By Keith Reid
Hughes Network Systems, LLC developed its reputation in the convenience retail industry as a leader in broadband satellite technology. Before the wide availability of reliable terrestrial high-bandwidth internet connectivity, VSAT (very small aperture terminal) was the only game in town for those that needed such capabilities. And it can still serve that purpose in remote areas lacking other forms of broadband access.
However, Hughes has adapted along with the industry as retailers embraced alternatives like DSL and cable. The company’s HughesON™ managed network services provide complete connectivity solutions. Payment card industry (PCI) requirements have further resulted in Verifone and Gilbarco needing to address security issues relative to point of sale (POS) help desk connectivity. Both have chosen similar routes that involve third-party service providers, with Hughes being certified as an alternative solution for both platforms.
FMN spoke with Dan Rasmussen, Hughes’ Senior Vice President of North America Sales and Marketing, about general connectivity and data security issues for convenience retailers, and the Verifone and Gilbarco developments.
FMN: How universal is broadband connectivity today?
Rasmussen: Inside of any of the large networks that we’ve deployed, we’ve found anywhere from a minimum 20% to sometimes as high as 40% can’t get above 10 megabits per second. It’s just not physically available in certain geographic locations.
FMN: How much bandwidth do today’s retail sites require?
Rasmussen: Just supporting credit transactions is no longer satisfactory. One of the interesting trends that we’re seeing now is sites wanting 50 megs (megabits) down and 5 megs up, which is a substantial amount of input bandwidth. I think it’s driven by the fact that while pumping gas on the forecourt is still important, the successful operators are focused on getting people inside and building and developing relationships, marketing and merchandising, and your network must be able to facilitate that complete customer focus.
FMN: Do they really need that much bandwidth?
Rasmussen: It gets interesting. An operator might look at the expected usage and say I’m going to process credit and pull-down video occasionally, but it’s stored and not streaming. Guest WIFI might eat up 30 or 40 megs of it. Surely, that is enough.
But what people don’t recognize is there might be 20 or 35 computing devices at the site, and they occasionally do things like pull patch updates. So, suddenly you get three Windows devices trying to suck down a 500-meg file while you’re trying to process payment. You can find yourself throttling a network and delaying payment processing.
We focus on quality of service because you can run even high-speed networks into congestion. It won’t be for long, but you still run the risk. To address that we focus very hard on quality of service configurations for their sites. What we say is, let’s assume for the sake of argument that you will always deal with congestion. Instead of overpaying and putting in 200 meg circuits, put in quality of service. Whether you’re congested for two seconds or two minutes, the payment processing and interactive applications are handled.
FMN: How significant is data theft today?
Rasmussen: It’s significant, but I think it has gotten downplayed recently for several reasons. The brands aren’t as focused on it, and then we have this bifurcation where the small locations, which are the majority, aren’t aware of it. There’s not been a real major breach recently outside of your typical card skimmers and other physical security issues.
That said, as EMV has made it into the larger retail population and attacking big box retail is becoming much more difficult, retail petroleum is one of the least-guarded frontiers until EMV becomes fully deployed in this industry. And the bad guys are going to chase the easiest path to money. They really don’t want to be skimming data from one gas station. They want to use that as a point of entry to where data is consolidated.
FMN: How do the data security needs vary with the different scale of operators?
Rasmussen: The simpler locations are relying on connectivity for basic retail petroleum operations: tank level monitoring, credit card payment processing and maybe a little bit of back office for labor management. What we see happening from a security perspective is a little bit of basic avoidance. They are very cost conscious. Even if they are broadband-enabled, they’re not using the network much beyond the old capabilities of the dial up network. So, whether it’s Hughes or another vendor, the marketer brings in the broadband and we put the security on top and they may only be paying $60 to $120 for connectivity and security. They’re saying I don’t think I’m going to be breached and I’m just not going to worry much about it.
FMN: What about the larger players?
Rasmussen: In the last 18 months I have seen them moving aggressively to full, robust security models. These would often be the “mid majors”—the Circle K’s and such—that would have hundreds to thousands of sites. A lot of them have a long-term perspective.
The larger people want a managed switch infrastructure. They want ports enabled or disabled. They want the logging and more proactive identification. For example, a station had 15 devices attached yesterday and today, device 16 showed up and it appears to be a Windows machine and a notification is sent. These guys are now paying maybe $275 to $350 a month for a much higher class of service. They’re wanting proactivity and security in a full managed service environment much closer to what some of the bigger box retailers have been doing. They are much more aware of the security ramifications of a breach.
FMN: How does this impact branded retailers, who may be smaller operators but part of a larger network?
Rasmussen: The argument we’ve had with the brands is if “Dan’s Petroleum” gets breached, it’s not that exciting. But if the company is flying the BP flag, for example, the public associates the breach with the brand. The brands went through a phase with PCI where, from a legality perspective, they might have felt that if they completely shoved responsibility down to the marketer, they would have no responsibility—which from a strict interpretation of the rules is probably accurate. However, in recent times the (public) marketing side of some of the brands has awakened and decided why don’t we help those guys to be in the best possible position so that we’re not facing backlash from this at all.
FMN: Hughes is listed as a certified VeriFone managed network services provider, and you play a similar role as an alternative with Gilbarco. First, what is an MSP?
Rasmussen: MSP is the acronym for managed service provider. In industry terms it’s much broader—transport, security, WIFI, VOIP, etc. For both VeriFone and Gilbarco, it really just applies to providing connectivity for the POS help desk support.
FMN: What is driving these developments?
Rasmussen: The first development that kicked things off was VeriFone’s decision to vacate its EZR router. A retail petroleum site, say one branded BP, would buy a VeriFone POS system. When the VeriFone POS system arrives, it has its computing devices and it used to come with the EZR router.
If the location had a problem, that EZR was maintaining a tunnel from the site back to the VeriFone help desk so they could troubleshoot the POS system. The sole function of that device was to provide connectivity for help desk support. However, that means you have a tunnel that is always established, which presented a bit of a security risk. If you had Hughes, for example, as a managed network provider with a router supporting the wide area network, we would be able to security-scan any of the devices connected to us, but the EZR router would prevent any scans going down into the POS systems and such. From a security perspective that means you could not technically finish your PCI compliance, and each of the marketers had to scan behind the EZR on their own. The technical wherewithal for that could be lacking.
This created a bit of a battle between the brands and VeriFone about how to do this. Not to mention, from the brand perspective, the solution had an extra router that people were paying for. VeriFone’s response was to stop using the EZR and rely on the managed network provider’s routers. What happens now is if you need help desk support, VeriFone reaches out through a tunnel to Hughes, and then from Hughes through a tunnel down to the site. And you can now finish your PCI compliance scans.
On the plus side, once you have that as the foundation, the MSPs can then offer additional higher-level security if your business warrants it and you’re interested.
FMN: This seems to be PCI driven, but we also have EMV coming into play. Do they relate? The HughesON solutions are also EMV-compatible.
Rasmussen: They are parallel and tangential. There is the need for the EMV infrastructure to be in place and the understanding that the cost is very high. Not only do the dispensers have to go in place, but now you’re dealing with effectively a bunch of IP-connected devices that need to go through a switching infrastructure and get tied into the POS.
FMN: Are retailers addressing this in a unified manner?
Rasmussen: That ideally would be handled at the same time the MSP switchover is taking place, but I think a large number are doing it as two separate projects. From a Hughes perspective, as well as the other MSPs, we’re saying, look, if you’re already going to pay for a site visit, let’s go ahead and put the switch infrastructure in place now so that when these pumps show up, you are ready and you can write down the infrastructure for it. I see this approach being valued in the mid majors and above, but smaller operators aren’t there yet because they just see it as an additional cost to be handled later. At the end of the day, none of this helps them sell one extra gallon of gas or an extra Twinkie, and for a small businessperson, that money’s coming out of their bank account.