Thanks to a tax fraud investigation last year, Illinois got the unhappy news that 27 percent of gas station operators had pocketed state and local sales taxes on gasoline over the previous four years. Some were bold enough to skim as much as $1 million a year.

Sales tax evasion a la skimming has been with us for a long time. Storekeepers turn off the register for a few transactions, and restaurants sometimes fail to count all the cash they take in. Ditto with gas stations. It takes a toll on the $226 billion a year in sales taxes collected.

That toll may be growing as a more sophiscated approach to skimming takes hold. It's done through tax zappers, which entails inserting a jump drive or memory stick into a cash register and running a software program that allows the retailer to pocket some of the sales taxes consumers have paid in an efficient and seamless way. Fighting back against zapping has become a crusade of sorts for Richard Ainsworth, a Boston University professor who specializes in sales taxes. Last year, Governing's Ryan Holeywell wrote about the zapper problem and Ainsworth's early attempts to alert states to the problem.

Since then, Ainsworth has written a new paper on the subject, An American Look at Zappers, in which he claims the U.S. lags behind most other countries in the pursuit of zapping. "Neither federal nor state auditors systemically target this area," he writes, adding that "this is changing, and the change is coming from the state side."

I caught up with Ainsworth to find out what states are doing about it and for an update on what states need to know about tax zapping. Below are highlights from our conversation.

On following the zapper trail: The real problem is not the manufacturer of the cash register, but the salesman or installer. They'll tell the retailer, "I can make this work for you so you don't have to record every sale. And when there are programming changes in this machine -- when Microsoft has to put in advances in the software -- I'll come out and re-do the zapper and make sure it works." If the zapper is really good, it will be almost impossible to find by a computer forensic person. In one sense, if I own a restaurant on Main Street and 10 restaurants nearby all have a zapper, I'll be out of business if I don't install it. If a fraud gets so significant in a marketplace, sometimes it's not completely the fault of the person who adapts later on. The installer is the problem.

On how to catch a thief: You could set up a sting. Take over a place where a restaurant has just closed and let it be known you're opening a new restaurant and buying all new equipment, including cash registers. Then you wait. New York did this four times. The results: 80 percent of [the cash register salesmen] coming in the front door were selling suppression devices. That gives you a rough measure of how infected the marketplace is. What happens is, they'll be so eager to show you how the zapper operates that by the time they're done, it will be like a training program on how to spot a zapper.

On cash versus credit card: Years ago, when mom and pop ran a restaurant, it was one for the pocket, one for the register. Skimming was traditionally a cash problem. Now, a lot of transactions are by credit card. When you buy something, the transaction is run through a terminal and we assume the money is taken out of the customer's account and placed in the bank account of the business. But credit card transactions can be switched out and sent to the personal bank account of the business owner -- the zapper can eliminate the sale. It might lead to inventory problems for the retailer and possibly income tax questions, like where did that individual get that money in his account?

It's not just a sales tax loss: States lose sales tax revenue because sales are zapped out. But zapping also lowers income tax on the business. Instead of gross sales of, say $1,000, they're $800. It vitiates the entire system. There's a 50 percent to 80 percent infection rate. The playing field is so unlevel. It's the obligation of government to level the playing field. Don't raise taxes. There is sufficient money out there.

It's a state-by-state solution: Other countries have a VAT [value-added tax] at the national level. But here, it's up to individual states. Big enforcement measures are pulling a business license. The feds can't do that. It's a local problem for local enforcement, but locals are cutting budgets. There needs to be a state-coordinated effort. We now have five state laws and another eight or nine coming soon. Oklahoma recently passed a bill prohibiting sales of suppression devices. Illinois has been holding hearings. The Connecticut House passed a bill. It's not difficult legislation to pass. There's no opposition to it. The National Restaurant Association supports it. In many of these bills, the penalties are on the installer. Georgia did it the right way: You've got to have the penalty in place before you find the installer. New York, with its stings, did it backwards. It found the installers but had no penalty in place.

On European concerns: There is a lot of concern about zappers making it to the cloud. Portugal reported six cases where zappers were being updated from the cloud. You buy the machine, you get the zapper and every time there's a change in the software program, it's updated from the cloud. Once it goes to the cloud, the ability to find the guy walking in the door is more difficult.