Store Data Deserves Protection Too

The following, written by W. Capra’s Ed Collupy, has been re-posted from C-Store Decisions.

As c-store retailers implement enhanced inventory-management solutions, they should also consider doing more to secure inventory data.

So much of the attention on data security in the last few years has been focused on payments, and many companies throughout the convenience fuel retailing industry have implemented measures to protect their customers’ data.

But industry leaders indicated in a recent survey that data security, beyond payments, was high on their list of what keeps them up at night.

During this same period, many leading c-store operators have been implementing enhanced inventory-management solutions that result in significant cost savings, freeing up capital by reducing overstock, having the right items in stock to meet customer demand, and being able to measure category margin performance more accurately.

In another recent study, shared at the RetailROI Super Saturday event, inventory management systems rank No. 3 for where retailers will be making investments in 2017.


Taking a view of data security through an information risk management lens leads one to realize that there is much at stake should any information driving business processes and decisions be breached. Any disruption that leaves you without an adequate inventory of product to sell is a serious concern and should be addressed in a business continuity planning process.

With many back-office and inventory management systems now available as hosted or managed service offerings (i.e., “the cloud”), third-party information risk management and data security should be a priority in any agreements between the retailer and software/service providers.

Securing inventory data also means securing price book data where you maintain your vendor/wholesaler costs and retails. Ensuring this data doesn’t find its way into competitors’ hands is important and some retailers may be contractually obligated to maintain the confidentiality of the product costs with their suppliers.

Data security is important when it comes to the inventory management lifecycle whether it’s receiving product from vendors, regular inventory checks and audits or ordering product.

Traditionally, there are three primary reasons for closely managing inventory data:
1. Ensuring your replenishment plan is sufficient to meet sales—keeping product on the shelves without building too much inventory;
2. Managing shrink—making sure that you’re actually selling the product rather than it disappearing; and
3. Making sure that you are making sufficient margin—that the costs and prices are current and accurate.

Security threats to these objectives could be a sales disruption or a more serious impact, where people, internally or externally, develop a scheme that includes systematically hacking into and modifying inventories.


The cost of carrying out data breaches is falling for hackers, and access to the toolsets required to perform the hacks is becoming more readily available; tapping into your inventory data is becoming a more critical attack vector. The FBI in January issued an alert about “a definite uptick” in ransomware in businesses and other organizations.

Not only are these hackers demanding money to unlock what they’ve done, they also threaten to release sensitive or proprietary information. These infections can be devastating and recovery can be a difficult process that may require the services of a reputable data recovery specialist.

A key consideration around data security and inventory management is to have in place a broad and complete security approach for third-party suppliers and vendor personnel who have access into your systems. An integrated in-store system of point of sale, electronic payment system and back-office controllers creates multiple entry points and a source of inventory data. If you allow third parties to access it, you have additional security work to do.

Consider the following as part of your defense strategy:
• Utilize or create an extranet for your supply chain systems with adequate separation from your other systems that contain sensitive data;
• Make sure you have solid Identity and Access Management standards, and apply them to third-party personnel accessing any of your systems;
• If third-party suppliers are accessing your store systems directly, secure those network connections.

Why do all this? To prevent access to your data: your margins, volume movements, daypart peaks and valleys, and the performance of your new food offer are just a few data points to safeguard.

A colleague at W. Capra, Matt Beale, whose team specializes in all things security, said recently, “And here’s the kicker… if your inventory data is walking out the door, how long do you think it will be until your credit card data or personnel data is holding its hand on the way out?”
In that case, the results can be catastrophic.

Ed Collupy, executive consultant at W. Capra Consulting Group, has IT leadership and business team experience directing and supporting retail systems for store operations, merchandising, fuel and accounting teams in the c-store industry. He can be reached at

Focus 2016: Measured in Seconds

Recently, Intel Security hosted its annual flagship security conference “Focus” in Las Vegas. The tone of the conference was set by Sr. Vice President of Intel Security and keynote speaker Chris Young. With Intel Security set to spin off its security unit, attention was sharply focused on the soon-to-be CEO of the second coming of McAfee. It was a packed house with many in the crowd surely anticipating Young’s keynote address and interview of special guest: actor and tech-savvy investor Ashton Kutcher.

Over the course of Young’s nearly two-hour keynote address, time was not measured in minutes but seconds.  The second coming of McAfee and the unveiling of the new McAfee logo may have taken center stage, but it was Young’s focus on his contributions to a recently published book entitled “The Second Economy: The Race for Trust, Treasure and Time in the Cybersecurity War” that set the theme for the 4-day conference.

“The second economy is more trust-related and as we move from a physical to a virtual economy, the trust factor and our ability to deliver a real cyber security capability will be more important because we are moving into a world where computing is a pervasive element of how we live our lives,” Young said.

One of the biggest challenges in the second economy was elaborated on by Ashton Kutcher during his interview with Young in the latter part of the keynote address. According to Kutcher, the second economy “is a new country, a new world and we don’t know what the rules are yet. We are never going to be able to lock all the [virtual] doors, so we need to know the extent to which we can trust our neighbors.”

Emerging threats in the second economy are more sophisticated and constantly evolving. Just a few years back, an organization’s focus was thwarting Advanced Persistent Threats, which typically target a company’s data store of Payment and Personally Identifiable Information (PII). The threat landscape has evolved and the actors are no longer just individuals and groups, but nation-states intent on covertly shaping sociopolitical landscapes and governance of other nations by participating in nefarious cyber activity.

Kutcher went on to point out the need for a “global doctrine for cybersecurity, something that sets out a basic handshake agreement and the sanctions for breaching the agreed rules. We need to write this doctrine so it represents the rules we want. If not, it will be written by idiots.”  He went on to suggest “You don’t want it to be written by people who don’t even understand how the internet works,” to the amusement of much of the audience.

You can find more information on the Second Economy and the book, here.

EMV: Stalled at the Pump

The convenience and fuel retailing industry is buzzing about the announcements from VISA, Mastercard, and American Express that they will delay most of the liability shift for automated fuel dispenser (AFD) EMV chip card transactions by 3 years. Convenience store operators and gasoline retailers were preparing to meet the October 1, 2017 deadline, and were surprised by the announcement of the new October 1, 2020 date.

The retail industry faced the first EMV liability shift over one year ago for non-ATM and non-AFD transactions and many merchants still have not been able to deploy EMV to all of their stores. In particular, the convenience/petro and restaurant industries are lagging behind many other retailers due to their special processing requirements and technology suppliers. With that reality and listening to stakeholders about what it will take to implement EMV on the forecourt, the card brands have recognized the challenges with EMV AFD solution readiness.

Why Extend the Date?

Amongst these challenges and concerns about the 2017 date have been:

  • The readiness of Point of Sale (POS) and Payment software – most POS providers are still developing EMV versions
  • EMV AFD hardware – solution providers have suggested a multi-step implementation process; installing hardware ahead of software that will enable the acceptance of chip cards
  • Testing and certification efforts – the additional certifications required and the experiences learned from the EMV inside efforts have highlighted the need to focus additional investment on testing to ensure quality deliverables and a consistent consumer experience.
  • Finite pool of installers – qualified and certified technicians are needed to do the actual at-the-pump installations and some estimates point to 4.5 million man-hours to install retrofits and pumps.

The extension acknowledges these challenges while at the same time encouraging retailers to move forward with the implementation of chip technologies to combat counterfeit fraud. VISA has said it will keep an eye on AFD fraud trends, which currently are on the low end of the risk scale, but was not as clear about what will occur with merchants who experience higher fraud during the 3-year period.

Benefits to Stakeholders


For all the stakeholders involved, moving the date out to 2020 has benefits. The convenience/petro community can now prioritize and focus on EMV implementation inside the store – the shift in indoor liability is costing merchants real dollars in chargebacks that they previously were not seeing. Completing indoor EMV, including all of the testing and deployment processes, will also give retailers time to figure out how the more complex EMV ecosystem will impact support processes. The extension will also allow a more comprehensive investment strategy, including how to integrate outdoor EMV efforts with other payment, loyalty, and mobile initiatives.

With the new liability shift date, retailers should not put off starting EMV AFD planning. Beginning projects earlier will allow solutions to be fully tested ahead of the timeline, which should allow retailers to deploy at a more reasonable pace/funding schedule. Also, dispensers and terminals will need to be replaced over the next three years, and retailers should have a technology strategy that avoids the need to upgrade the dispenser twice.  If most retailers delay their outdoor implementation, the mad rush and massive resource conflicts just move further down the timeline.

Implementing chip card acceptance sooner rather than later will reduce counterfeit fraud at the pump even before the liability shift.  Based on experience from where EMV has been implemented around the world, predictions have been made that the US will see similar card fraud decreases. Delaying the start of EMV outdoor projects will open the door for criminals who will view unattended non-EMV AFDs as an easy target.

Don’t forget the fueling customer in all of this! If consumer behavior patterns in the US follow those in other markets that have already migrated to EMV, consumers will become more comfortable with chip cards as the widespread use of chip cards increases at other retail locations. A security-conscious segment of customers will emerge expecting a less risky way to pay. Most major card issuing banks have already issued chip cards and major grocers and retailers accept chip cards. Thus customers have already been trained and will increasingly expect chip card acceptance.

Opportunities Await

This decision by the card brands, providing an added 3-year window of time, raises both opportunities and new questions that convenience/petro retailers should consider as they refine plans for AFD EMV implementations including:

  • What will the POS providers’ approach be with software releases? Will they now look to include and deliver more features/functions that have been deferred and that their customers have been looking for?
  • What additional changes will occur during the next 3 years with dispenser technology (including the entire dispenser unit) and on the compliance/regulatory front that might require updates down the road – solution and service provider roadmaps need to be transparent and solid.
  • Fuel pumps will continue to age and will be further depreciated as 2020 approaches. The timing of full AFD replacements will be on retailers’ minds as they will be making decisions to upgrade or replace.
  • Will there be added financial incentives to begin purchases and implementation now versus later and what will happen to costs of equipment/software/services over the next few years?
  • What is the position of the major fuel brands regarding outdoor EMV over the next three years? If you upgrade dispensers early, will their systems be ready?
  • How will this decision impact other related security initiatives, e.g. Point-to-Point Encryption (P2PE)? Does this create an opportunity for P2PE to be implemented at the same time as AFD EMV?

This announcement gives retailers much-needed breathing space, but they need to keep moving forward. Retailers now have time to make better investment timing decisions, and develop a more comprehensive strategy for their outdoor dispenser upgrades. Just like an automobile stalled on the side of the road, pushing back the liability shift related to EMV implementation at the fueling dispenser is just a temporary state. There’s still an opportunity and several motivations to get a jump start and keep moving ahead.