OVERCOMING DATA SECURITY CHALLENGES IN RETAIL PETROLEUM


A TokenEx Case Study
tokenex.com

TABLE OF CONTENTS

Understanding Data Security Challenges in the Retail Petroleum Industry
  Thousands of Transactions a Day, Multiple Points of Attack
  Following The Payment Stream
  What Looks Simple Is Very Complex
  High Employee Turnover Inhibits Security Measures
EMV is More Expensive Than You Think
  The True Cost of EMV Adoption
  Hidden Costs of EMV are a Back Breaker
  EMV Doesn't Fight Fraud in the Long Run
  Shim is the EMV Skim: Petroleum Retail is Next
  Retail Petroleum Needs Layered Security to Defeat Data Theft and Fraud
Strengthen Your Security Posture by Implementing a Tokenization Solution
  Using Native Encryption Within ERP Devices Not Enough
  On-Premise Solutions Lack Security and Don't Reduce PCI Scope
  Flexible Tokenization Platform Provides Open Integration
  TokenEx Supports How You Do Business
  Tokenization Secures the Retail Petroleum Environment
  TokenEx Understands the Complexity of Your Environment

UNDERSTANDING DATA SECURITY CHALLENGES IN THE RETAIL PETROLEUM INDUSTRY

Receiving, storing, and transmitting sensitive data presents challenges for every business. One of the riskiest datasets to handle is payment card data, since it is relatively easy to steal, sell, and use for fraudulent purchases. Due to the ubiquitous presence of the industry and its 24x7 business model, retail petroleum organizations handle huge volumes of payment data and face some of the most complex payment card data issues, putting them in the crosshairs for data theft, fraud, and costly PCI compliance.

Thousands of Transactions a Day, Multiple Points of Attack

Imagine an average gas station with 10 two-sided stalls, or 20 pumps and accompanying pay terminals. On a normal day that one station is going to take hundreds of transactions; hundreds of card swipes. For a large retailer with hundreds of these stations scattered across states, that's tens of thousands of opportunities for payment data theft as cards are read at the pump, payment data is transmitted to the Point of Sale application in the station, routed to a payment processor, and ultimately to the financial back office systems at headquarters. This is, of course, in addition to the retail stores at the fueling stations where consumers purchase goods and pay for services using the same POS system. At any point in the payment stream (terminals, POS, network, or financial database) a hacker can potentially siphon off payment data.

Following The Payment Stream

Understanding the path of transactions for a single retail gas station provides insight into the enormous scale of large retail petroleum organizations that operate thousands of pumps and retail stores, often using multiple brands of POS systems. They are handling tremendous volumes of payment card data through their environments.

Most large gas retailers with many stations are going to want to use all the collected payment data to understand patterns in consumption, effects of price changes, and track in-store sales, so all payment data is ultimately routed to an ERP financial system for analysis. In this discussion, we will focus on organizations that push payment information to headquarters for storage and analysis. It's here too, within the corporate ERP applications, that hackers are drawn to the veritable honeypot of payment data.

What Looks Simple Is Very Complex

Dip card, pump fuel. Simple. But keeping data secure and achieving PCI compliance in just one gas station is very challenging. The automated fuel dispenser with card dip reader where the customer initiates the transaction is just the first step. Between that automated fuel dispenser and the store POS, there are multiple technologies from multiple vendors, making interoperability another security hurdle. The challenge is to secure the acceptance channel starting at the payment card dip at the pump, through to the POS at the station, all the way to the organization's financial systems. Introducing a number of payment acceptance technologies into one data security plan is incredibly challenging, particularly because in the retail petroleum environment, the manufacturers of the different technologies have made data security the highest priority.

Securing data from the automated fuel dispenser back to the store POS is only the first challenge. You have to secure the data going to headquarters through networks and firewalls. You scrutinize the security of the back office systems, such as payment servers, that are aggregating payments from the automated fuel dispensers as well as multiple store point-of-sale systems. When payment data is being accepted at a reader, is at rest in a database or in transit over networks, it can be hacked, which means any time, all the time. There are a considerable number of different security controls that need to be put in place to make sure that data is not intercepted at any point. And then there is the people problem.

High Employee Turnover Inhibits Security Measures

Independent of the technology of a data security plan within a retail petroleum organization are the employees embedded in the process. Gas stations and convenience stores traditionally have a high employee turnover rate. Management spends a tremendous amount of money training and getting an employee up to speed to operate the POS, understand how to solve problems at the pump, and how to work with customers. Security training includes guidelines such as: don't take pictures of payment cards, don't write them down, don't call them in over the phone, or recite the numbers over the loudspeaker in the store or out at the pump. These security breach behaviors are more common than you might expect. Employees also need to be able to identify pump tampering, when shimming and skimming devices are inserted at the fuel dispenser to record and transmit card data. Then, the trained employee moves on and the training process begins again. This predictable sequence of unfortunate events means that you must always have procedures and training in place to ensure that cardholder data is secure from people, process, and technology standpoints.

This adds to the complexity and cost of a data security plan, which constantly squeezes bottom line profitability.

EMV IS MORE EXPENSIVE THAN YOU THINK

The next security challenge for petroleum retailers will be to make the switch to new EMV chip card readers and software by October. While most retail merchants have their EMV deadline now, it's appropriate that the petroleum retailers have more time for EMV adoption because they have to address many more technologies than the standard retailer. For example, how does incorporating EMV impact the transaction flow from the automated fuel dispenser to the POS where serial connections are still used in some architectures? Ultimately, implementing EMV means that the petroleum retailer will most likely need to upgrade all technologies between the pump and the store POS, for more time and money, of course. This is just one example of the significant changes to the payment stream that need to be made to accommodate EMV.

The True Cost of EMV Adoption

Over the next few years, the true costs of implementing EMV will become painfully apparent. First, of course, petroleum retailers will have to replace the card readers at the automated fuel dispensers and the card swipes within the stores. While the cost of replacing literally thousands of readers is the first major stumbling block, the real effort is in re-engineering the entire card-present acceptance channels to accommodate the EMV transmissions. The National Association of Convenience Stores estimates the cost of re-engineering the payment acceptance stream starting at the automated fuel dispensers to be anywhere between $6,000 and $10,000 per device. One small store with just ten pumps has to invest up to $100,000 just to become EMV compliant at the fuel pump.

The supposedly positive side is that when the EMV upgrade is completed, any fraudulent purchases committed with an EMV card at the point of purchase cost the station nothing. However, most gas stations experience only $20,000 to $30,000 worth of fraud a year. That's a three-year return on investment for the new EMV devices, yet it doesn't include the downtime and lost sales while pumps are being replaced with new fuel dispensers. You also have to account for the technical consulting costs that are needed to ensure the fuel dispenser works correctly with the other technologies from the pump all the way back into the home office.

Hidden Costs of EMV are a Back Breaker

The costs being reported by nacsonline.com are basically focused on just the cost of updating the automated fuel dispenser with EMV compatibility. They don't take into account the cost of testing, implementing, re-designing, and all of the technicalities that need to take place before a successful EMV implementation is complete. Your IT department and engineers, expensive resources, will be working on the EMV transition for the next two years to ensure a very smooth rollout, because at the end of the day, automated fuel dispensers are at the very center of taking payments. In a low margin business, retail petroleum organizations want to avoid anything getting in the way of selling goods and efficiently processing payments.

EMV Doesn't Fight Fraud in the Long Run

What's even more disheartening about EMV is that it's already a deprecated technology. EMV has been around for 20 years. It was first available in the UK, Europe, and most recently Canada.

Now, it's just being rolled out in the United States and the major problem is that cyber thieves have had plenty of time to figure out how to commit fraudulent activity even with EMV protected cards. In addition, while not a burning problem for petroleum retailers who primarily deal with card-present payments, EMV does very little for card-not-present transactions, and the rate of fraud for those cases skyrocketed in Europe.

But EMV even has card-present fraud problems with the way data is transmitted. Look at the underlying design to see why. EMV devices pass some payment card information in clear text. The basic principle behind EMV is to prevent card forgery and any additional fraudulent use of an account when a card is known to be breached. This primarily protects the banks and the card issuers. The fact that some EMV transmissions are in clear text is a clear cut case of showing that the technology is faulty in dealing with today's complex acceptance channels. EMV technologies are already subject to replay attacks where hackers actually capture and replay the data that's passing from the card chip to the reader device. This replay attack is already being used where EMV has been deployed.

Shim is the EMV Skim: Petroleum Retail is Next

Most recently in Mexico, fraudsters have figured out a way to use what is called a shimming device, a card and chip reader that is physically shimmed into an ATM slot. This is similar to the skimmers that read the old payment cards' magstripes to capture bank information. Skimmers became a potent threat to retail petroleum because many of the pumps were literally out of sight from the attendants, letting the fraudsters insert the skimmers. Since the shimmers work in a similar manner, and can be furtively planted at a pump, it means the costly EMV implementation has already been defeated in one way, even before the rollout gains steam.

Retail Petroleum Needs Layered Security to Defeat Data Theft and Fraud

The retail petroleum industry has its back against the wall waiting to see if EMV sticks around. They have another two years after the general retail industry has implemented EMV to see if it is effective. But the fact that EMV has already been defeated by fraudsters in a couple of ways means that the long-term benefits are in doubt. Combine that with the ineffectiveness of EMV to thwart card-not-present fraud and the doubts double. What then, is the right path forward? If using EMV to secure payment data and your transaction environment sounds like a losing proposition, what's a winning plan?

The winning path forward is layering the technologies of tokenization, point-to-point encryption, and real-time fraud detection. To overcome the shortcomings of EMV and eliminate payment data theft and the resulting fraud, the first step is to create a secure communication payment stream, so that even though EMV transmits data in clear text, implementing a point-to-point encryption (P2PE) solution secures the data at the point the EMV chip is read. The second step after encryption is to add a layer of tokenization so that the payment data is immediately stored in a secure cloud data vault and a token returned for all additional payment processing steps.

To complete the solution, integrating a real-time fraud analysis service through the tokenization provider stops the use of already stolen payment data and breaks the cycle of payment fraud. Combining tokenization and fraud detection layers provides a complete data security solution for any organization that handles payment data.

STRENGTHEN YOUR SECURITY POSTURE BY IMPLEMENTING A TOKENIZATION SOLUTION

Simply put, as payments flow from automatic fuel dispenser or the store POS through the retail environment, you can't depend on a cobbled-together set of diverse security products that ends up slowing down payment processing. Especially in fueling stations, where the goal is to get filled up as quickly as possible, customers have limited patience with a slow payment system. Tokenization of payment data from pump to POS to back office takes milliseconds, so there is no delay for customers to pay, fill, and go. And while the petroleum retail industry has done a fantastic job of creating PCI islands that limit the number of systems that handle the payment card information, the goal should be to remove the toxic data completely, thus eliminating risk of data theft as well as reducing compliance costs.

Any system that adds additional security to the payment stream must not slow down the transaction. Adding a tokenization layer is a proven method that is non-disruptive to existing payment processing. That means customers don't notice any change, while in the background, payment card data is securely intercepted and removed from the payment stream.

Using Native Encryption Within ERP Devices Not Enough

Meanwhile, in the back office, using ERP systems such as Oracle, SAP, or JD Edwards as the foundation of payment data security relies on the native database encryption to secure data. An unfortunate aspect of using only encryption is that the data stored in the ERP database is still considered cardholder data per PCI DSS, so the scope of PCI compliance is not reduced by very much, if at all. And of course, the security of the payment data is only as good as the encryption, which has proven vulnerable time and again to sophisticated hackers.

On-Premise Solutions Lack Security and Don't Reduce PCI Scope

So if encryption is not enough to protect your cardholder data, is tokenization the best option? We would say "Absolutely!" But with one caveat. Using an on-premise solution for tokenization just creates another honeypot of toxic data within your environment that attracts hackers and fraudsters. Yes, you are passing tokens among your business systems, but the token/PAN pairing is still accessible to hackers with sufficient skill to breach your database encryption. Nobody needs to have a huge glut of cardholder data in their environment, which is exactly the result of using on-premise tokenization solutions and native ERP encryption solutions.

At TokenEx, we tell our clients to follow a simple rule: If you don't need it, don't take it. Which means that unless there is a powerful business reason to store payment card data, you shouldn't accept, store, or transmit it at all. It's time to get the data out of your environment and put it in secure cloud-based data vaults. Using a cloud-based tokenization solution like TokenEx, each PAN you receive in payment is instantly exchanged with a mathematically-unrelated token to store in your ERP instance or e-commerce database. The PANs are completely removed from your payment stream, eliminating the risk of losing any sensitive data should a breach occur.

This in turn removes almost all business systems from all but the lowest, and least costly, levels of PCI compliance.

Flexible Tokenization Platform Provides Open Integration

Retail petroleum organizations need a solution that is flexible enough to take payments from different sources, terminals, and data types. Whether it be a credit card, a fleet card, or a branded card, acceptance must be possible across multiple types of hardware at the pump, store, or service center. Therefore, it's important that your security layers be hardware-agnostic to provide as much flexibility as you need to use hardware from Ingenico to Verifone and store tokens in the back office ERPs of choice. Your tokenization layer also needs to accommodate any of the commonly used communication protocols for e-commerce, whether it be SOAP or REST, or a future standard protocol. A flexible layered security solution gives you the ability to maneuver to meet changes in technology and regulations.

TokenEx Supports How You Do Business

Naturally, a tokenization solution has to support how you do business. More critically, your tokenization provider needs to understand how your business operates and interacts with other business systems. Most of the payment security solutions that are available today don't understand how retail petroleum organizations do business, or the complexities of the environment. TokenEx understands the payment stream of retail petroleum, and can support how you do business today from real-time transactions through batch transactions. The TokenEx Cloud Security Platform acts as a central integrator among your acceptance channels and payment service providers, such as fraud detection partners. TokenEx is already integrated with over 40 payment processors, 4 of the 7 payment gateways, and many of the cutting-edge third-party support vendors. We solve the integration problem for you.

Tokenization Secures the Retail Petroleum Environment

TokenEx stands firmly behind the principles of strengthening your security posture by providing an open-integration, payment-provider-agnostic security platform. Recognizing that native encryption won't get the job done, and on-premise tokenization creates more issues without actually reducing PCI compliance, a cloud tokenization platform is the best way to reduce data theft risk and lower PCI compliance costs.

From a CSO's implementation standpoint, the first step that we at TokenEx advise is to keep your payment processes the same to minimize expensive changes to your IT architecture, and use secure batch file processing to tokenize that data and store it offsite in secure cloud data vaults. You get an instant payback by reducing both risk and compliance costs. With a cloud tokenization platform, all your payment data, whether it be transactional history from settlement or real-time transactional information that's being channeled through your payment software, is only in your environment momentarily until you send the batch file to TokenEx for vaulting. Any remittance and settlement files that are coming back from payment processors are channeled through TokenEx, so they are tokenized even before they re-enter your IT environment.

Using this type of pass-through integration, you limit your exposure to risk tremendously, because you're removing toxic data from your environment and keeping it out.

TokenEx Understands the Complexity of Your Environment

TokenEx prides itself on understanding each of the payment technologies and processes in a retail petroleum environment from the automated fuel dispenser, to the store point of sale system, all the way back to the financial system at headquarters. We understand how to secure each step by integrating technologies such as tokenization, point-to-point encryption, and fraud detection, to reduce risk to your business and your customer. Your retail petroleum environment is one of the most complex payment streams in existence today, and we can help make it secure.

TOKENEX
1350 South Boulder, Suite 1100
Tulsa, Oklahoma
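The batch-file tokenization step described above, where each PAN is exchanged for a mathematically unrelated token before the record reaches the ERP, is shown here as an added example; it is not TokenEx code. The in-memory `Vault` class stands in for the off-site vault service, and the record layout, the token format (random, same length, deliberately Luhn-invalid) and all names are assumptions; the card numbers are constructed test values.

```python
import csv
import io
import re
import secrets

# Candidate PANs: a run of 13-19 digits that is not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# Constructed sample settlement batch (hypothetical layout, test card numbers).
SAMPLE_BATCH = (
    "site,pump,card,amount,auth_ref\n"
    "0417,07,4111111111111111,42.10,9900012345678\n"
    "0417,12,5555555555554444,18.75,9900012345679\n"
    "0533,03,4111111111111111,60.00,9900012345680\n"
)


def luhn_ok(digits):
    """Luhn checksum: separates real PANs from other long numbers (e.g. auth refs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class Vault:
    """Stand-in for the off-site token vault (assumption: really a remote service)."""

    def __init__(self):
        self._by_pan = {}
        self._by_token = {}

    def tokenize(self, pan):
        if pan in self._by_pan:
            # Same card -> same token, so back-office analytics can still join on it.
            return self._by_pan[pan]
        while True:
            # Random digits: the token is not derived from the PAN in any way.
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
            # Luhn-invalid on purpose, so a token can never be mistaken for a PAN
            # by a later scan and re-running the batch job does not re-tokenize it.
            if not luhn_ok(token) and token not in self._by_token:
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token):
        return self._by_token[token]


def tokenize_batch(batch_text, vault):
    """Replace every Luhn-valid PAN in a CSV batch; return (new_text, count)."""
    replaced = 0

    def swap(match):
        nonlocal replaced
        candidate = match.group(0)
        if not luhn_ok(candidate):
            return candidate    # long number, but not a card number: leave it
        replaced += 1
        return vault.tokenize(candidate)

    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(io.StringIO(batch_text)):
        writer.writerow([PAN_RE.sub(swap, field) for field in row])
    return out.getvalue(), replaced


def residual_pans(text):
    """Verification scan: any Luhn-valid PAN still present in the text."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]


if __name__ == "__main__":
    vault = Vault()
    tokenized, count = tokenize_batch(SAMPLE_BATCH, vault)
    print(tokenized)
    print("PANs replaced:", count, "| PANs remaining:", residual_pans(tokenized))
```

Running `residual_pans` over whatever is about to be loaded into the ERP is the check that the environment holds tokens only; the 13-digit `auth_ref` values survive untouched because they fail the Luhn test.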


More information

EMV EMV TABLE OF CONTENTS

EMV EMV TABLE OF CONTENTS 2 TABLE OF CONTENTS Intro... 2 Are You Ready?... 3 What Is?... 4 Why?... 5 What Does Mean To Your Business?... 6 Checklist... 8 3 U.S. Merchants 60% are expected to convert to -enabled devices by 2015.

More information

Table of Contents. Overview. What is payment processing? Who s Who. Types of Payment Solutions. Online Transactions. Interchange Process

Table of Contents. Overview. What is payment processing? Who s Who. Types of Payment Solutions. Online Transactions. Interchange Process Overview Credit Card Processing 101 is your go-to handbook for navigating the payments industry. This document provides a quick and thorough understanding on how businesses accept electronic payments,

More information

PCI 3.0 2015 Deadline Are you Complying? Mark Cuneo. CardConnect

PCI 3.0 2015 Deadline Are you Complying? Mark Cuneo. CardConnect PCI 3.0 2015 Deadline Are you Complying? Mark Cuneo CardConnect PCI Compliance is Very Important And Very Exciting Agenda Why Do I Care? Key Changes Guidance Maintaining Inventory Penetration Testing Protect

More information

PCI Compliance for Healthcare

PCI Compliance for Healthcare PCI Compliance for Healthcare Best practices for securing payment card data In just five years, criminal attacks on healthcare organizations are up by a stunning 125%. 1 Why are these data breaches happening?

More information

EMV FAQs. Contact us at: CS@VancoPayments.com. Visit us online: VancoPayments.com

EMV FAQs. Contact us at: CS@VancoPayments.com. Visit us online: VancoPayments.com EMV FAQs Contact us at: CS@VancoPayments.com Visit us online: VancoPayments.com What are the benefits of EMV cards to merchants and consumers? What is EMV? The acronym EMV stands for an organization formed

More information

EMV and Chip Cards Key Information On What This Is, How It Works and What It Means

EMV and Chip Cards Key Information On What This Is, How It Works and What It Means EMV and Chip Cards Key Information On What This Is, How It Works and What It Means Document Purpose This document is intended to provide information about the concepts behind and the processes involved

More information

Flexible and secure. acceo tender retail. payment solution. tender-retail.acceo.com

Flexible and secure. acceo tender retail. payment solution. tender-retail.acceo.com Flexible and secure payment solution acceo tender retail payment solution tender-retail.acceo.com Take control of your payment transactions ACCEO Tender Retail is a specialized middleware that handles

More information
