Ensuring Business And Payments Security

Aug. 5, 2019

Stolen data, lawsuits and theft are among the many threats to operators in the automatic retail industry. While hackers and legal issues can endanger a company, there are services that operators can use to ensure success. 

Ensuring Security in Payment Processing

The security involved in processing payments at vending machines is a multifaceted operation, but operators can partner with companies that specialize in this security. 

USA Technologies (USAT) is a cashless payments and software services company that provides end-to-end technology solutions for the self-service retail market. Paul Stadler, vice president of product management at USAT, said that while most vending machines do not currently have EMV®-compliant chip readers on payment terminals, he anticipates change is coming.

When chip readers with EMV technology were introduced, large retailers and sellers of big-ticket items initially balked at the cost of replacing terminals, Stadler said. Card issuers also found it more expensive to create the cards. While retail ended up opting for compliance with EMV standards, the unattended retail industry has not made it a priority yet, he added. Most of the retailers USAT works with have small-ticket items that cost consumers, on average, less than $10, such as beverages or car wash packages, he explained.

“It turns out that when you’re doing small-ticket, you’re usually less susceptible as a target of fraudsters,” Stadler said. “You’re still very at risk from hacking attacks where people try to steal payment information — which is why security matters — but you’re probably not the target of a fraudster. What they’re going after is high-value targets — things like computers, cameras, electronics, jewelry, fashion items. And so the EMV portion of it — we’re coming later than retail did. And that’s fine, because it hasn’t been a huge driver in this industry. But we think it will be moving forward, and that’s why [USAT is] entering that game now.” 

As the company foresees this trend, it is developing a product that will pair with the technology involved in EMV-compliant readers, Stadler said. This technology relies on what is often called the “chip,” a small computer on the credit card, together with the associated hardware and software. There is also a wireless, or NFC, version that does not require inserting the card physically.

Ensuring Additional Protection

Another layer of protection is the sealing of the card reader. Hackers would need to physically modify the card reader to be able to hack it, Stadler said. While EMV compliance does not prevent card reader damage, it makes it more difficult for people to commit counterfeit-based fraud by copying cards. He said that fraudsters who would take the time to find a way to duplicate cards would not do so to make the low-cost purchases offered at vending machines.

“If they’re going to stick their neck out and commit a crime, they usually want the payback to be a little bit bigger than a bag of chips,” he said. “That said, there’s a shift going now to EMV. And I think that the larger driver for us in our industry is not necessarily a security aspect, but it’s actually a customer expectation.”

Stadler said he predicts that in the future, people will start feeling uncomfortable about not having a chip on a credit card, or not being able to use a chip in a sales transaction, as has happened in other countries.

Connectivity and point-to-point encryption 

USAT works with wireless carriers to extend connectivity. Most vending/micro market operators’ locations don’t have a physical network available, yet a network connection is required to process payments, Stadler said. 

USAT also works in point-to-point encryption, using a proprietary telemetry solution that securely transmits information from the payment terminal or reader into the USAT platform via a private network. This encryption prevents “eavesdropping attacks” in which hackers could see card numbers used at the machine if they had somehow gained access to the USAT network. Both the transmission over the wire from the card reader to the platform and the area where the platform stores data are secured. This wireless spectrum area is not accessible to anyone else as it is set up through a series of arrangements with wireless carriers. The platform is protected by another set of security procedures, which network rules from entities such as Visa and Mastercard require in order to ensure the integrity of the payment system, he added.

“In the platform, what we’ve done is create a highly secure payments platform,” he said. “We apply the highest standards of managing a secure infrastructure to ensure that we are more than PCI compliant.”

USAT decrypts incoming transactions, stores the card number, encrypts it, and uses cryptographic techniques to ensure that the data wouldn’t make sense to anyone who hacked it. A token (a reference to the card information) is created instead of retaining the card information.

Annually, companies that take card payments through the network are required to complete a questionnaire to ensure they are following security system requirements.

“All of this stuff distracts [automatic retail] operators from their core business,” he said. “That’s payments territory. We basically alleviate all that from them.” 

Stadler added, however, that operators are also bound to treat payment information in compliance with payment card industry (PCI) regulations. USAT develops contractual agreements with vending and micro market operators to fulfill these, in a chain that involves banks, consumers, processors, networks, merchants and payment facilitators, such as USAT. The regulations from Visa and Mastercard are extensive, he said.

“When we sign up an operator, technically, they’re bound to all of that too, but we do all of the heavy lifting for them,” Stadler said. “That’s kind of the mechanism by which the payments networks — Visa, Mastercard, etc. — keep all of the bad actors out of the system.”

Taking Security Seriously

Nayax LLC also provides security solutions to operators. 

“We take security, of course, incredibly seriously. It’s really the cornerstone of our entire payment platform,” Nayax LLC CEO Carly Furman said.

Nayax’s devices are EMV-certified and -enabled in North America and the rest of the world. When a credit or debit payment card is used at a Nayax terminal, the chip creates a dynamic, unique transaction ID for each use of the card. Nayax then encrypts the transactional data and sends that data to Nayax’s PCI-certified servers.

“When operators are assessing with whom they should be investing their money and making capital purchases from, they should ensure the company they are working with offers a technology platform and a cashless solution that is PCI-certified, as well as EMV-certified and -enabled readers,” she said.

Furman added that if an operator were to choose a device that is not EMV-certified and -enabled, they would be offering end consumers only the option to pay via the magnetic stripe on the card.

“The information in the mag swiper is static,” she said. “So each time, it’s the same information that the credit card is passing through the terminal when the transaction is made, so it makes it quite easy for that information to be hacked in comparison to using the chip in the credit card, which creates a dynamic and new transaction ID each time the credit card is presented.”

A hacker would be able to make a duplicate payment card by using a sniffer on an unattended magnetic swipe machine. This sniffer could steal the card information as customers use the uncertified terminals. 

“You never want to say anything is 100% fraud-proof, but it is significantly more difficult to lift credit card information from a chip because the chip has computing power,” Furman said. “Each time the credit card’s chip is used, it’s using different dynamic transaction information. That action makes it very difficult to hack.” 
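The difference between static stripe data and per-use chip data can be modeled in a few lines. This is an added example, not code from the article or from either vendor: it is a simplified model in which HMAC-SHA256 stands in for the card's real cryptogram algorithm, and the `ChipCard` and `Issuer` classes, the card number and the track string are hypothetical, constructed values.

```python
import hashlib
import hmac
import secrets

def make_cryptogram(key, counter, amount_cents, nonce):
    # HMAC-SHA256 stands in for the card's real cryptogram algorithm (assumption).
    msg = counter.to_bytes(4, "big") + amount_cents.to_bytes(8, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class ChipCard:
    """Toy chip: holds a secret key and a counter that advances on every use."""
    def __init__(self, pan, key):
        self.pan, self._key, self._counter = pan, key, 0

    def sign(self, amount_cents, nonce):
        self._counter += 1
        tag = make_cryptogram(self._key, self._counter, amount_cents, nonce)
        return (self.pan, self._counter, amount_cents, nonce, tag)

class Issuer:
    """Toy issuer host: knows each card key and the highest counter accepted."""
    def __init__(self):
        self.keys, self.last_counter = {}, {}

    def enroll(self, pan):
        self.keys[pan], self.last_counter[pan] = secrets.token_bytes(32), 0
        return self.keys[pan]

    def authorize_swipe(self, track_data):
        # Static data: nothing distinguishes a fresh swipe from a copied one.
        return track_data.split("=")[0] in self.keys

    def authorize_chip(self, pan, counter, amount_cents, nonce, tag):
        key = self.keys.get(pan)
        if key is None or counter <= self.last_counter[pan]:
            return False  # unknown card, or a counter already seen (replay)
        if not hmac.compare_digest(make_cryptogram(key, counter, amount_cents, nonce), tag):
            return False  # altered fields or wrong key
        self.last_counter[pan] = counter
        return True

def demo():
    issuer, pan = Issuer(), "4111111111111111"  # constructed test card number
    card = ChipCard(pan, issuer.enroll(pan))
    track = pan + "=2512101"  # constructed static stripe-style data
    msg = card.sign(150, secrets.token_bytes(4))
    return (issuer.authorize_swipe(track), issuer.authorize_swipe(track),
            issuer.authorize_chip(*msg), issuer.authorize_chip(*msg),
            issuer.authorize_chip(*card.sign(150, secrets.token_bytes(4))))
```

`demo()` returns the outcome of a swipe, the same swipe data presented again, a chip transaction, that same chip message presented again, and a fresh chip transaction: only the repeated chip message is refused, because its counter has already been consumed.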

Nayax develops and manufactures its hardware and software in house and maintains its own server security.

“Security is at the forefront of what the Nayax solution offers our operators — all of our in-house knowledge, experience and resources lets us stay ahead of the curve,” Furman explained. “That’s the central component of how our company works, so that our operators can concentrate on running their businesses.”

Managing risk

Operators face many risks that could impact their business, such as discrimination lawsuits or workplace hazards. A single misstep might trigger a lawsuit, so it’s essential for operators to tackle risk assessment. Heather Bailey, a partner at SmithAmundsen LLC who concentrates on employment and labor counseling and litigation, provided insight on how companies can insure themselves and handle claims. 

Bailey said the most common causes of successful claims against automatic retail businesses include companies being underinsured, not having proper written policies and practices in place, and improper management training. Companies can prevent these issues through risk assessment, including ensuring they have good policies and that employees have access to the rules. 

“Having proper written policies and practices in place is key,” Bailey said. “These policies are only as good as the managers who are properly trained on them. Management, if not properly trained, can cause more harm than good.”

She added that investing time into providing management and employees training is paramount as it will help reduce claims and ensure that when claims do occur, they are handled correctly. Protocols should also be in place for reporting accidents.

“Managers should be adequately trained on legal issues that occur in the field like workers’ compensation injuries, vehicle accidents, drug testing, reasonable suspicion training and related employment areas,” Bailey said. 

Obtaining proper insurance

Another critical step for operators is ensuring that their company is properly insured. Liability insurance, also known as “third-party insurance,” provides protection against claims that come after injuries and damage to people or property when the insured business is deemed to be at fault. For example, it could cover both legal costs and any payouts required after an employee is injured on the job. There are several forms of liability insurance for business owners to consider including commercial general liability insurance and personal liability insurance — also known as an umbrella insurance policy — as well as Employment Practices Liability Insurance (EPLI).

The company should not try to handle claims without legal counsel, Bailey said. Two common misconceptions among company leadership are that liability claims will never impact their company and that they can handle claims personally without counsel, she said.

Bailey said companies tend to give either inaccurate or too much information when trying to defeat claims. It’s important for business owners to select a qualified insurance company that will work with them to perform a proper investigation so that the company can respond accordingly.

“They should vet a few different insurance brokers, even seeking referrals from trusted advisors,” Bailey said. “Moreover, they should vet a number of employment attorneys in their industry, such as vending, who specifically work with companies to ensure best representation.”

Securing the present for the future

Being vigilant about the many ways that your security, and your customers’ security, may be threatened is a good first step to identifying solutions that will work for you and your business. Being properly insured and creating strong company policies will help protect you and your employees.