Outdoor EMV helped defray fraud, but what about improving security and protecting cardholder data for petroleum marketers?

For petroleum marketers and convenience store operators now on the other side of Outdoor EMV implementation, payments at the pump seem more secure and less prone to fraud. This view is only partly true, however: committing fraud with a stolen card is now more difficult, but sensitive payment data (i.e., credit card account numbers) is both more vulnerable and more under attack than ever before. Outdoor EMV compliance has brought new devices like outdoor payment terminals (OPTs) on automated fuel dispensers (AFDs) onto IP-based networks, creating new opportunities for attackers to exploit systems that have yet to be hardened against black hat activity.

Patrick Raycroft, Convenience and Energy Lead at W. Capra, posited, “The petroleum industry, and especially automated fuel dispensers, have always faced security challenges. Solutions for protecting cardholder data are often complex, expensive, and difficult to test, implement, and manage.  However, at this moment, petroleum payment card systems are under attack now more than ever before. When it comes to payments data across all retailers, retail petroleum has often been the slowest in the herd to implement more robust data security capabilities, thus making them ripe targets.” 

One of the most robust ways to improve the security posture around payment cardholder data is to implement point-to-point encryption (P2PE). Raycroft further stated, “Point-to-point encryption does just that–it encrypts cardholder data and ensures it is never traversing your environment in the clear. It’s not a silver bullet or the final solution to all security needs, but it renders cardholder data unusable and prevents it from becoming part of a potentially expensive and explosive data breach.”

While there is industry fatigue following the investment and effort of implementing Outdoor EMV, further security solutions like point-to-point encryption are still needed to avoid the financial and public relations impact of potential breaches. Raycroft added, “The cost of not taking action will be significantly higher than any project to implement something like point-to-point encryption, even with the complexity therein.” 

Implementing point-to-point encryption may seem like a daunting project to take on, given the complexities of software availability, the disparate fuel dispenser types in play, and considerations like fleet or local loyalty programs and the need for some data to still flow without encryption. “As with any program, working with partners/experts in industry to clearly design, plan, test, implement, and define operations is critical. It’s impossible to answer the questions you may not know to ask,” Raycroft maintained.

Patrick Raycroft is dedicated to helping W. Capra clients navigate these paths and implement solutions. For further discussion, contact Patrick at ptraycroft@wcapra.com.
