The CISO view of fraud risk across the retail payment ecosystem

In this Help Net Security interview, Paul Suarez, VP and CISO at Casey’s, explains how his team manages patching and upgrades for fuel payment systems with long hardware lifecycles. He also discusses risks tied to QR code payments and outlines why loyalty abuse can be hard to spot. Suarez shares how Casey’s monitors payment systems across stores, corporate networks, and third-party processors.


How do you manage patching and modernization for fuel-related payment infrastructure that may have longer hardware lifecycles than typical retail technology?

We don’t assume that fuel payment infrastructure should be managed differently simply because it may have longer hardware lifecycles. Our approach to patching and modernizing fuel-related payment systems mirrors the discipline we apply across our retail technology environment.

We combine strong technical controls with business and operational controls to manage risk holistically and maintain a consistent security posture. Just as importantly, we actively engage leaders across the enterprise through regular discussions focused on risk, lifecycle planning, and emerging threats specific to fuel payment infrastructure, ensuring shared ownership and informed decision-making as technologies and threats evolve.

Do you have concerns about QR code-based payment methods becoming a new fraud channel in convenience retail?

Any time a new payment method is introduced, it has the potential to attract new fraud tactics, and QR code-based payments are no exception. Our focus is on ensuring that all payment channels are protected by strong, consistent security protocols. As fraud techniques evolve alongside new technologies, we continuously assess emerging risks and adapt our controls accordingly.

This includes monitoring for suspicious activity, strengthening authentication and validation processes, and educating teams on new threat patterns. Our goal is to enable convenient, modern and fast payment experiences while maintaining the trust and protection our guests expect.

What’s the most challenging fraud scenario for your teams to detect: synthetic identity, account takeover, loyalty abuse, or refund fraud?

Loyalty abuse represents an important area of focus because the rewards points held within our guests’ accounts have real value and are therefore an attractive target for fraudsters. Like many loyalty programs, ours is designed to encourage frequent and repeated engagement, which creates a high volume of legitimate activity that must be carefully distinguished from potential misuse.

This challenge is further shaped by the diversity of our guest base. Transaction patterns vary significantly across different customer segments, making it difficult to establish a single baseline for what constitutes “normal” behavior. As a result, loyalty activity must be evaluated in context, considering factors such as frequency and redemption patterns.

Additionally, loyal guests often redeem points regularly and across multiple channels, further increasing the need for more refined approaches. These factors reinforce the importance of using effective methods to identify potential abuse while continuing to balance fraud prevention with a seamless guest experience.

What does monitoring look like for payment systems that span stores, corporate networks, and third-party payment rails?

Monitoring payment systems that span store environments, corporate networks, and third-party payment rails requires a coordinated, cross-functional approach.

We use layered monitoring controls that provide real-time visibility into system health, transaction processing, and overall availability, enabling teams to quickly identify and respond when systems are not operating as expected. In parallel, we apply business controls to reconcile transactional activity across our retail environment and external processors.

We also review the control environments of our third-party partners through Service Organization Control reports, ensuring we understand how controls are designed and operating across the full payment ecosystem. Payment systems are the lifeblood of convenience retailers; our monitoring is real time and ubiquitous.
