Cyberattacks on gas stations and convenience stores (C-stores) have spiked over the past several years. The industry has become an increasingly attractive target because of the diverse customer information stored in fuel merchant systems and its numerous payment acceptance points.
It doesn’t help that the fuel industry has also been slow to adopt payment security technologies and practices — partly because of its complicated payment infrastructure. In 2020, 40% of midstream oil and gas companies reported an attempted or successful data breach, but only 7% updated their written security policies.
As of April 2021, gas stations and C-stores in the U.S. are required to comply with Europay, Mastercard, and Visa (EMV) technology. This means establishments must use systems that accept EMV cards, which have an embedded chip to secure payments. But with data breach and compromise numbers soaring, transactions at these establishments are not always as secure people might think.
The complex fuel payment infrastructure
Since the petroleum payment infrastructure and its technology were introduced nearly 30 years ago, the industry has been slow to evolve alongside regulations. Processing and routing transactions has become more complicated than in other industries for a few reasons:
- More card types: Fuel payment systems accept multiple card types, including gift cards, proprietary cards, Fleet and loyalty cards.
- More payment acceptance points: Most fuel merchants have an accompanying C-store, which creates various payment points — from the fuel pump, car wash and in-store purchases to a mobile order or kiosk.
- More players involved: There are several stakeholders involved that make gas station transactions possible (e.g., card issuers, point-of-sale platform providers, fuel controller providers and pump manufacturers).
The combination of these factors makes it difficult to manage in-route transactions — especially without access to full, clear-text payment card data. This is (in part) why the industry has been slow to adopt payment security technologies.
In 2012, major card associations such as Mastercard, American Express and Visa declared they would swap out magnetic stripe cards with EMV chip cards. Amid the COVID-19 pandemic, the deadline for EMV compliance was extended to April 2021 for gas stations and C-stores. But the industry has been slow to migrate toward EMV compliance — even just after the deadline, less than half of major fuel and C-store merchants had fully implemented EMV across all franchises.
Prior to the EMV mandate, gas stations and C-stores only had to comply with the Payment Card Industry Data Security Standards (PCI DSS). This means they must encrypt magnetic card data must upon transfer, but the information does not get stored in the payment system. But breaches occurring at the pump (where a customer enters payment information) and in back-office computers (where payment data gets stored or processed) tells us this encryption may not occur as routinely as we think.
EMV: a good step, but not enough
While EMV represents a move in the right direction, it doesn’t encrypt three critical data points: the card’s primary account number; the cardholder name; and the card’s expiration date. So, while many organizations think they are compliant, PCI-DSS compliance has been on a steady decline, falling from 36.7% in 2019 to 27.9% in 2020. As the only encryption solution recognized by the PCI Council, PCI-validated point-to-point encryption (P2PE) can fill this security gap. In fact, Visa distributed a security alert in 2019 urging fuel merchants to adopt P2PE at the pump.
P2PE has been available for nearly 10 years now, but many vendors mislabel their solutions as P2PE when they are actually end-to-end encryption (E2EE). A true, PCI-validated P2PE solution encrypts card data at the point of interaction (POI) and can’t be decrypted until it’s securely transported to a solution provider’s decryption environment, located and managed outside of the merchant environment. This method of encryption makes data indecipherable to attackers, so even if a bad actor accesses a database in the event of an attack, they can’t sell it or commit fraud. Additionally, PCI-validated P2PE enables C-store merchants to reduce up to 90% of their PCI scope, including compliance requirements and associated costs.
An E2EE solution provides similar functions as P2PE, but E2EE isn’t assessed by the PCI. Using a PCI-validated P2PE solution not only can help detect tampering and keep your customers’ data safe, but also eliminates the need for costly, time-consuming PCI-DSS assessments.
The gas station and C-store sector has been moving in the right direction toward more secure payments, but there’s room for improvement. EMV alone isn’t enough to facilitate truly secure transactions, and that’s why a layered security approach makes sense. As the gas station and C-store sector continues to move toward EMV adoption, it’s important to keep in mind that encryption at POI has become critical for secure transactions.
Ruston Miles, founder and cybersecurity advisor, Bluefin
