Few industries have been hit harder by cyberthieves than convenience stores (C-stores) and petroleum. The data breaches of industry giants like Wawa, Shell and Hy-Vee make it clear that no gas station or C-store is safe from cyberattacks — but there are measures that businesses can take to beef up their payment security, including PCI-validated point-to-point encryption (P2PE).
From the complex and unique environment of petrol and convenience stores to the ins and outs of encryption, here’s everything you need to know about why PCI P2PE and the pump make a perfect pair.
And for a deeper dive on encryption solutions in the petroleum and convenience store industry, join us at our webinar in partnership with Connexus, “Securing Payments Across the C-Store Environment with PCI-Validated P2PE,” at 12 PM EST on April 22, 2021.
Why EMV Implementation Isn’t Enough
2020 was a tough year for cybersecurity, with the FBI receiving 300,000 more complaints about cybersecurity than in 2019. The global pandemic only made organizations more vulnerable to data breaches, and the petroleum and C-store industry was no exception. Most notably, COVID-19 forced credit card associations to shift the deadline of EMV implementation in the petroleum sector to April 2021. While the delay gave gas stations more time to adjust, it also gave hackers more time to pilfer valuable data from outdated and vulnerable mag-stripe payment systems.
The use of EMV technology is sure to bolster the petroleum sector’s cybersecurity, weeding out fraudulently cloned credit cards that rely on the magnetic stripe to pass as legitimate. But unfortunately, EMV chips aren’t enough to protect an organization’s data from a breach. To truly keep data secure, petroleum providers need to do more than prevent fraudulent transactions — they also need to protect legitimate ones.
Whereas EMV chip technology prevents hackers from using cloned credit cards, it doesn’t protect legitimate data from being stolen in the event of a data breach. PCI-validated P2PE, on the other hand, immediately encrypts payment information upon swipe, dip, tap or key into a P2PE point-of-sale (POS) device. PCI P2PE effectively devalues the data by preventing clear-text cardholder information from reaching a merchant or organization’s system or network, where it could be compromised during a breach.
While not mandated by PCI or the card associations, PCI P2PE has seen significant adoption among retailers, restaurants, healthcare organizations, higher education and more, and is currently the highest level of encryption available to protect POS payment data. The major industry exception to adoption of PCI P2PE has been the petroleum sector.
The lack of PCI P2PE adoption among fuel merchants stems from several factors, ranging from the legacy and complicated infrastructure of fuel dispensers and their associated convenience store systems to the fact that, until 2020, no true PCI-validated P2PE solution had been available for this industry.
Inherent Vulnerabilities in the Petroleum Environment
Petro and C-stores have unique and complex payment environments. Between fleet, prepaid, proprietary, access and loyalty cards and the PCI card brands, the information needed to process a transaction is complex, and some current systems need access to all card data to make those business decisions and approvals. This leaves that data in danger of exploitation and other malicious actions.
Fuel merchants also operate accompanying convenience stores, where there is a myriad of payment acceptance points — from in-store to the car wash and, now, with COVID-19, mobile and curbside pickup payments. All of these transactions pass through several points before reaching the centralized controller in the back office.
One of the biggest challenges in the petroleum space is that payments are so diverse that it is difficult to manage in-route transactions without having access to the full clear-text payment card data. Many fuel merchants have multiple brands under their banner and could have one group processing with one payment acquirer, another group processing with a different acquirer, and a third group with yet another acquirer — with each of the three having a different mix of vendors, payment terminals and more.
Why PCI-validated P2PE for the Pump?
PCI’s P2PE standard requires that payment card data be encrypted immediately upon use with the merchant’s POS terminal and cannot be decrypted until securely transported to and processed by the validated P2PE solution provider.
A PCI-validated P2PE solution is required to have the following:
- Secure encryption of payment card data at the point of interaction (POI), i.e., the payment terminal
- P2PE-validated application(s) at the POI
- Secure management of encryption and decryption devices
- Decryption done in hardware
- Management of the decryption environment and all decrypted account data
- Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection and administration
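The flow described above and in the earlier paragraph on PCI P2PE devaluing card data (encrypt inside the terminal on swipe, dip, tap or key entry; let only ciphertext reach the merchant's system; decrypt only in the solution provider's hardware environment), as an added illustration that is not code from the original post or from Bluefin. It models the POI and the provider's decryption environment as two Go objects sharing one injected AES-256-GCM key; the single static key, the `|`-separated record layout and the card values are constructed simplifications (real validated solutions typically derive per-transaction keys). The point it makes concrete is the one the EMV discussion below relies on: the merchant network never holds the PAN, expiry or cardholder name in the clear, so a breach of that network yields only ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// CardData is what a swipe, dip, tap or keyed entry yields inside the
// point of interaction (POI). Sample values used below are constructed.
type CardData struct {
	PAN        string
	Expiry     string
	Cardholder string
}

// EncryptedPayload is all that the merchant's POS, store network and
// back-office controller ever receive from the POI.
type EncryptedPayload struct {
	Nonce      []byte
	Ciphertext []byte
}

// POI stands in for a P2PE-validated terminal. Its key is injected at
// provisioning and is never readable by the merchant's software.
type POI struct{ aead cipher.AEAD }

// SolutionProvider stands in for the validated P2PE provider's hardware
// decryption environment, the only place the key is used to decrypt.
type SolutionProvider struct{ aead cipher.AEAD }

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Provision models key generation and injection: one AES-256-GCM key is
// generated and loaded into both the POI and the provider's decryption
// environment. Hypothetical simplification: real solutions typically use
// per-transaction derived keys rather than one static key.
func Provision() (*POI, *SolutionProvider, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, nil, err
	}
	poiAEAD, err := newAEAD(key)
	if err != nil {
		return nil, nil, err
	}
	spAEAD, err := newAEAD(key)
	if err != nil {
		return nil, nil, err
	}
	return &POI{aead: poiAEAD}, &SolutionProvider{aead: spAEAD}, nil
}

// Capture is what the POS invokes on card read. Encryption happens inside
// the POI, so only ciphertext crosses into the merchant's system.
func (p *POI) Capture(card CardData) (EncryptedPayload, error) {
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedPayload{}, err
	}
	plain := []byte(card.PAN + "|" + card.Expiry + "|" + card.Cardholder)
	return EncryptedPayload{Nonce: nonce, Ciphertext: p.aead.Seal(nil, nonce, plain, nil)}, nil
}

// MerchantVisible returns exactly what a merchant system (or an intruder who
// has compromised it) could log, store or read for this transaction.
func MerchantVisible(p EncryptedPayload) string {
	return hex.EncodeToString(p.Nonce) + ":" + hex.EncodeToString(p.Ciphertext)
}

// Decrypt runs only inside the provider's decryption environment. GCM's
// authentication tag also rejects payloads altered in transit.
func (s *SolutionProvider) Decrypt(p EncryptedPayload) (CardData, error) {
	plain, err := s.aead.Open(nil, p.Nonce, p.Ciphertext, nil)
	if err != nil {
		return CardData{}, errors.New("decryption failed: wrong key or tampered payload")
	}
	parts := strings.SplitN(string(plain), "|", 3)
	if len(parts) != 3 {
		return CardData{}, errors.New("malformed payload")
	}
	return CardData{PAN: parts[0], Expiry: parts[1], Cardholder: parts[2]}, nil
}

func main() {
	poi, sp, err := Provision()
	if err != nil {
		panic(err)
	}
	// Constructed test card; "4111..." is a standard non-live test number.
	card := CardData{PAN: "4111111111111111", Expiry: "1225", Cardholder: "TEST CARDHOLDER"}
	payload, _ := poi.Capture(card)
	fmt.Println("merchant network sees:", MerchantVisible(payload))
	recovered, err := sp.Decrypt(payload)
	fmt.Println("provider recovers:", recovered, err)
}
```

Running it prints a hex blob for the merchant side and the original card record only after the provider's `Decrypt`; flipping a byte of the ciphertext makes `Decrypt` fail, which is the integrity property a validated solution also needs so that a tampered transaction is rejected rather than silently processed.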
A Defense-in-Depth Approach to Security
While EMV has been hailed as a solution to protect payment data at the pump, the EMV chip does not provide any encryption for the credit card primary account number (PAN), expiration date, or cardholder name — three sensitive data elements classified as cardholder data and required to be protected according to PCI DSS.
Payment acceptance in petroleum and C-stores requires a layered security approach that includes not only EMV for card authentication but also PCI P2PE for the immediate encryption of card data. The petroleum sector must not lose sight of the need to encrypt payments as it works to meet the 2021 EMV deadline.
The Industry’s First P2PE Solution Just for Petroleum
Bluefin, the leading provider of PCI-validated P2PE and data security solutions, has been diligently working on the first-ever PCI-validated P2PE solution with industry partners that will encrypt payment data not only at the pump, but also within the C-store environment.
For more information on Bluefin’s solution, attend our upcoming webinar in partnership with Connexus, “Securing Payments Across the C-Store Environment with PCI-Validated P2PE,” at 12 PM ET on April 22, 2021.