NATIONAL REPORT — Retailers know more about their customers today than ever before. Information captured through loyalty programs paints a clear picture of them: what they like to eat and drink, when they like to shop, and even if they have children in their household or not.
The bad news for convenience store retailers, though, is that they're not the only ones interested in collecting information from their customers. Data thieves are, too.
What is it about the convenience channel that makes it an attractive target for data thieves?
As Marc Schultz, head of data privacy and security at Newton, Mass.-based customer engagement solutions provider Paytronix, sees it, there is a natural tension between the need for speed in the convenience channel and the need for security.
"Convenience stores are about speed and convenience. Consumers don't often think of low-value and high-frequency transactions found in convenience stores as high risk, until there is an issue, but bad actors consider those same factors in their favor," Schultz told Convenience Store News. "Large numbers of transactions generate a lot of valuable personal and financial data, including order history and credit card information."
Additional risk factors include independent locations that are oftentimes staffed by a single employee, and real or perceived limited in-house security and technical resources.
A high traffic count and a high employee turnover rate are also driving factors, according to Carl Mazzanti, president and co-founder of Hoboken, N.J.-based eMazzanti Technologies, a provider of cloud, information technology and network services.
"It is difficult to deliver compliance or standardization. In the retail space, there are 16-year-olds to 100-year-old people working…," Mazzanti explained. "In convenience stores, you usually have a lot of transient workers. It is difficult to deploy standards across all the stores without having a regional or district manager go by the stores on a regular basis."
Detection Delays
Late 2019 brought the news that Wawa Inc., a popular c-store chain with locations in the Mid-Atlantic and Florida, experienced a data breach that potentially affected all of its locations. In an open letter to customers, Wawa CEO Chris Gheysens said malware affected payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019 and until it was contained on Dec. 12, 2019. The malware was present on most store systems by approximately April 22, but wasn't identified by the retailer's information security team until Dec. 10.
Two months later, on Feb. 13, fellow Pennsylvania-based convenience store chain Rutter's reported a similar breach. According to the company, a third party reported the possibility of unauthorized access to data from payment cards that were used at some Rutter's locations.
Rutter's launched a subsequent investigation with the help of cybersecurity firms, and notified law enforcement. According to the retailer, the security breach timeframe varied by store location, but generally fell between Oct. 1, 2018 and May 29, 2019.
As evidenced by the incidents at Wawa and Rutter's, it could take several months for a retailer to detect a breach. Perpetrators may let a device — like in the case of skimmers at the pump — sit there for months before removing it and using the data for malicious activity.
Mazzanti said there are several reasons for the lag in detection: "One, sometimes your payment gateway provider doesn't correlate the problem fast enough. Two, sometimes the FBI decides not to let anyone know it is occurring because they want to catch the perpetrators; the FBI lets the breach continue while it narrows down who the party is."
Other times, according to Mazzanti, the perpetrator may hold onto the stolen data for a while.
"Bad people run a business. Revenue comes in, what they have stolen, and they have expenses — what it costs to run a campaign, what it costs to find people to buy the stolen data, what it costs to run servers. They are running an organization that has expenses. If what they have to sell isn't worth as much, they may hold on to it like an asset and sell it later on," he said, explaining that the value of a card number can drop when there are more numbers for sale.
Still, whether a security breach is detected immediately or nine months later, the impact on a convenience store operator is largely the same, according to industry experts.
"The two immediate results are loss of consumer trust and financial losses, but perhaps the most painful and long-lasting impact comes in business disruption," Schultz said. "C-stores, like other retailers, must redirect scarce resources to short-term and immediate investigations and to longer-term additional reporting and control requirements."
How to Protect Your Business
The convenience channel presents a large number of attractive and potentially vulnerable endpoints.
Inside the store, implementing EMV chip technology at the point-of-sale cuts down on data theft by making it harder for bad actors to steal card information. So, EMV upgrades at the forecourt — which have a new April 2021 deadline — should help ease problems at the pump.
"EMV at the pump has and will help, but it is unreasonable to think any single technology will eliminate all threats. EMV has been effective as one part of a comprehensive set of security controls," Schultz explained. "Beyond EMV, we'll see continued innovations in areas like mobile payments. So, we can't fall back on any specific technology to be the answer to all our ills."
According to the Paytronix executive, there are five primary steps that c-store operators can take to protect consumer data:
- Use trusted partners;
- Minimize the amount of sensitive data collected;
- Protect sensitive data collected by restricting and monitoring its access;
- Securely delete data that is no longer needed; and
- Apply security patches in a timely fashion.
Ultimately, safeguarding your stores will force perpetrators to look elsewhere.
"Your convenience store has to be more complicated to go after than another one they can walk into," Mazzanti advised.
IT firms have many tools available that retailers can use to make their stores “more complicated” for criminals, he pointed out. "For not a lot of money, you can make it difficult for a bad person to take advantage [of your business]," he said.