answer that, we first need to dissect the threat surface.
Why your EV charger is a fraudster's dream
EV charging stations aren't just vulnerable; they're practically irresistible to those with criminal intent.
These machines blend payment processing with energy distribution, all while sitting unguarded at odd hours in poorly lit car parks. Even veteran security professionals struggle with this perfect storm of vulnerabilities.
Unlike the petrol station with its cameras and attendants, EV chargers typically operate without human oversight. Many charging stations I've inspected feature outdated hardware running unpatched software.
When researchers tested 16 commercially deployed charging systems last year, they discovered that half contained exposed services, the digital equivalent of leaving your front door wide open: SSH and HTTP interfaces reachable by anyone who takes the time to look.
My clients repeatedly encounter these issues:
- Terminal enclosures that don't adequately protect internal components
- Maintenance schedules prioritising uptime over patching
- Payment systems deployed with minimal security testing
- Staff responsible for installation with zero security training
Those cracks in the armour invite a far more sophisticated criminal than the skimmer of old. Let’s examine how modern fraudsters operate.
Today's fraudsters are smarter than you think
Gone are the days when card skimming was the primary concern. Modern attackers employ sophisticated, multi-vector approaches that target both physical and digital vulnerabilities.
One Australian charging network, Evie Networks, recently implemented new payment security protocols after experiencing significant fraud losses. They described the situation bluntly as equivalent to "filling a car with petrol and driving away without paying".
In my security reviews, I'm encountering these emerging tactics:
- Tampered QR codes that route customers to spoofed payment sites—a trend known as “quishing”
- Cable theft for copper. Seattle drivers lost at least 100 charging cables to thieves in a single 12‑month span
- Trojanised mobile apps & screen hacks that deface chargers or siphon credentials
- Relay attacks that intercept and alter authorisation messages between the charger and the back‑end
Alarmingly, many charger‑linked apps still include insecure authentication and payment flows that brick‑and‑mortar retailers solved years ago.
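The relay attack above works only if the back-end cannot tell an altered or re-sent authorisation message from a genuine one. The following is an added illustration, not code from the original article or from any charging vendor: a charger-side signer and a back-end verifier that bind each authorisation message to a per-device key with HMAC-SHA256, a timestamp window and a replay cache. The charger id, key, field names and window size are all constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed example: each charger shares a per-device key with the back-end.
# The key below is a placeholder; real deployments keep it in the terminal's secure hardware.
DEVICE_KEYS = {"CHG-0042": bytes.fromhex("11" * 32)}
REPLAY_WINDOW_S = 120          # how far a message timestamp may drift from back-end time
_seen_nonces: dict = {}        # nonce -> time first seen (replay cache; memory-only here)

def canonical(msg: dict) -> bytes:
    """Deterministic serialisation so both sides MAC exactly the same bytes."""
    body = {k: v for k, v in msg.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_authorisation(charger_id: str, session_id: str, amount_minor: int,
                       currency: str, now: Optional[float] = None) -> dict:
    """Charger side: build an authorisation request and attach an HMAC-SHA256 tag."""
    msg = {
        "charger_id": charger_id,
        "session_id": session_id,
        "amount_minor": amount_minor,
        "currency": currency,
        "nonce": secrets.token_hex(16),
        "ts": int(now if now is not None else time.time()),
    }
    msg["mac"] = hmac.new(DEVICE_KEYS[charger_id], canonical(msg), hashlib.sha256).hexdigest()
    return msg

def verify_authorisation(msg: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Back-end side: reject altered, stale or replayed authorisation messages."""
    now = now if now is not None else time.time()
    key = DEVICE_KEYS.get(msg.get("charger_id"))
    if key is None:
        return False, "unknown charger"
    expected = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
        return False, "mac mismatch"          # any altered field (e.g. amount) changes the tag
    if abs(now - msg["ts"]) > REPLAY_WINDOW_S:
        return False, "stale timestamp"       # a delayed relay of an old message
    if msg["nonce"] in _seen_nonces:
        return False, "replayed nonce"        # the same message presented twice
    _seen_nonces[msg["nonce"]] = now
    return True, "ok"
```

Note that a shared key only authenticates the message; it does not stop an attacker who has extracted the key from a poorly protected enclosure, which is why the physical hardening measures below matter just as much.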
Defending against that widening attack surface calls for controls that are both proven and practical, starting with five fundamentals that every operator can deploy today.
My own experience with fraud prevention goes back to the earliest stages of chip and PIN. I delivered the world’s first chip and PIN solution, which eliminated card skimming fraud.
In technical terms, this was the first ever EMV Level 2 Kernel.
Most leading UK retailers adopted it in early trials, and it went on to become the UK’s most widely adopted chip and PIN solution in tier 1 retail.
Since then, Polar Moment has remained at the forefront of the payments security industry, working with some of the world’s leading fraud prevention companies. Today, we partner with We Fight Fraud to continue the fight against fraudsters who seek to win.
5 pragmatic security measures that work
Despite these challenges, I'm not entirely pessimistic. Working alongside payment engineers and security specialists, I've seen practical approaches that significantly improve security posture without breaking budgets or alienating customers.
Your charging network needs these baseline protections:
1. Point‑to‑Point (End‑to‑End) Encryption: Use PCI‑listed P2PE solutions so card data is encrypted from the customer interface to the acquirer, removing clear‑text data entirely.
2. Tokenization: Replace card data with meaningless tokens so any breach yields nothing of value; Juniper Research predicts tokenised transactions will exceed one trillion by 2026.
3. Network segregation: Keep payment traffic completely separate from charger‑control traffic; PCI DSS explicitly “strongly recommends” segmentation to shrink the card‑data environment.
4. Physical hardening: Robust enclosures, tamper-evident seals, and intrusion alarms dramatically raise the bar for would-be skimmers.
5. Routine security testing: Treat penetration tests and code reviews as operational necessities, not box‑ticking exercises. In IBM’s 2024 Cost of a Data Breach study, the average incident cost was USD 4.88 million, far more than periodic testing budgets.
When discussing security budgets with charging network operators, the resistance is often financial.
However, the reality is straightforward: comprehensive security measures aren't optional. The cost of remediating a single significant breach typically exceeds multi-year security budgets.
Next-generation approaches worth watching
Despite my inherent caution regarding "revolutionary" security claims, several emerging technologies show genuine promise:
- Vehicle‑bound certificates (PKI). Public‑key certificates provisioned to the car itself shift authentication into hardware that is hard to clone or spoof.
- Smartphone biometrics. Fingerprint or facial recognition can authorise payment without exposing card data, provided privacy is handled carefully.
- Anomaly detection. Machine‑learning models that baseline normal behaviour across thousands of chargers can flag outliers in real time; recent research demonstrates the detection of adversarial behaviour in individual charging sessions.
These technologies aren't silver bullets (nothing ever is in security), but they address fundamental weaknesses in current approaches.
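To make the anomaly-detection idea concrete, here is an added example that is not part of the original article and not any vendor's product: it baselines the billed rate per kWh across a small constructed fleet of sessions using a robust median/MAD statistic, flags sessions that fall far outside that baseline (a session billed at a fraction of the tariff, for instance), and separately flags chargers with a burst of declined authorisations. The session records, charger ids and thresholds are constructed for illustration.

```python
import statistics
from collections import defaultdict

# Constructed session records for illustration (not real network data).
# amount_minor is the billed amount in pence; the fleet tariff is around 50p/kWh.
SESSIONS = [
    {"charger": "CHG-0042", "kwh": 20.0, "amount_minor": 1000, "auth": "approved"},
    {"charger": "CHG-0042", "kwh": 35.0, "amount_minor": 1820, "auth": "approved"},
    {"charger": "CHG-0043", "kwh": 10.0, "amount_minor": 490, "auth": "approved"},
    {"charger": "CHG-0043", "kwh": 40.0, "amount_minor": 2040, "auth": "approved"},
    {"charger": "CHG-0044", "kwh": 25.0, "amount_minor": 1250, "auth": "approved"},
    {"charger": "CHG-0044", "kwh": 15.0, "amount_minor": 720, "auth": "approved"},
    {"charger": "CHG-0045", "kwh": 30.0, "amount_minor": 1590, "auth": "approved"},
    {"charger": "CHG-0042", "kwh": 30.0, "amount_minor": 150, "auth": "approved"},   # billed at 5p/kWh
    {"charger": "CHG-0077", "kwh": 0.0, "amount_minor": 0, "auth": "declined"},
    {"charger": "CHG-0077", "kwh": 0.0, "amount_minor": 0, "auth": "declined"},
    {"charger": "CHG-0077", "kwh": 0.0, "amount_minor": 0, "auth": "declined"},
]

def rate_per_kwh(session: dict):
    """Billed pence per kWh, or None when no energy was delivered."""
    return session["amount_minor"] / session["kwh"] if session["kwh"] > 0 else None

def baseline(sessions):
    """Fleet-wide median and MAD of the billed rate: the 'normal behaviour' baseline.
    Median/MAD are used instead of mean/stdev so outliers do not drag the baseline itself."""
    rates = [r for r in map(rate_per_kwh, sessions) if r is not None]
    med = statistics.median(rates)
    mad = statistics.median(abs(r - med) for r in rates) or 1e-9
    return med, mad

def flag_rate_outliers(sessions, k: float = 3.5):
    """Sessions whose billed rate differs from the fleet baseline by more than k robust sigmas."""
    med, mad = baseline(sessions)
    flagged = []
    for s in sessions:
        r = rate_per_kwh(s)
        if r is not None and abs(r - med) / (1.4826 * mad) > k:   # 1.4826 scales MAD to sigma
            flagged.append((s["charger"], round(r, 2)))
    return flagged

def flag_decline_bursts(sessions, threshold: int = 3):
    """Chargers with repeated declines: a tampered reader, a probing attacker, or a plain fault."""
    declines = defaultdict(int)
    for s in sessions:
        if s["auth"] == "declined":
            declines[s["charger"]] += 1
    return sorted(c for c, n in declines.items() if n >= threshold)
```

In production the baseline would be computed per tariff band and rolling time window, and a flagged charger would feed an investigation queue rather than an automatic block, since a genuine hardware fault produces the same decline pattern as tampering.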
But no tool, cutting‑edge or conventional, will be funded or maintained unless leadership sees the commercial upside. That brings us to the numbers that really matter.
Security is a business decision, not just technical
Throughout my career, I've observed that organisations viewing security purely as a technical burden inevitably fail to protect themselves adequately. Those treating security as strategic business infrastructure fare considerably better.
Consider the customer confidence impact of security breaches. As one industry report noted, fraud prevention must strike "a balance between security and user experience that is within your comfort zone".
These questions transform security from abstract technical requirements into concrete business considerations with measurable impacts.
So, where should merchants look for a ready‑made framework that turns these principles into day‑to‑day reality? Planet offers a powerful case study.
Planet's security framework for unattended charging
During numerous client engagements, I've evaluated various payment security solutions. Planet stands out for their particularly thorough approach to securing unattended environments like EV charging networks.
Their framework addresses several persistent challenges:
- Cross-channel security visibility enables comprehensive monitoring across physical and digital transactions. This holistic perspective helps identify sophisticated attack patterns that might otherwise go undetected when examining individual channels in isolation.
- Tokenization deployment effectively removes sensitive data from vulnerable endpoints, a critical consideration for terminals in exposed locations. This approach renders stolen information essentially worthless to attackers.
- Authentication flexibility varies security requirements based on contextual risk factors, minimising friction for legitimate transactions while establishing appropriate barriers for suspicious ones.
I've been particularly impressed by Planet's practical approach to international payment operations. Their experience in managing cross-border transactions for global merchants translates effectively to EV charging networks that are increasingly spanning national boundaries.
While visiting one of their client implementations last quarter, I observed their system correctly identifying and blocking a potentially fraudulent transaction that displayed subtle anomalies other systems might have missed. This real-world effectiveness demonstrates the value of their specialised expertise in unattended environments.
The road ahead
The transition to electric vehicles represents a generational infrastructure shift. The security foundations established during this early deployment phase will significantly influence both consumer confidence and operational viability as the sector matures.
For charging network operators, payment security should be a competitive advantage rather than a compliance burden. Those implementing thoughtful, comprehensive security now will gain customer trust while avoiding the operational disruptions that inevitably follow security incidents.
Implementing effective security during this critical growth phase isn't just about preventing problems—it's about building the foundation for a trusted, sustainable EV infrastructure that can support our transition to electric mobility for decades to come.