The massive data breach suffered by Target last December continues to be a sobering wake-up call for every business that accepts credit and debit cards for payment, including convenience store and gas station operators. The financial impact on Target won’t be fully known for months or even years, but the damage to its reputation may be even more serious. With more than 70 million Target customers affected, how many shoppers nationwide are still wondering, “Is it safe to shop at Target?”
The petroleum/convenience store industry cannot afford to postpone taking action to improve data security. I called attention to the industry’s unique vulnerabilities in the April and June 2010 issues of this publication, but very little has been done to ensure customer safety and prevent the kind of financial and reputational damage Target is now facing.
And how do I know what Target is facing? In 2008, my company was the target of one of the largest security breaches ever. At the time, we thought we were doing a great job protecting our customers’ data, given that we were operating at or above industry standards. The hackers found a way in—and that breach almost put us out of business and cost us more than $140 million.
The simultaneous three-part solution I proposed for the petro industry (and every other industry) four years ago is still the best solution available, so let’s review.
Part One: EMV
The first step is EMV (for Europay, MasterCard and Visa): chip cards that help fight fraud at the physical point of sale by verifying that the presented card is genuine. The smart-card chip contains dynamic data that is validated in a more secure manner than the static data of a magnetic stripe. The data is always changing, which makes the card data harder to counterfeit. In the wake of the Target breach, Visa and MasterCard announced they would lead an industrywide group to focus on universal implementation of EMV. The intent is to make debit and credit cards safer by storing personal information on computer chips rather than magnetic stripes. Visa and MasterCard have announced schedules for shifting fraud liability to merchants who do not incorporate EMV capabilities: October 2017 for pay-at-the-pump (PATP) locations.
This is a good first step. Unfortunately, it is not enough to prevent future attacks by sophisticated hackers. No single countermeasure is enough. To have the best chance of preventing what happened to us—and Target—a three-part process implemented and working in tandem is needed. For instance, EMV would not have prevented the problem for Target because the theft occurred as a result of malware in the POS that interfaces with Target’s signature pad payment devices. The malware was stealing data from credit-card magnetic stripes before the POS host computer could encrypt it.
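The difference between a chip's changing data and a stripe's static data, described in Part One, can be shown with a simplified model. This is an added example, not code from the article or from any card scheme: HMAC-SHA256 stands in for the real EMV cryptogram, and the class names, fields and test card number are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def _mac(key, pan, atc, amount_cents, nonce):
    # HMAC-SHA256 stands in for the real EMV cryptogram algorithm (assumption).
    msg = f"{pan}|{atc}|{amount_cents}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()

class ChipCard:
    def __init__(self, pan, key):
        self.pan, self._key, self._atc = pan, key, 0  # key stays inside the chip

    def sign(self, amount_cents, terminal_nonce):
        self._atc += 1  # transaction counter, never reused by this card
        mac = _mac(self._key, self.pan, self._atc, amount_cents, terminal_nonce)
        return {"pan": self.pan, "atc": self._atc, "amount": amount_cents,
                "nonce": terminal_nonce, "mac": mac}

class Issuer:
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def issue(self, pan):
        self._keys[pan], self._last_atc[pan] = secrets.token_bytes(32), 0
        return ChipCard(pan, self._keys[pan])

    def authorize(self, txn, terminal_nonce):
        key = self._keys.get(txn["pan"])
        if key is None or txn["nonce"] != terminal_nonce:
            return False  # not computed for this terminal's challenge
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return False  # counter already seen: replayed data
        expected = _mac(key, txn["pan"], txn["atc"], txn["amount"], txn["nonce"])
        if not hmac.compare_digest(expected, txn["mac"]):
            return False  # amount or other signed field was altered
        self._last_atc[txn["pan"]] = txn["atc"]
        return True

def demo():
    issuer = Issuer()
    card = issuer.issue("4111111111111111")  # constructed test number
    nonce = secrets.token_bytes(4)
    captured = card.sign(2500, nonce)
    genuine = issuer.authorize(captured, nonce)
    replay_new = issuer.authorize(captured, secrets.token_bytes(4))
    replay_old = issuer.authorize(captured, nonce)
    tampered = issuer.authorize({**card.sign(2500, nonce), "amount": 999999}, nonce)
    return genuine, replay_new, replay_old, tampered
```

Only the first presentation is approved; a copied record fails because it answers an old challenge with a used counter, which is exactly what a copied magnetic stripe cannot be made to fail.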
Part Two: E3
A critical step in safeguarding your data is deploying end-to-end encryption, or E3 for short. (E3 is a trademark of Heartland Payment Systems.) With E3, a card’s data is virtually never in a readable form. From the moment it is swiped, through authorization, card data is always protected and never in a form that can be read outside of the processing system. But the important point here is encryption from end to end. Whenever the data is decrypted at any point in the process, it is vulnerable to theft. Unfortunately, the sensitive data must be decrypted and re-encrypted with different keys along the path. This process must take place in a hardware security module (HSM), much as PINs are processed at ATMs.
ATMs and many retail PIN pads today have tamper-resistant security modules (TRSMs) and use either triple data encryption standard (TDES) devices or more sophisticated AES algorithms. The only place where data is not encrypted is a very short wire—1 or 2 inches at most—inside the hard shell device that connects the card read heads with the encryption mechanism. There are no reports to date of electronic skimming devices successfully capturing data from these short wires.
Unfortunately, most c-stores and gas stations do not have encryption capabilities in their unattended fuel payment devices, which include a basic card reader in the dispenser (CRIND). Instead, card data is typically encrypted by software in the pump control computer, typically located inside the store or office. The transmission lines carrying unencrypted (readable) card data from the CRIND to the pump-control computer are long enough to make them vulnerable to skimming devices.
More recently, credit-card data is being stolen at gas pumps by installing a skimming device at the read head itself, which is housed in a relatively unsecure CRIND. EMV would mitigate the practice of skimming at the pumps that we face today, and so would better key/lock systems for the CRIND. Some gas station CRIND keys are still virtually universal and can open most dispensers!
Part Three: Tokenization
Finally, “tokenization” should be required to protect the historical card data once a transaction is authorized. It essentially puts substitute information, or a token, in the place of the real card and transaction information stored in a merchant’s computer system. So if the system is compromised and tokens are taken, they have no real value in the outside world unless the host system is also compromised.
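The substitution described in Part Three, as an added example that is not from the article or from any vendor's product: a processor-side vault issues random tokens, and the merchant's records hold only those tokens. The class names, the leading "T", keeping the last four digits and the test card number are all assumptions made for illustration.

```python
import secrets

class TokenVault:
    """Processor-side vault: the only place a token maps back to a card number."""
    def __init__(self):
        self._pan_by_token, self._token_by_pan = {}, {}

    def tokenize(self, pan):
        if pan in self._token_by_pan:           # same card -> same token, so the
            return self._token_by_pan[pan]      # merchant can still match repeat sales
        while True:
            # Random digits with no mathematical link to the PAN. The leading "T"
            # keeps a token from passing as a card number; last four kept for receipts.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 5))
            token = "T" + body + pan[-4:]
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token], self._token_by_pan[pan] = pan, token
        return token

    def detokenize(self, token):
        return self._pan_by_token[token]        # KeyError for unknown tokens

class MerchantStore:
    """What the merchant keeps after authorization: tokens and amounts only."""
    def __init__(self, vault):
        self._vault, self.records = vault, []

    def record_sale(self, pan, amount_cents):
        token = self._vault.tokenize(pan)       # PAN is not retained past this call
        self.records.append({"card": token, "amount_cents": amount_cents})
        return token

def records_expose_pan(records, pan):
    """Check whether a copy of the merchant's stored records reveals the real PAN."""
    return any(pan in str(r) for r in records)

def demo():
    vault = TokenVault()
    store = MerchantStore(vault)
    pan = "4111111111111111"                    # constructed test number
    t1 = store.record_sale(pan, 4200)
    t2 = store.record_sale(pan, 1899)
    return {"token": t1, "stable": t1 == t2,
            "pan_in_records": records_expose_pan(store.records, pan),
            "vault_recovers": vault.detokenize(t1) == pan}
```

The merchant's records alone never yield the card number; only the vault can map a token back, which is why the article's caveat about the host system being compromised still applies.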
The Industry’s Call to Action
These three steps range from the most obvious—making sure the card is legitimate—to never allowing the card data to be in the clear throughout the transaction and making sure it is stored in a way that is unusable to hackers. They are the most critical elements for creating a truly secure payment system.
On the security-solutions side, industry partners need to work together to develop the most cost-effective solution possible for all merchants. Hardware/software vendors and the payment-processing industry need to work together to create the most economical way to effectively combat data theft and fraud. No one currently has a solution that includes all of these features for PATP. Such a solution needs to be developed.
As for petroleum merchants, it’s time to stop thinking in simple terms of comparing the cost of fraud losses vs. the cost of installing the necessary data security technology. If you believe that requiring a PIN with your magnetic-stripe system provides as much security for less cost vs. an EMV card system, then install a PIN system! Your reputation is at stake, so accepting the liability of fraud losses, as many petro companies do, is not a good bargain. Combining a simultaneous EMV, E3 and tokenization system in PATP locations will enable you to leapfrog existing security architecture and give your customers peace of mind when they buy from you.
Fighting this battle isn’t cheap, which is why there will be some resistance to this three-part process in the petroleum industry and many others. Unfortunately, data theft and fraud are ongoing threats that could strike your company at any time—I know! So the question to ask is not how much improved security will cost now, but what the cost would be if millions of consumers started wondering, “Is it safe to buy at …?”