Overcoming Major Data Security Challenges in Retail Petroleum Part 3


Part Three of a Three Part Blog:
Industry Recommendations for Implementing a Tokenization Solution

Looking back on the first two blogs in this series on the Retail Petroleum industry, I focused on the challenges of payment data security that this diverse industry faces. Chief among them is the different channels that their sensitive sets flow through, including payment and fleet card data. Then there are the multiple technologies that the industry has to deal with for not only taking the payment, but the flow of data from the pump through all the devices that take it back in to the store POS, and then on to the back office ERP systems. TokenEx integrates tokenization technologies, with point-to-point encryption and fraud detection to reduce risk at all the points in this complex payment stream.

Part two of the Retail Petroleum blog series dealt with the challenges of EMV implementation, and the hidden, and often prohibitive, costs. From recent reports from Europe, Canada, and Mexico, it’s apparent that EMV isn't as bullet-proof as originally thought. From the replay attacks that are already in progress, to the shimming devices that currently exist, and the fact that some EMV transmissions are sent in clear-text, EMV is not presenting the same type of value-add that it once did. Therefore, EMV needs a tokenization solution to prevent payment data theft and out of reach of fraudsters for card-not-present transactions.

In this third blog installment we’ll discuss how retail petroleum can add layers of security based on a flexible tokenization solution that can work with any payment provider, reduce the scope and cost of PCI compliance, and protect your business by removing toxic PCI from all points of your retail systems.

Strengthen Your Security Posture

Simply put, as payments flow from automatic fuel dispenser or the store POS through the retail environment, you can't depend on a cobbled-together set of diverse security products that ends up slowing down payment processing. Especially in fueling stations, where the goal is to get filled up as quickly as possible, customers have limited patience with a slow payment system. Tokenization of payment data from pump to POS to back office takes milliseconds, so there is no delay for customers to pay, fill, and go. And while the petroleum retail industry has done a fantastic job of creating PCI islands that limit the number of systems that handle the payment card information, the goal should be to remove the toxic data completely, thus eliminating risk of data theft as well as reducing compliance costs. Any system that adds additional security to the payment stream must not slow down the transaction. Adding a tokenization layer is a proven method that is non-disruptive to existing payment processing. That means customers don’t notice any change, while in the background, data is securely intercepted and removed from the payment stream.

Using Native Encryption Within ERP Devices Not Enough

Meanwhile, in the back office, using ERP systems such as Oracle, SAP, or JDE's a foundation of data security, relies on the native database encryption to secure data. An unfortunate aspect of using only encryption is that the data stored in the ERP database is still considered cardholder data per PCI DSS, so the scope of PCI compliance is not reduced by very much, if at all. And of course, the security of the payment data is only as good as the encryption, which has proven vulnerable time and again to sophisticated hackers.

On-Premise Solutions Lack Security and Don’t Reduce PCI Scope

So if encryption is not enough to protect your cardholder data, is tokenization the best option? We would say Absolutely! But with one caveat. Using an on-premise solution for tokenization just creates another honeypot of toxic data within your environment that attracts hackers and fraudsters. Yes, you are passing tokens among your business systems, but the token/PAN pairing is still accessible to hackers with sufficient skill to breach your database encryption. Nobody needs to have a huge glut of cardholder data in their environment–which is exactly the result of using on-premise tokenization solutions and native ERP encryption solutions.

At TokenEx, we tell our clients to follow a simple rule: “If you don’t need it, don’t take it”. Which means that unless there is a powerful business reason to store payment card data, you shouldn’t accept, store, or transmit it at all. It's time to get the data out of your environment and put it in secure cloud-based data vaults. Using a cloud-based tokenization solution like TokenEx, each PAN you receive in payment is instantly exchanged with a mathematically-unrelated token to store in your ERP instance or e-commerce database. The PANs are removed completely from your payment stream, eliminating the risk of losing any sensitive data should a breach occur. This in turn removes most all business systems from all but the lowest, and least costly levels, of PCI compliance.

Flexible Tokenization Platform Provides Open Integration

Retail petroleum organizations need a solution that is flexible enough to take payments from different sources, terminals, and data types. Whether it be a credit card, a fleet card, or a branded card, acceptance must be possible across multiple types of hardware at the pump, store, or service center. Therefore, it’s important that your security layers be hardware-agnostic to give you as much flexibility as you need to use hardware from Ingenico to Verifone and store tokens in the back office ERPs of choice. Your tokenization layer also needs to accommodate any of the commonly used communication protocols for e-commerce, whether it be SOAP or REST or a future protocol. A flexible layered security solution is going to give you the ability to maneuver to meet changes in changing technology and regulations.

TokenEx Supports How You Do Business

Naturally, a tokenization solution has to support how you do business. More critically, your tokenization provider needs to understand how your business operates and interacts with other business systems. Most of the payment security solutions that are available today don't understand how retail petroleum organizations do business, or the complexities of the environment. TokenEx understands the payment stream of retail petroleum, and can support how you're doing business today—from real-time transactions through batch transactions. The TokenEx Cloud Security Platform acts as a central integrator among your acceptance channels and payment service providers, such as fraud detection partners. TokenEx is already integrated with over 40 payment processors, 4 of the 7 payment gateways, and many of the cutting-edge third-party support vendors. We solve the integration problem for you.

Tokenization Secures the Retail Petroleum Environment

The retail petroleum industry needs a tokenization solution that conforms to the way it does business and not the other way around. TokenEx stands firmly behind the principles of strengthening your security posture by providing an open integration, payment agnostic, security platform. Recognizing that native encryption won’t get the job done, and on-premise tokenization creates more issues without actually reducing PCI compliance, a cloud tokenization platform is the best way to reduce data theft risk and lower PCI compliance costs. One step that I can advise from a CSO’s implementation standpoint, keep your payment processes the same to minimize expensive changes to your IT architecture, and use secure batch file processing to tokenize that data and store that data offsite in secure cloud data vaults. You get an instant payback by reducing both risk and compliance costs.

With a cloud tokenization platform, all your payment data, whether it be transactional history from settlement or real-time transactional information that's being channeled through your payment software, is only in your environment momentarily until you send the batch file to TokenEx for vaulting. Any remittance and settlement files that are coming back from payment processors are channeled through TokenEx, so they are tokenized even before they get to your environment. Using this type of pass-through integration, you are limiting your exposure to risk tremendously, because you're getting toxic data out of your environment on a moment-to-moment basis.

TokenEx Is Your Solution

If you have any questions or want to discuss tokenization data security for your retail petroleum organization, contact TokenEx. Use the tokenex.com website as a learning resource that features information on our products and services, client case studies, more timely blog postings, security articles, and white papers. We can empower your organization with the right data security solution. Follow us on Twitter and LinkedIn for relevant news and updates on tokenization.

Topic(s): payments , data security , PCI DSS , tokenization

Keep Up With Our PCI & Privacy Blog