CHICAGO -- Representatives from technology standards group Conexxus gave Chicago’s NACS Show 2017 attendees a sobering but informative picture of the state of cybersecurity and payments in retail.
“There is no silver bullet. It’s an effort that’s going to cost a lot of resources,” said George Rice, senior director of payments for Voltage Security and one of the speakers in the TechEdge session on managing cybersecurity hosted by Conexxus, Alexandria, Va.
The NACS Show's TechEdge education sessions gave attendees updates on new tech developments and best practices. Subjects covered in these sessions ranged from how to use software to engage the workforce to building, managing and measuring a foodservice business with technology.
In one session, Linda Toth, the director of standards for Conexxus, warned attendees that while the deadline to switch outside payment capabilities to EMV (Europay, Mastercard, Visa) security standards is not a mandate, consumers will increasingly demand the technology. Those that wait to switch to EMV could be a target for bad actors looking to take advantage of softer security.
Just encrypt it
Rice explained to attendees of the Oct. 17 session on cybersecurity that data is most vulnerable when it moves between systems. For instance, consumer information being sent from a store’s point-of-sale (POS) to the store’s IT center can be targeted and scooped up by cyber thieves with the right tools and know-how—or even by ill-intentioned employees with easier access to a store’s systems.
The solution to this problem, according to Rice, is encryption—specifically, point-to-point encryption (P2PE). Encryption scrambles the data into an unreadable code that can only be read once it reaches its destination. P2PE secures the data the entire time it moves between systems.
This is especially important for 16-digit credit-card numbers. Rice recommended systems that keep the first four to six digits of the number—the bank identification number (BIN)—and the final four digits of the credit-card number unencrypted.
This may seem counterintuitive at first glance. Why leave pieces of the data vulnerable? But bad actors need the entire number to do damage with the information, while leaving the first six and final four digits unencrypted allows the data to function in the POS without having to decrypt the complete number every time it needs to be accessed.
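The scheme Rice describes, with the BIN and last four digits left readable and only the middle digits encrypted, can be shown in a few lines. The Python below is an added illustration written for this article, not code from the session or from Voltage Security's product; the card number is the standard test value 4111111111111111, and the key and nonce are constructed sample values. The keyed digit stream built from HMAC-SHA256 is an illustrative construction only: a production deployment would use a validated format-preserving mode such as NIST FF1 or PCI-validated P2PE hardware, and the nonce must be unique per record under a given key.

```python
import hashlib
import hmac


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; a cheap sanity check before a PAN is processed."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digit_keystream(key: bytes, nonce: bytes, length: int) -> list:
    """Derive `length` uniform decimal digits from HMAC-SHA256(key, nonce || counter).
    Illustrative keyed stream only (not NIST FF1 or any standard FPE mode);
    the nonce must never repeat under one key or the middle digits leak."""
    digits = []
    counter = 0
    while len(digits) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        for b in block:
            if b < 250:         # rejection sampling: 0..249 maps evenly onto 0..9
                digits.append(b % 10)
                if len(digits) == length:
                    break
        counter += 1
    return digits


def split_pan(pan: str):
    """Return (BIN, middle, last4). The BIN (first six) routes the transaction,
    the last four go on the receipt, and only the middle needs protection."""
    return pan[:6], pan[6:-4], pan[-4:]


def protect_pan(pan: str, key: bytes, nonce: bytes) -> str:
    """Encrypt only the middle digits, keeping BIN and last four in the clear
    so the POS can route and print without ever holding a decryption key."""
    bin_, middle, last4 = split_pan(pan)
    ks = _digit_keystream(key, nonce, len(middle))
    enc = "".join(str((int(d) + k) % 10) for d, k in zip(middle, ks))
    return bin_ + enc + last4


def unprotect_pan(protected: str, key: bytes, nonce: bytes) -> str:
    """Inverse of protect_pan; only the endpoint that holds the key runs this."""
    bin_, middle, last4 = split_pan(protected)
    ks = _digit_keystream(key, nonce, len(middle))
    dec = "".join(str((int(d) - k) % 10) for d, k in zip(middle, ks))
    return bin_ + dec + last4


def receipt_mask(protected: str) -> str:
    """What the customer-facing receipt shows; needs no key at all."""
    bin_, middle, last4 = split_pan(protected)
    return bin_ + "*" * len(middle) + last4


def demo() -> dict:
    # Constructed sample values; the PAN is a standard test number, not a real card.
    pan = "4111111111111111"
    key = b"constructed-demo-key-do-not-reuse"
    nonce = b"txn-000001"       # unique per record; stored alongside the ciphertext
    protected = protect_pan(pan, key, nonce)
    return {
        "input_valid": luhn_valid(pan),
        "protected": protected,
        "routing_bin": split_pan(protected)[0],
        "receipt": receipt_mask(protected),
        "roundtrip": unprotect_pan(protected, key, nonce),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script prints the protected number, which still starts with 411111 and ends with 1111, the receipt line built from it without any key, and the decrypted round trip. The point a POS integrator should take from it is that the key never needs to leave the endpoint that decrypts: routing on the BIN and printing the last four work on the protected value as-is.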
Prepare for the worst
Another speaker at the TechEdge session on cybersecurity, Chris Lietz, principal of cyber risk for Westminster, Colo.-based Coalfire, said that conversations on cybersecurity are moving from the IT office to the boardroom, where 89% of publicly traded companies now address cybersecurity issues.
Lietz said that risk management concerning cybersecurity is vital, using the recent Equifax breach as an example. While he did not speculate on exactly what mistakes Equifax made in the handling of its breach, he said that most of its trouble was from a lack of planning and that other businesses could avoid making the same mistake if they make necessary preparations.
Even with the most robust cybersecurity operation, no business is completely immune to a data breach or cyberattack, but having the right tools can drastically lower the chances of cybercrime and improve a company’s ability to respond if struck.
Lietz said that one of the most authoritative resources for tips on proper cybersecurity standards is the National Institute of Standards and Technology, an arm of the U.S. Department of Commerce, which offers a framework for improving cybersecurity.
Read the EMV fine print
While the liability deadline to switch outside hardware over to EMV security standards has been pushed back to Oct. 1, 2020, there are some caveats. Kara Gunderson, POS manager for CITGO Petroleum Corp., Houston, went through a few of them during an Oct. 19 educational session on the state of payments and data security technology.
As of Oct. 1, 2017, businesses that hit an excessive chargeback threshold may not be eligible for the three-year EMV extension. A chargeback is when a credit-card provider demands that a retailer make good on the loss of a fraudulent or disputed transaction, so it is important that those delaying the switch to EMV pay special attention to fraud prevention.
The extension period only applies to U.S.-issued cards for some brands. This means that retailers could still be liable if customers with some foreign-issued cards are victims of fraud at one of their stores.
And just because a retailer has switched to EMV-enabled hardware does not mean they have met Payment Card Industry Security Standards Council (PCI-SSC) standards, according to Toth of Conexxus. “EMV is one layer in a multilayer approach to avoid fraud.”
Stay vigilant against skimming
“This is prevalent, and it will remain prevalent,” said Toth during the Oct. 19 session regarding the threat of skimming.
Toth said that businesses victimized by credit-card skimming could experience a loss of customer confidence, a dip in sales, a decreased reputation and more. She suggested taking advantage of the NACS WeCare program. The steps the program recommends are a good starting point for implementing proper data security best practices to reduce the risk of breaches and fraud. NACS also offers tamper-evident labels in coordination with the SkimDefend app from Pinnacle Corp., which gives operators a tool to track anti-skimming efforts at each retail location.
Toth also suggested improved hardware. The change can be as simple as improved lighting in the forecourt to make it more difficult for skimmers to tamper with the pumps without being caught. There are also secure card readers on the market, encrypted PIN pads and next-generation fuel dispensers with built-in fraud detection.