Industry View: Target Breach Is a Wake-Up Call
ATMs and many retail PIN pads today have tamper-resistant security modules (TRSMs) and use either triple data encryption standard (TDES) devices or more sophisticated AES algorithms. The only place where data is not encrypted is a very short wire—1 or 2 inches at most—inside the hard shell device that connects the card read heads with the encryption mechanism. There are no reports to date of electronic skimming devices successfully capturing data from these short wires.
Unfortunately, most c-stores and gas stations do not have encryption capabilities in their unattended fuel payment devices, which include a basic card reader in the dispenser (CRIND). Instead, card data is typically encrypted by software in the pump control computer, typically located inside the store or office. The transmission lines carrying unencrypted (readable) card data from the CRIND to the pump-control computer are long enough to make them vulnerable to skimming devices.
More recently, credit-card data is being stolen at gas pumps by installing a skimming device at the read head itself, which is housed in a relatively insecure CRIND. EMV would mitigate the practice of skimming at the pumps that we face today, and so would better key/lock systems for the CRIND. Some gas station CRIND keys are still virtually universal and can open most dispensers!
Part Three: Tokenization
Finally, “tokenization” should be required to protect the historical card data once a transaction is authorized. It essentially puts substitute information, or a token, in the place of the real card and transaction information stored in a merchant’s computer system. So if the system is compromised and tokens are taken, they have no real value in the outside world unless the host system is also compromised.
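To make the tokenization step concrete, here is an added example (not code from the article or from any vendor it mentions) of a vault-based token scheme: the merchant system keeps only a random token and the card's last four digits, while the mapping back to the real PAN lives solely in a separate vault on the host. The `TokenVault` class, the record layout and the test card number are all constructed for this illustration; the token is also forced to fail the Luhn check so it can never be mistaken for a live card number.

```python
"""Vault-based tokenization of a card PAN (primary account number).

Added example, not from the original article. The vault, the merchant
record layout and the card number used below are constructed for illustration.
"""
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, the same test real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token vault: the only place the real PAN is kept.

    In a deployment this sits on the processor's host (behind an HSM),
    physically and logically separate from the merchant's computer.
    """

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (13 <= len(pan) <= 19 and pan.isdigit()):
            raise ValueError("PAN must be 13-19 digits")
        if pan in self._token_by_pan:
            # Same card always maps to the same token (refunds, repeat customers).
            return self._token_by_pan[pan]
        while True:
            # Random digits replace everything except the last four, which are
            # kept so receipts and reports can still show the card tail.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject tokens that could be confused with a live PAN (Luhn-valid),
            # that equal the PAN itself, or that are already in use.
            if luhn_valid(token) or token == pan or token in self._pan_by_token:
                continue
            self._pan_by_token[token] = pan
            self._token_by_pan[pan] = token
            return token

    def detokenize(self, token: str) -> str:
        """Only the vault (the host system) can map a token back to a PAN."""
        return self._pan_by_token[token]


def store_transaction(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant's system retains after authorization: the token, not the PAN."""
    pan = pan.replace(" ", "")
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:], "amount_cents": amount_cents}


def record_exposes_pan(record: dict, pan: str) -> bool:
    """True if any field of a stored record contains the full real PAN."""
    pan = pan.replace(" ", "")
    return any(pan in str(value) for value in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111 1111 1111 1111"   # constructed test card number
    rec = store_transaction(vault, test_pan, 4250)
    print("merchant record:", rec)
    print("record contains real PAN?", record_exposes_pan(rec, test_pan))
    print("host vault resolves token:", vault.detokenize(rec["token"]))
```

Because the token body is drawn from a cryptographically secure random source, there is no arithmetic relationship between token and PAN; stealing the merchant's table of tokens yields nothing unless the vault itself is also compromised, which is exactly the property the article describes.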
The Industry’s Call to Action
These three steps range from the most obvious—making sure the card is legitimate—to never allowing the card data to be in the clear throughout the transaction and making sure it is stored in a way that is unusable to hackers. They are the most critical elements for creating a truly secure payment system.
On the security-solutions side, industry partners need to work together to develop the most cost-effective solution possible for all merchants. Hardware/software vendors and the payment-processing industry need to work together to create the most economical way to effectively combat data theft and fraud. No one currently has a solution that includes all of these features for PATP. Such a solution needs to be developed.
As for petroleum merchants, it’s time to stop thinking in simple terms of comparing the cost of fraud losses vs. the cost of installing the necessary data security technology. If you believe that requiring a PIN with your magnetic-stripe system provides as much security for less cost vs. an EMV card system, then install a PIN system! Your reputation is at stake, so accepting the liability of fraud losses, as many petro companies do, is not a good bargain. Combining a simultaneous EMV, E3 and tokenization system in PATP locations will enable you to leapfrog existing security architecture and give your customers peace of mind when they buy from you.
Fighting this battle isn’t cheap, which is why there will be some resistance to this three-part process in the petroleum industry and many others. Unfortunately, data theft and fraud are ongoing threats that could strike your company at any time—I know! So the question to ask is not how much improved security will cost now, but what the cost would be if millions of consumers started wondering, “Is it safe to buy at …?”