Part One of a Three Part Blog:
Understanding Data Security Challenges in the Retail Petroleum Industry
Receiving, storing, and transmitting sensitive data presents challenges for every business. One of the riskiest datasets to handle is payment card data, as it is easy to steal, sell, and use for fraudulent purchases. Due to the nature of the industry and the business model, retail petroleum organizations handle huge volumes of payment data. Petroleum retailers face some of the most complex payment card data issues, putting them in the crosshairs for data theft, fraud, and costly PCI compliance.
Thousands of Transactions a Day
Imagine a gas station with 10 two-sided stalls, or 20 pumps and accompanying pay terminals. On a busy day that one station is going to take hundreds of transactions, meaning hundreds of card swipes. For a large retailer with hundreds of these stations scattered across states, that’s tens of thousands of opportunities for payment data theft as cards are read at the pump, payment data is transmitted to the Point of Sale application in the station, routed to a payment processor, and ultimately sent to the financial back office systems at headquarters. This is, of course, in addition to the retail stores at the gas stations where consumers purchase goods and pay for services using the same POS system. At any point in the payment stream—terminals, POS, network, or financial database—a hacker can potentially siphon off payment data.
Following The Payment Stream
Understanding the path of transactions for a single retail gas station provides insight into the enormous scale of large retail petroleum organizations that operate thousands of pumps and retail stores with multiple POS systems. They are handling tremendous volumes of payment card data through their environments. Most large gas retailers with many stations are going to want to use all the collected payment data to understand patterns in consumption, the effects of price changes, and to track in-store sales. So the payment data is routed to the main ERP financial systems for analysis. In this discussion, we will focus on organizations that push payment information to headquarters for storage and analysis. It’s here too, within the corporate ERP applications, that hackers are drawn to the veritable honeypot of payment data.
What Looks Simple Is Very Complex
Dip card, pump fuel. Simple. But keeping data secure and achieving PCI compliance in just one gas station is very challenging. The automated fuel dispenser with its card dip reader, where the customer initiates the transaction, is just the first step. Between that automated fuel dispenser and the store POS, there are multiple technologies from multiple vendors, making interoperability another security hurdle. The challenge is to secure the acceptance channel starting at the payment card dip at the pump, through the POS at the station, all the way to the organization’s financial systems. Introducing a number of payment acceptance technologies into one data security plan is incredibly challenging, particularly because in the retail petroleum environment, the manufacturers of the different technologies have not kept data security top of mind.
Securing data from the automated fuel dispenser back to the store POS is only the first challenge. Then you have to look at securing the data going to headquarters through networks and firewalls. You scrutinize the security of the back office systems, such as payment servers, that are aggregating payments from the automated fuel dispensers as well as multiple store point-of-sale systems. Whenever payment data is at rest or in transit, it can be hacked—which means any time, all the time. There are a considerable number of different security controls that need to be put in place to make sure that data is not intercepted at any point.
High Employee Turnover Inhibits Security Measures
Independent of the technology in a retail petroleum organization’s data security plan are the employees embedded in the process. Gas stations and convenience stores traditionally have a high employee turnover rate. Management spends a tremendous amount of money training and getting an employee up to speed to operate the POS, understand how to solve problems at the pump, and know how to work with customers. Security training includes guidelines such as: “don’t take pictures of payment cards, don’t write them down, don’t call them in over the phone, or recite the numbers over the loudspeaker in the store or out at the pump.” These security breach behaviors are more common than you might expect. Employees also need to be able to identify pump tampering, when shimming and skimming devices are inserted at the fuel dispenser to record and transmit card data. Then the employee moves on and the training process begins again. This predictable sequence of unfortunate events means that you must always have processes and training in place to ensure that cardholder data is secure from the people, process, and technology standpoints. This adds to the complexity and cost of a data security plan, and squeezes bottom line profitability.
TokenEx Understands the Complexity of Your Environment
TokenEx prides itself on understanding each one of the technologies and processes in a retail environment—from the automated fuel dispenser, to the store point of sale system, all the way back to the financial system at headquarters. We understand how to secure each step by integrating technologies such as tokenization, point-to-point encryption, and fraud detection, to reduce risk to your business and your customer. Your environment is one of the most complex payment environments in existence today, and we can help make it secure.
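The post names tokenization as one of the controls that lets payment data leave the pump and POS without the card number itself travelling to the headquarters ERP. The following is an added illustration, written for this page and not TokenEx’s product or code, of what that looks like in practice: a small vault-style tokenizer that validates the card number with the Luhn check, replaces it with a random token that keeps only the last four digits (so receipts and consumption analytics still work), and guarantees that the upstream transaction record never carries the PAN. The card number, station ID and amounts are constructed sample values; the `TokenVault` class and its method names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token vault: the only component that ever holds a PAN.

    Everything upstream (station POS, network, HQ ERP) sees tokens only.
    """

    def __init__(self, lookup_key: bytes):
        self._lookup_key = lookup_key   # keyed hash so the PAN index itself isn't a PAN list
        self._token_by_fingerprint: dict[str, str] = {}
        self._pan_by_token: dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN; the same card always maps to the same token."""
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a valid card number")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fingerprint:
            return self._token_by_fingerprint[fp]
        while True:
            # Random leading digits, real last four preserved for receipts/analytics.
            middle = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = middle + pan[-4:]
            # Reject collisions, and reject tokens that pass Luhn so a token can
            # never be mistaken for (or used as) a live card number.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._token_by_fingerprint[fp] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can turn a token back into a PAN (e.g. for settlement)."""
        return self._pan_by_token[token]


def process_transaction(vault: TokenVault, pan: str, amount_cents: int, station_id: str) -> dict:
    """Build the record that is forwarded from the station to headquarters.

    The PAN is swapped for a token at the acceptance point; the record holds no PAN.
    """
    token = vault.tokenize(pan)
    return {
        "station": station_id,
        "token": token,
        "last4": pan[-4:],
        "amount_cents": amount_cents,
    }


def record_contains_pan(record: dict, pan: str) -> bool:
    """Defensive check a reviewer can run over forwarded records: does any field carry the PAN?"""
    return any(isinstance(v, str) and pan in v for v in record.values())


def visits_by_token(records: list[dict]) -> dict[str, int]:
    """HQ analytics on tokens alone: repeat visits per card without ever seeing the PAN."""
    counts: dict[str, int] = {}
    for r in records:
        counts[r["token"]] = counts.get(r["token"], 0) + 1
    return counts


if __name__ == "__main__":
    vault = TokenVault(lookup_key=secrets.token_bytes(32))
    sample_pan = "4111111111111111"   # constructed test PAN, passes Luhn
    records = [
        process_transaction(vault, sample_pan, 4523, "station-017"),
        process_transaction(vault, sample_pan, 3800, "station-017"),
    ]
    for r in records:
        print(r)
    print("visits:", visits_by_token(records))
```

The key design choice is that the token is consistent per card but carries no recoverable information about the card beyond the last four digits, so headquarters can still do the consumption and pricing analysis the post describes while the ERP is no longer a PAN honeypot. Detokenization stays inside the vault, which is the component the PCI scope then concentrates on.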
In part two of this three-part blog series, we’ll be talking more about data security within the retail petroleum organization and directly address payment software suites as well as the best ways to implement tokenization within the retail petroleum organization.