
EdgePetrol: Petrol stations need to protect data

Retail fuel stations have large amounts of sensitive data passing through them, both personal and commercial. It travels over the internet on wi-fi and fixed-line connections and is stored not only on servers belonging to the station or its group but, increasingly, on third-party servers in the cloud. Whenever sensitive data is transmitted out of the station (and, technically, even within it) it is at risk of interception or theft by third parties, commonly called hacking.



Advertorial

Today stations are not only suppliers of fuel but also of convenience store items and a few motoring accessories and parts. With cash falling out of favour, a trend accelerated by the Covid-19 virus and the need for social distancing, electronic payment is becoming almost universal, both for money coming in and for money going out.

In addition, stations hold increasing amounts of data about their own business, which is often available but not used.

This poses different challenges from cash. Cash can only be physically stolen, whereas electronically stored data can be copied remotely, without anything visibly going missing, as well as walking out of the door on a laptop or removable drive. This gives rise to two questions:

  1. What obligations does a station have towards third-party data?
  2. What obligations and protection should a station have towards its own data?

Dealing first with third-party data, there are two categories: personal data (information about real people) and non-personal data. Personal data is the subject of the GDPR (General Data Protection Regulation) and requires the most careful handling as a matter of law. It includes employee records and customer information derived from accounts and payment cards, and covers anything from which a living individual can be identified. Once properly anonymised, such data is no longer personal data and is not subject to the more stringent personal-data rules, but anonymisation has to be thorough: even a postcode plus one other detail (e.g. he or she drives a blue Ford Fiesta) may be enough to identify an individual. Note that pseudonymised data, where identifiers have merely been replaced by a key that could reverse the process, is still personal data under the GDPR.

Business data is valuable for a different reason: anyone with good data and the knowledge to interpret it has a competitive advantage. A fast-selling item with a low margin may be less profitable than a slower-selling high-margin product. Is it worth accepting fleet cards with their high margins, or should only credit cards be accepted? Does a station need to accept AMEX? All of these are data questions, and answering them depends on collecting and analysing the data.

But once collected, data can be stolen, and once it has been put into a form in which it can be (or has been) analysed, it is more valuable still and in greater need of protection.

Credit cards and fuel cards carry their own risk. Stations as such do not normally need to hold card details, unless they operate certain loyalty or e-store schemes. For most stations, card data merely passes through the POS to the payment processor, which leaves the POS and payment supplier to deal with most of the security, although the station remains responsible for its own environment under the card schemes' PCI DSS rules. It is important that the station has no means by which the CVV can be captured or downloaded: PCI DSS forbids storing it after authorisation, and holding it would be both a data breach and a security risk. The practical risks are therefore tampering with the POS connection and tampering with or substitution of the terminals themselves (skimmers fitted to pay-at-pump card readers are a well-known example). Terminals should be inspected for tampering, and a security audit should be carried out periodically to ensure that no unauthorised feeds are leaving the POS equipment.
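One concrete form that periodic audit can take, added here as an illustration and not part of the article or of EdgePetrol's own tooling, is to compare outbound connections from the POS segment against an allow-list of the destinations it legitimately needs and to flag anything else, plus bulk transfers even to permitted hosts. Everything in the block is assumed: the POS subnet, the two permitted destinations, the firewall export format and the sample log lines are all constructed for the example.

```python
"""Added example (not from the article or EdgePetrol): a simple egress audit
for a POS network segment.

Assumptions, all hypothetical: the POS terminals sit on a dedicated subnet,
their only legitimate destinations are the payment processor gateway and a
back-office server, and the station firewall exports connection records as
comma-separated lines "timestamp,src_ip,dst_ip,dst_port,bytes_out".  The
addresses, ports and log lines below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical POS subnet and the egress allow-list for it.
POS_SUBNET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_EGRESS = {
    (ipaddress.ip_network("203.0.113.10/32"), 443): "payment processor gateway",
    (ipaddress.ip_network("10.20.1.5/32"), 8443): "back-office server",
}

# Even an allowed destination should not receive bulk transfers from a POS host;
# card-present authorisations are tiny.  The threshold is arbitrary for the example.
LARGE_TRANSFER_BYTES = 5_000_000


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    port: int
    bytes_out: int
    reason: str


def parse_record(line):
    """Split one constructed firewall record into typed fields."""
    ts, src, dst, port, nbytes = [f.strip() for f in line.split(",")]
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), int(nbytes)


def is_allowed(dst, port):
    """True if (dst, port) matches an entry on the POS egress allow-list."""
    dst = ipaddress.ip_address(str(dst))
    return any(dst in net and port == p for (net, p) in ALLOWED_EGRESS)


def audit(lines):
    """Return findings for POS-originated connections that break the allow-list
    or move unusually large volumes to an allowed destination."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = parse_record(line)
        if src not in POS_SUBNET:
            continue  # only traffic leaving POS hosts is in scope here
        if not is_allowed(dst, port):
            findings.append(Finding(ts, str(src), str(dst), port, nbytes,
                                    "destination not on POS egress allow-list"))
        elif nbytes >= LARGE_TRANSFER_BYTES:
            findings.append(Finding(ts, str(src), str(dst), port, nbytes,
                                    "unusually large transfer to an allowed destination"))
    return findings


# Constructed sample log: two normal authorisations, one POS host talking to an
# unknown address, a non-POS host (ignored), and a bulk transfer at 03:10.
SAMPLE_LOG = """\
# timestamp,src_ip,dst_ip,dst_port,bytes_out
2024-03-01T08:00:01Z,10.20.30.11,203.0.113.10,443,1840
2024-03-01T08:00:05Z,10.20.30.11,10.20.1.5,8443,920
2024-03-01T08:01:12Z,10.20.30.12,198.51.100.77,443,73000
2024-03-01T08:02:40Z,10.20.1.5,192.0.2.9,443,500
2024-03-02T03:10:00Z,10.20.30.11,203.0.113.10,443,9000000
""".splitlines()

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src} -> {f.dst}:{f.port} ({f.bytes_out} bytes): {f.reason}")
```

Run as a script it reports the two suspicious records in the sample log. In practice the allow-list comes from the payment provider's documentation and the records from the station firewall or router, and any hit is grounds for taking the terminal out of service until it has been inspected.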

Business data needs a different form of protection. It is accrued and saved, often in the cloud, and will include personal data relating at least to employees (payroll, tax, names and addresses etc.), so it must be protected. Measures should be put in place to protect against malware and to firewall the station network so that unauthorised access becomes difficult. PCs and laptops should be kept patched and checked periodically for signs of unauthorised access. Passwords should be strong and unique to each system, changed whenever compromise is suspected, and backed by multi-factor authentication for cloud and remote access (current NIST guidance no longer recommends routine forced rotation on its own). Only employees who need access to sensitive areas should be given access to those areas, and that access should be removed when they leave.

Data should be encrypted, at rest and in transit, which makes stolen data far less useful and so makes theft less attractive. The encryption keys must be kept separate from the data they protect, and encryption does not help against an attacker who has obtained a legitimate login, so it complements rather than replaces access control. There are a number of commercial organisations that offer data encryption services.

Backup is also important. All station owners should have backup plans in place. With increasing volumes of data this is difficult, but security consultants can give advice. If the primary storage is attacked, the backup copy can be brought into service, provided that at least one copy is kept offline or otherwise immutable so that ransomware cannot encrypt the backup along with the original, and provided that restores are tested regularly. When the Twin Towers in New York were attacked in 2001, those companies with good backups lost very little data.

In summary, good data plans involve security at the corporate level, security at the personal level, good backup plans and a level of encryption. They should not be intrusive, while providing a reasonable level of protection. Thieves target weaknesses: if hacking one target is difficult, the hacker will move on to the next. Data relating to the fuel you put into your car and the goods you buy from the attached convenience store is no different in that respect from your house and your car.


By Laurence Cohen, General Counsel and Director Edge Petrol Limited
