Beware of forecourt cyber attacks, warns TSG

The COVID-19 pandemic has expedited the use of digital tools in fuel retail outlets across the world, particularly contactless payment systems, leaving some operations more vulnerable to cyber-attacks, according to Steve Watts, sales director of TSG Solutons.

He says prevention is much less damaging than cure, and is keen to offer advice on how fuel retailers can protect themselves against the risk of cyber-attack.

”While advances in digitalisation have brought many benefits to the retail sector, they have also led to increasingly frequent, costly and damaging cyber incidents, exacerbated by the COVID 19 pandemic,” says Watts.

”As retailers and organisations worldwide increased their reliance on digital systems to cope with the crippling impact of lockdowns, cyber-criminals saw new opportunities for attack. The retail sector became a priority target for ransomware during 2021, with an estimated 44% of outlets worldwide experiencing an attack, compared to 37% across all industry sectors.”

What is ransomware?

During a ransomware attack, Watts explains that often the victim’s data is encrypted, blocking access to critical databases and causing IT outages affecting tills, card payments and back-office systems until a ransom payment is made.

Data has become one of the world’s most valuable commodities. If critical information gets into the wrong hands, retail organisations could find themselves between a rock and a hard place – pay a ransom or risk confidential data being leaked online.

What are the impacts?

Cyber security attacks, whether they disrupt critical systems or threaten to leak confidential data online, have real and devastating consequences for retail businesses, including:

• · Reputational damage – resulting in the loss of trust among customers and business partners.
• · Downtime – loss of business continuity and revenue.
• · Financial impact - the cost of containing and rectifying the incident.
• · Data breach - loss of intellectual property or confidential information, potentially leading to lawsuits.
• · Non-compliance – the risk of penalties for GDPR contravention relating to the loss of personal data.

”According to cyber security company Sophos, the average bill for rectifying a ransomware attack in the retail sector, considering key factors including downtime, people time, device cost, network cost, lost opportunity and ransom paid was US$1.97 million,” says Watts.

”The study of over 5,000 IT managers from a variety of sectors across the globe, found that around one-third of organisations had chosen to pay the ransom which resulted in an average return of 67% of compromised data, with the rest remaining inaccessible.”

Integrated EPOS – a safe choice?

Integrated electronic point-of-sale (EPOS) systems are designed to seamlessly connect the various systems on the service station including dispensers, indoor and outdoor payment, fully integrated CCTV, tank-level gauges, price pole signs, back office and car wash.

”This level of integration makes life easier for site owners and their staff by providing them with more time to better serve customers, but the digital integration increases the risk of malware if systems are not securely protected,” says Watts.

Prevention is better than cure

To mitigate these risks, Watts says fuel site operators should choose EPOS and payment solutions with integrated data security and privacy measures that comply with (or exceed) the strict data security regulations enforced by the Payment Card Industry Data Security Standard (PCI DSS).

Systems that operate via a virtual private network (VPN) prevent fraud by encrypting the customer’s identity and payment details as transactions are made, providing increased control of credit card data and limiting the entry routes for cyber criminals.

Forecourt owners can set user permissions and restrict access rights to the system, where each individual user has their own unique identifier and complex password. This ensures that all activity can be traced to a known user and accountability can be maintained. Data security is a prerequisite for any cloud-enabled, connected solution and therefore, no card numbers or sensitive personal data should be stored.

Leave it to the experts

To avoid becoming another statistic in the growing number of cyber-attacks on fuel retail sites, Watts says retailers should take a proactive approach and seek advice from the experts: ”Choose a respected, experienced and well-established supplier who can support secure EPOS and payment systems and offer guidance on existing site security, as well as managing the installation and commissioning process.

”There is so much that can be done to protect the integrity of customer data, preserve reputation, mitigate the risk of financial loss and safeguard the forecourt against cyber criminals – don’t get caught out, take action now!”

 

Taking data protection to a new level

Watts points out that Tokheim’s EPOS sytem, Fuel POS, helps to manage all aspects of the fuel and retail business. When used in conjunction with Tokheim’s online authorisation and switching environment (OASE), a system which converts all payments made from bank cards in accordance with their specific security guidelines, data protection is taken to a whole new level.

”Like Fuel POS, OASE is regulated to PCI DSS standards and owing to its non-reliance on third-party software has become recognised as one of the most secure payment systems on the market today,” he says.

”If support is required for either system, remote access can only be gained by one of six highly-skilled technicians, once permission has been granted by the site. The dedicated server is housed in a locked-down room, which is protected against physical attacks by restricted security card access. Together, the Fuel POS and OASE payment system make a formidable team in the fight against cybercrime.”

For more information on TSG’s products and services visit: www.tsg-solutions.com/uk