Convenience-store retailers and petroleum marketers are facing a data-security shock when compared to other retailers. C-store operators are some of the most progressive U.S. businesses, providing new services at an increasing rate.
But with progress and innovation comes more challenges of data security. Not a day passes without news of another data-security breach in the retail world. This has become the new normal, at least over the past two years. It has come to the point of not if a business will get hacked, but when. C-stores and petroleum marketers can most definitely conquer the challenge by taking prudent steps.
Data security is not about spending money; it’s about risk reduction. Retailers can be compliant and still have a breach. No standard is foolproof or breach-proof. On the other hand, not doing anything about data security greatly increases the risk of a breach. At the very least, c-stores and petroleum marketers need to reduce risk by implementing good data security solutions. It is a necessary step, and it reduces complications down the road.
Taking the Right Steps
How do you step up risk reduction?
- Secure your infrastructure: This includes virtualization security, server security, sound firewalls, server hardening and two-factor authentication for all remote access to systems.
- Replace old systems: This refers to hardware and software and their compatibility. Older machines are not capable of running updated software because they need more RAM (memory), a better video card, larger hard drives and updated printer drivers. Newer software may not even install in old operating systems.
- Revisit your payment security devices: There are approved lists of payment hardware (e.g., PIN Transaction Security, published by the PCI Security Standards Council). Constant reviews and updates are required because security is a never-ending race against potential attackers. So regularly review, update and improve the security requirements used to evaluate point-of-interaction (POI) devices and hardware security modules.
- Update or replace software technologies: This includes software and versions for antivirus, anti-malware, firewall, network, email, Internet security, password managers, corporate security and all mobile devices to cope with wireless intrusion detection and prevention.
- Examine your card-data environment (CDE): The CDE would include computer systems or a network of systems that processes, stores or transmits card data, and authenticates data; and all other components or devices that support this network.
- Have a long-term strategy as a goal to work toward: While the above are being done, keep in mind that the goal is to stay ahead of attackers. So constantly evaluate data-protection strategies. A big portion of data security is people; train staff to follow policies and guidelines, and make them a part of your organization’s culture.
- Make short-term improvements for safeguarding data into the future.
Short-term steps could be:
- Following password policies. It would include basic rules such as not writing down passwords, not using generic passwords, not sharing passwords, and changing passwords every 30 to 60 days.
- Performing recommended software updates and patches.
- Using approved POS versions.
- Segmenting POS systems.
- Performing external and internal vulnerability scans.
Data Security vs. Data Breaches
To think that spending money on data security will not produce returns is not true. Retailers will not see returns on it—much like a home security service—except when they know that someone tried to get in and decided not to. Retailers with no data security and no insurance protection face the highest risk. This may be acceptable to some retailers, but clearly it is not prudent to carry on without implementing good data security solutions and practices.
With breaches increasing nationally, data security and risk reduction cannot be ignored. Data security should always be the starting point for businesses of any size.
And then you have compliance. Payment Card Industry Data Security Standards (PCI DSS 3.0) is now focused more on continuous compliance. This means ongoing data security for ongoing compliance. Merchants who process 1 million transactions of MasterCard or Visa annually are required to validate compliance using a qualified security assessor or certified internal security assessors. To be sure, all merchants regardless of their size are expected to follow PCI standards.
Follow the plan described above and you will be one of those retailers who makes it too difficult for a hacker, and the enemy will move on to the next vulnerable target.