Skip to main content

How to Prevent Data Breaches

LAS VEGAS — Data breaches are serious business, with companies spending $6.5 million on average in the aftermath of such incidents, Kara Gunderson, POS manager for CITGO Petroleum Corp., said during the “Mitigating Card System Breaches” educational session Sunday at the 2015 NACS Show. In addition, a convenience store retailer’s reputation could be seriously damaged, something much tougher to put a price tag on.

Preventing data breaches requires efforts on multiple fronts, but a good place to start is preventing automated fuel dispenser skimming, the most frequent form of data theft.

“Skimming devices are more sophisticated, tougher to detect and better at stealing data,” cautioned Gunderson.

To mitigate breaches at the fuel dispenser, she provided four pieces of advice:

  • Install tamper-proof stickers;
  • Replace standard locks on fuel dispensers;
  • Inspect fuel dispensers regularly; and
  • Add EMV (Europay, MasterCard and Visa) card readers at the dispenser.

Protecting customer data is the ultimate goal, noted Phil Schwartz, I/S Manager, Credit Card Systems for Valero Energy Corp., the second panelist speaking during the educational session.  

C-store retailers should make sure employees cannot freely surf all Internet sites. “White listing” (blocking) sites that can cause harm, installing a firewall, using two-factor authentication, and updating anti-virus software on a daily basis were some of the recommendations offered by the panelists. 

Passwords must be strong and changed often as well. “Unlike diamonds, passwords are not forever,” said Schwartz, Convenience Store News’ 2015 Technology Executive of the Year. “They should be changed every 90 days.”

He also stressed that once c-store retailers have implemented these anti-breach measures, they should conduct penetration testing to make sure the efforts are effective.

Schwartz concluded by stressing that c-store retailers who simply have required payment card industry (PCI) compliance are not safe from breaches.

“Compliance is required. Security should be your goal,” he said.

This ad will auto-close in 10 seconds