The April 2021 deadline for implementing EMV at the pump is now in the rearview mirror. Ahead of the final deadline, which was extended from October 2020 due to the COVID-19 pandemic, the c-store industry substantially grew its ability to offer outdoor EMV acceptance. Now, retailers must turn their focus to implementing another technology at the dispensers to further reduce the risk of credit card acceptance.
C-store and fuel retailers now look to be prime targets for cyber-attacks focused on extracting sensitive payment card data, as shown by a recent spate of attacks in the vertical.
Despite a common misconception, enabling outdoor EMV acceptance doesn’t prevent an operator from becoming the next retailer on the news because of a wide-scale credit card breach. While a strong mechanism for preventing counterfeit fraud, EMV solutions do not secure the underlying payment card data itself, and cyber criminals are well aware of this critical vulnerability.
Similar to EMV enablement, retailers are unfortunately behind in implementing solutions to secure payment card data. Most retailers in other verticals have implemented one or both of two separate but linked cryptography-based technologies used to protect card data:
- Point-to-point encryption (P2PE): In some implementations referred to as end-to-end encryption (E2EE), P2PE encrypts payment card data within the payment terminal, ensuring data is protected until it is decrypted at a secure point above-site (oftentimes at a retailer’s payment provider). P2PE protects card data during payment processing.
- Tokenization: Tokenization complements P2PE solutions by replacing payment card data with less valuable tokens, which can then be stored and used for future payment processing. Tokenization protects card data following payment processing.
These two technologies in combination render payment card data near worthless in the event of a breach of site-level or corporate systems. Accordingly, implementing P2PE and tokenization transfers or reduces the substantial risk of processing clear-text payment card data.
So, given the risk mitigation benefits, why haven’t c-store retailers implemented these technologies?
As with most site technology, implementing P2PE in convenience and fuel presents challenges beyond those faced in other verticals:
- Solution availability: Payment solutions in other verticals have been supporting P2PE for several years. However, fragmentation in dispenser hardware, payment software and payment processors continues to challenge providers in delivering fit-for-purpose P2PE solutions to the c-store market. While some solutions are available, these solutions do not currently cover the entire convenience and fuel market.
- Deployment: Deploying P2PE requires distributing both software changes and encryption keys to sites. Even today, many retail sites do not have technology in place to remotely deploy changes to payment terminals on dispensers, meaning that operators may yet again have to send technicians to their locations to implement P2PE.
Still, c-store retailers are moving forward with implementing P2PE at the dispenser. For those looking to start, ask existing solution providers to answer key initial questions:
- What P2PE solution(s) are certified on my payment processing stack (dispenser hardware, payment software and payment processor)?
- What remote management capabilities can remotely deploy changes required to enable P2PE?
By starting this process, c-store retailers can move closer to removing payment card data from their environments. These technologies reduce the potential impacts of cybersecurity breaches, which oftentimes include breach costs and brand reputation impacts that can run into the tens of millions of dollars. It’s critical that P2PE becomes the focus of today.
Patrick Raycroft, Convenience and Energy vertical lead at W. Capra Consulting Group, can be reached via www.capraplus.com.