In an exclusive interview with Help Net Security, Paul Suarez, Vice President and Chief Information Security Officer (CISO) at Casey’s, outlined the strategies employed to manage fraud risks within the retail payment landscape. With a focus on fuel payment systems characterized by long hardware lifecycles, Suarez emphasized the importance of continuous monitoring and adaptation to emerging threats.

Suarez noted that Casey’s does not differentiate fuel payment infrastructure management from other payment systems, asserting that its approach to patching and modernizing mirrors the discipline used across its entire retail technology environment. “We combine strong technical controls with business and operational controls to manage risk holistically and maintain a consistent security posture,” he stated. This integrated strategy allows Casey’s to effectively engage with leaders throughout the organization, driving discussions on risk management, lifecycle planning, and the evolving threats that specifically challenge fuel payment systems.

Addressing Evolving Fraud Tactics

The introduction of new payment methods invariably attracts innovative fraud tactics, with QR code payments being a notable example. Suarez explained that the focus at Casey’s is on safeguarding all payment channels with robust and consistent security protocols. As fraud techniques evolve in tandem with technological advancements, the company continually assesses these risks and adapts its controls. This proactive stance includes monitoring for suspicious activity, enhancing authentication and validation processes, and providing education on emerging threat patterns.

“Our goal is to enable convenient, modern, and fast payment experiences while maintaining the trust and protection our guests expect,” Suarez added.

Another area of concern for Casey’s is loyalty abuse, which poses unique challenges. The rewards points within customer accounts hold considerable value and are appealing targets for fraudsters. Casey’s loyalty program is designed to foster customer engagement, resulting in substantial legitimate activity that must be carefully monitored to distinguish it from potential misuse.

Suarez highlighted that transaction patterns can differ significantly across various customer segments, complicating the establishment of a definitive baseline for “normal” behavior. Consequently, loyalty activity evaluation requires contextual understanding, taking into account factors such as frequency and redemption patterns. “Loyal guests often redeem points regularly and across multiple channels, which increases the need for refined approaches to detect potential abuse,” he explained.

Holistic Monitoring Across Payment Systems

Monitoring payment systems that encompass store environments, corporate networks, and third-party payment processors necessitates a coordinated, cross-functional approach. Casey’s employs layered monitoring controls that provide real-time visibility into system health, transaction processing, and overall availability. This comprehensive monitoring enables teams to respond swiftly when systems deviate from expected performance.

In addition to real-time monitoring, Casey’s implements business controls to reconcile transactional activity across its retail environment and external processors. The company also rigorously reviews the control environments of third-party partners through Service Organization Control reports, ensuring a thorough understanding of how controls are operationalized within the broader payment ecosystem.

Suarez concluded by underscoring the critical role payment systems play in the convenience retail sector. “Our monitoring is real-time and ubiquitous,” he stated, reinforcing the commitment to safeguarding the integrity of payment processes while delivering a seamless guest experience.