Enhancing Cybersecurity at Your C-store

Big or small, a data breach is a real concern to any retailer. The magnitude of technology that supports online retailing, increases in the number of transactions processed and the rise in stored data make retail a major target for cybercriminals. Ultimately these attacks can negatively impact brand reputation, customer confidence and the retailer’s bottom line. 

“The franchise and brand risk that goes with not being exceptional in this space is so much greater than the actual financial damage. It’s the reputational damage, which is uninsurable,” Guy Chiarello, president Atlanta, Ga.-based First Data, a payment technology and services provider, said at a First Data Cybersecurity Symposium.

During 2014, cyber attackers stole more than 61 million records from retailers, and there was a 43-percent increase in records reported compromised compared with 2013, Armonk, N.Y.-based IBM Security researchers reported.

Moreover, the average cost of cybercrime for U.S. retail stores more than doubled from 2013 to an annual average of $8.6 million per company in 2014, according to the “2014 Cost of Cyber Crime Study: United States,” a report from Traverse City, Mich.-based Ponemon Institute that was sponsored by Hewlett Packard Enterprise Security.

A Call for Collaboration

For the convenience store industry, increased information sharing and stronger layers of protection are essential defenses in combating the types of cybercrimes that have made headlines in recent years.

To facilitate collaboration, NACS, the Association for Convenience & Fuel Retailing, recently joined forces with retailers, banks, credit card companies, security and technology vendors and others to form the Merchant Financial Services Cybersecurity Partnership. The partnership will focus on exploring paths to increased information sharing, better card security technology and maintaining the customers’ trust.

“What we have recognized is that every industry is vulnerable to cyber thieves. Everybody is being breached,” said Paige Anderson, NACS' director of government relations. “What we are also finding is that there is a lack of information sharing. The ultimate goal of the group is to recognize that we are all in this together, so let’s work on finding solutions together.”

A Push for Stronger Credit Card Security

While Anderson noted that the c-store industry does not store a lot of data besides employee records, she acknowledged that the use of electronic payment networks opens a door through which credit card information can be stolen.

To strengthen retailers’ line of defense, NACS has lobbied for chip-and-PIN (personal identification number) technology instead of magnetic stripes to authenticate payment transactions. Anderson expressed NACS’ disappointment in the limitations of the newly enhanced Payment Card Industry Data Security Standards (PCI DSS) mandates.

PCI DSS version 3.0 sets an October 2015 deadline for U.S. banks and card companies to switch to chip-enabled cards with embedded computer chips that make them more difficult to duplicate. The mandates do not, however, require PINs to be issued with the new credit cards. The more advanced chip-and-PIN technology, widely used in Europe, Australia and Canada, would have provided an added level of security, said Anderson.

“We believe that just requiring a PIN number would make consumer data safer,” she said. “A lot of our c-store members have implemented a requirement to put in a zip code at the point of purchase. That is just an added layer of security and stores doing that have seen a significant drop in credit card fraud.”

Anderson likened the increased security of requiring credit card PIN numbers to debit card PINs. “Unfortunately, as we get improved technology into the marketplace, we are not putting the safest standards in place to go along with the improved technology,” she said.

“We want to have safe systems because we want the consumer to feel safe. Having a secure system is a win-win for everybody,” Anderson added. “As technology gets better, thieves get smarter. They are always looking for ways to get around the system. We don’t want any vulnerable links in our chain of payment.”

Small Operators, Big Challenges

While NACS represents more than 151,000 c-stores nationwide, about 60 percent of its members are single-store operators who are often exposed to greater cybersecurity vulnerabilities, Anderson noted.

“Your larger chains that have hundreds of stores are going to have more sophisticated data security systems in place,” she said.

The NACS/Conexxus WeCare Data Security Program helps small operators achieve a base level of data security without incurring significant costs by providing simple guidelines and best practices to help reduce the risk of breaches.

For example, skimming devices installed where customers swipe their cards to pay at the pump are a common threat c-store retailers face. The skimmers can copy account data from the card’s magnetic strip, along with a PIN if it is typed in for a debit card transaction.

NACS offers tamper-evident WeCare decals that can help retailers identify potential security breaches if skimming devices are inserted at fuel dispensers or other unattended PIN-entry devices. The security labels are to be used on any access door and are designed to span access door and terminal body. If the label is lifted to insert a skimming device, a "void" message appears on the label, providing a visual alert to store employees so additional action can be taken. The decals represent just one more layer of defense in a c-store retailer’s cybersecurity plan.

“As far as breaches go and attempted hacks go, we are definitely seeing an increased wave. It is a day to day,” Anderson said. “The question is how far the thieves are able to get into the system. That has depended upon the company.”