CSP Magazine

Are Your Customers’ Identities Secure?

If you think hackers want your customers’ credit-card numbers, think again. In Risk Based Security’s study of 2015 data breaches, the most commonly stolen type of information, by a wide margin, was passwords. Email addresses were second and usernames third.

Cyber-criminals can take personal information and apply for a wallet full of fraudulent credit cards, say officials with Conexxus, the Alexandria, Va.-based technology advisory arm of NACS. The group has in recent years advocated for a more holistic approach to data protection, one that goes beyond credit-card numbers.

“Living in the cyber-connected world, data can quickly and easily transmit anywhere at any time,” says Jarod Downing, CFO of Ricker Oil Co., Anderson, Ind. “It’s absolutely imperative that a c-store business take every precaution necessary to put in place the proper controls—the systems and the processes—to protect whatever data it collects in the course of doing business.”

It’s sound advice, but data security today can be overwhelming. Consider these ongoing issues:

Europay MasterCard Visa (EMV): Retailers are under pressure to update their in-store point-of-sale (POS) terminals and fuel dispensers to accept EMV chip cards. It is a costly endeavor; many retailers missed the October 2015 liability-shift date for in-store POS and now face the October 2017 date for fuel dispensers, after which fraud losses on counterfeit-card transactions shift to whichever party has not adopted EMV.

Fragmentation doesn’t help: Big brand names such as Shell and 7-Eleven rank high in repeat breach incidents, primarily because of the varying levels of technical sophistication among the operators within the channel, according to a study from Risk Based Security, Richmond, Va.

Skimming remains a big problem: Card skimming at fuel dispensers is statistically a larger issue for c-stores and gasoline retailers than for other merchant categories, and it ranks ahead of other data-security issues in priority.

Still, retailers juggle these higher-priority issues while marching forward with projects such as loyalty programs. Here lies the growing challenge. The two most obvious places a c-store gathers, or at the very least handles, customer information are the payment process and loyalty or other marketing and promotional programs. That’s not all: Downing says third-party providers may collect, house and manipulate customer data in a retailer’s name, often in connection with loyalty programs.

“I’d advise a retailer to have its legal counsel review the contract or contracts [involved],” he says. “You need to ensure all potential protections are in place should there be a breach of the third party’s network or a release of customer data.”

Unfortunately, much of the security burden today falls back on the retailer. “There is so much confusion through the entire c-store and petroleum market about data-security requirements,” says Shekar Swamy, president and senior security strategist for Omega, Ellisville, Mo. “[But] acquiring banks and processors have stated many times: It is the retailer who is responsible for maintaining data security at the retail chain.”

The sad truth, Swamy says, is that enlightened retailers such as Downing are not the norm. “Every year for the past seven years, the petroleum and c-store markets have been ranked very low in terms of data security,” he says. “The issue becomes more complex when you consider multibrand and unbranded marketers who may operate chains of 20 stores or more.”

In the Risk Based Security study, Houston-based Shell and Dallas-based 7-Eleven ranked No. 1 and No. 2, respectively, for companies across all channels and industries having had the most reported data-security incidents in 2015. Shell had 14 reported instances, while 7-Eleven and Charlotte, N.C.-based Bank of America had 13 each.

Other convenience retailers and oil companies making the study’s dubious list of top 12 “repeat offenders” include Laval, Quebec-based Alimentation Couche-Tard, which operates the Circle K chain; Irving, Texas-based ExxonMobil; Houston-based Marathon; and Philadelphia-based Sunoco.

According to the study “Data Breach QuickView: 2015 Data Breach Trends,” the total number of data-breach incidents were up 23% to 3,930 in 2015 from 3,192 in 2014. The number of exposed records, however, fell 33% to 736 million in 2015 from 1.1 billion the year before, the report said.

For cyber-criminals, c-stores and gas stations are ideal targets because the payment terminals built into the pumps are out of cashiers’ sight, says Barry Kouns, president and CEO of Risk Based Security. Another issue, Kouns says, is the continued use of magnetic-stripe cards at the pump, whose static track data can be copied by a skimmer and written to a cloned card, versus chip cards, together with the growing expertise of data thieves. “The attack methodology is working,” he says.

The vulnerability is palpable, Swamy of Omega says. Even a small chain of c-stores can top 1 million credit-card transactions annually, while migration to security measures such as EMV and “point-to-point encryption” is cost-prohibitive for most. The projection for adoption of EMV in this industry is well past the October 2017 liability-shift date, perhaps going beyond 2020, he says.

“Skimming incidents are on the rise,” Swamy says. “The reason is straightforward: It’s easy. Skimming technologies in use today are becoming rather sophisticated, and often it is the technician from the pump company who [must] identify the presence of a skimmer.”

Loyalty cards and ATMs are also big security issues, Swamy says: “It is easy to hack into the systems. Malware installed inside the store, somewhere on the network, is not detected because no one is watching and alerts are not being generated.”

Also, many retailers tend to avoid monitoring store networks and systems because of the expense associated with data security. Acquiring banks, a role some oil companies fill for their branded dealers, have to verify whether the chain is compliant with data-security requirements.

If not, Swamy says, the banks will impose fines.
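Generating alerts from what a store network already logs does not have to be expensive. The following is an added example, not code from the article or from any company quoted in it, of the kind of minimal egress monitor that would have caught the scenario Swamy describes: malware on a POS host phoning home while nobody watches. It assumes (all of these are assumptions, not facts from the article) that the POS and pump-controller segment is 10.10.20.0/24, that the only legitimate outbound destinations from that segment are the payment processor at 203.0.113.10:443 and the loyalty provider at 198.51.100.20:443, and that the store firewall logs each permitted outbound connection in the constructed format shown in SAMPLE_LOG. All addresses are documentation ranges.

```python
"""Minimal egress monitor for a POS segment (added example; assumptions noted below)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed network layout, not taken from the article.
POS_SEGMENT = ipaddress.ip_network("10.10.20.0/24")
EGRESS_ALLOWLIST = {("203.0.113.10", 443), ("198.51.100.20", 443)}
BEACON_MIN_HITS = 3          # same src->dst:port at least this often ...
BEACON_JITTER_SECONDS = 60   # ... with near-constant spacing = suspected beacon

# Constructed firewall log format: one line per permitted outbound connection.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw: ALLOW out src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample log: two legitimate POS connections, a POS host beaconing
# every five minutes to an unknown host, a back-office host (not policed here)
# and one more legitimate connection.
SAMPLE_LOG = """\
2016-03-01T02:00:05 fw: ALLOW out src=10.10.20.11 dst=203.0.113.10 dport=443 proto=tcp
2016-03-01T02:00:09 fw: ALLOW out src=10.10.20.12 dst=198.51.100.20 dport=443 proto=tcp
2016-03-01T02:01:00 fw: ALLOW out src=10.10.20.11 dst=192.0.2.77 dport=8080 proto=tcp
2016-03-01T02:06:00 fw: ALLOW out src=10.10.20.11 dst=192.0.2.77 dport=8080 proto=tcp
2016-03-01T02:11:00 fw: ALLOW out src=10.10.20.11 dst=192.0.2.77 dport=8080 proto=tcp
2016-03-01T02:12:30 fw: ALLOW out src=10.10.30.5 dst=192.0.2.77 dport=8080 proto=tcp
2016-03-01T02:13:00 fw: ALLOW out src=10.10.20.13 dst=203.0.113.10 dport=443 proto=tcp
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["when"] = datetime.fromisoformat(rec["ts"])
    return rec


def analyze(log_text):
    """Return alert strings: every non-allowlisted egress from the POS segment,
    plus a beacon alert for any src->dst:port pair seen regularly."""
    alerts = []
    timeline = defaultdict(list)  # (src, dst, dport) -> [datetime, ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if ipaddress.ip_address(rec["src"]) not in POS_SEGMENT:
            continue  # this monitor only polices the POS segment
        if (rec["dst"], rec["dport"]) in EGRESS_ALLOWLIST:
            continue
        key = (rec["src"], rec["dst"], rec["dport"])
        timeline[key].append(rec["when"])
        alerts.append(
            f"{rec['ts']} UNEXPECTED_EGRESS {rec['src']} -> {rec['dst']}:{rec['dport']}"
        )
    # Periodic repeats to the same unknown destination look like a C2 beacon.
    for (src, dst, dport), times in timeline.items():
        if len(times) < BEACON_MIN_HITS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= BEACON_JITTER_SECONDS:
            alerts.append(
                f"SUSPECTED_BEACON {src} -> {dst}:{dport} x{len(times)} "
                f"every ~{int(sum(gaps) / len(gaps))}s"
            )
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

In the sample the back-office host 10.10.30.5 contacts the same unknown destination but is ignored because it is outside the policed segment; in practice it would be covered by its own allowlist. The point is that an allowlist for a segment whose legitimate destinations are a handful of processors is short, and the beacon check needs nothing more than timestamps the firewall already records.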

“While it can be scary to think about all the different ways data can be stolen from your business and there’s no 100% guarantee that your system is impenetrable, there are many actions that c-store retailers can take,” says Downing of Ricker Oil:

  • Have legal counsel review all contracts to ensure the proper language is included for how cyber-related incidents will be addressed.
  • Have a third-party information technology (IT) company perform a breach audit.
  • Use third-party administrators that likely have much tighter IT cybersecurity controls in place to thwart attempted attacks on your data.

Many retailers rely on third-party providers to handle loyalty programs, Downing says. If that’s the case, ensure strong contractual language to specify data-security measures and develop plans and procedures to follow if a data breach occurs. (See related story.)

For retailers wanting to embrace loyalty, protecting customers’ personal information should rank as high as EMV and skimming, according to Matt Beale, partner with W. Capra Consulting Group, Chicago. “It’s all about consumers having faith in the brands they’re shopping,” he says.

Reprioritizing Security Issues

In a study from Risk Based Security, Richmond, Va., personal data topped the list of most stolen information in 2015.

Most stolen data by type in 2015

Credit-card number: 12.5%
Social-security number: 9.9%
Phone number: 9.2%
Date of birth: 8.5%
Medical information: 6.4%
Intellectual property: 5.8%
Financial information: 4.2%
Account numbers: 3.9%

Source: Risk Based Security
