EMV is More Expensive Than You Think
As discussed in the previous blog posting, with the sheer amount of transactional data flowing through retail petroleum industry environments, data security presents a challenging series of initiatives to overcome. With multiple technologies touching the payment stream—from the automated fuel dispenser to the store POS and all the way back to the financial systems at headquarters—every point where payment data is entered, stored, transmitted is a security risk that hackers can attack to siphon off valuable payment and even personally identifiable information (PII). Retail petroleum chains often include stores and services, which add additional points of payment capture that are subject to employee security risks. Constant training is needed to keep the entire ecosystem secure as thousands of transactions a day flow from pump to store to back office. There are many technical, people, and process challenges with data security within the retail petroleum industry. Soon EMV cards will add another costly layer to the security mashup.
Countdown to EMV Adoption
The next security challenge for petroleum retailers will be to make the switch to new EMV card readers and software by October 2017. While most retail merchants have their EMV deadline now, it’s appropriate that the petroleum retailers have another year for EMV adoption because they have to address many more technologies than the standard retailer. For example, how does incorporating EMV impact the transaction flow from the automated fuel dispenser to the POS where serial connections are still used in some architectures? Ultimately, implementing EMV means that the petroleum retailer will most likely need to upgrade all technologies between the pump and the store POS–for more time and money, of course. This is just one example of the significant changes to the payment stream that need to be made for EMV.
The True Cost of EMV Adoption
Over the next two years the true costs of implementing EMV will become painfully apparent. First, of course, petroleum retailers will have to replace the card readers at the automated fuel dispensers and the card swipes within the stores. While the cost of replacing literally thousands of readers is the first major stumbling block, the real effort is in re-engineering the entire card-present acceptance channels to accommodate the EMV transmissions. The National Association of Convenience Stores estimates the cost of re-engineering the payment acceptance stream starting at the automated fuel dispensers to be anywhere between $6,000 and $10,000 per device. One small store with just ten pumps has to invest up to $100,000 just to become EMV compliant at the fuel pump. The supposedly positive side is that when the EMV upgrade is completed, any fraudulent purchases committed with an EMV card at the point of purchase costs the station nothing. However, most gas stations experience only $20,000 to $30,000 worth of fraud a year. That’s a three-year return on investment for the new EMV devices, yet it doesn’t include the downtime and lost sales while pumps are being replaced with new fuel dispensers. You also have to account for the technical consulting costs that are needed to ensure the fuel dispenser works correctly with the other technologies from the pump all the way back into the home office.
Hidden Fees Are the Back Breaker
The costs being reported by naxonline.com and ACSonline.com, are basically focused on just the cost of updating the automated fuel dispenser with EMV compatibility. They don't take into account the cost of testing, implementing, re-designing, and all of the technicalities that need to take place before a successful EMV implementation is complete. Your IT department and engineers—expensive resources—will be working on the EMV transition for the next two years to ensure a very smooth rollout, because at the end of the day, automated fuel dispensers are at the very center of taking payments. In a low margin business, retail petroleum organizations want to avoid anything getting in the way of selling goods and efficiently processing payments.
EMV Doesn’t Fight Fraud in the Long Run
What's even more disheartening about EMV, is that it’s already a deprecated technology. EMV has been around for 20 years. It was first available in the UK, Europe, and most recently Canada. Now, it's just being rolled out in the United States and the major problem is that cyber thieves have had plenty of time to figure out how to commit fraudulent activity even with EMV “protected” cards. In addition, while not a burning problem for retailers who primarily take card-present payments, EMV does very little for card-not present transactions, and the rate of fraud for those cases skyrocketed in Europe. But EMV even has card-present fraud problems with the way data is transmitted. Look at the underlying design to see why.
EMV devices pass some payment card information in clear text. The basic principle behind EMV is to prevent any additional fraudulent use of an account when a card is known to be breached. This primarily protects the banks and the card issuers. The fact that EMV transmissions are in clear text is a clear cut case of showing that the technology is faulty in dealing with today’s complex acceptance channels. EMV technologies are already subject to replay attacks where hackers actually capture and replay the data that's passing from the card chip to the reader device. This “replay attack” is already being used where EMV has been deployed.
Shim is the EMV Skim – Petroleum Retail is Next
Most recently in Mexico, fraudsters have figured out a way to use what is called a shimming device, a card and chip reader that is physically shimmed into an ATM slot. This is similar to the skimmers that read the old payment cards’ magstrips to capture bank information. Skimmers became a potent threat to retail petroleum because many of the pumps were literally out of sight from the attendants, letting the fraudsters insert the skimmers. Since the shimmers work in a similar manner, and can be furtively planted at a pump, it means the costly EMV implementation has already been defeated in one way, even before the rollout gains steam.
Retail Petroleum Needs Layered Security to Defeat Data Theft and Fraud
The retail petroleum industry has its back against the wall waiting to see if EMV sticks around. They have another two years after the general retail industry has implemented EMV to see if it is effective. But the fact that EMV has already been defeated by fraudsters in a couple of ways, means that the long term benefits are in doubt. Combine that with the ineffectiveness of EMV to thwart card-not-present fraud and the doubts double. What, then, is the right path forward?
If using EMV to secure payment data and your transaction environment sounds like a losing proposition, what's a winning plan? The winning path forward is layering the technologies of tokenization, point-to-point encryption, and real-time fraud detection.
To overcome the shortcomings of EMV and eliminate payment data theft and the resulting fraud, the first step is to create a secure communication payment stream, so that even though EMV transmits data in clear text, implementing a point-to-point encryption (P2PE) solution secures the data as the point the EMV chip is read. The second step after encryption is to add a layer of tokenization so that the payment data is immediately stored in a secure cloud data vault and a token returned for all additional payment processing steps. To complete the solution, integrating a real-time fraud analysis service through the tokenization provider stops the use of already stolen payment data and breaks the cycle of payment fraud. It’s a complete data security solution for all organizations that handle payment data.
In the third part of this three-part blog series on securing the petroleum retail, we’ll be describing the benefits of implementing a layered security model combining tokenization, P2PE, and real-time fraud detection.
For more information on how to secure your EMV solutions, contact firstname.lastname@example.org, we invite you to peruse the informational pages at TokenEx.com, and follow us on Twitter and LinkedIn for up-to-date news on data security.