Information Security in Charging Operations — What Operators Must Get Right

April 15, 2026 · Raquun IoT & Software

Running a charging network is no longer just an energy business; it is also a data business. Every charging session moves driver, vehicle, payment, regulatory and device data through the operator's systems. When that chain breaks, through a data breach, payment fraud or a regulatory reporting error, the cost lands on the operator, in both reputation and money.

This article lays out a practical framework for information security in charging operations: which data is at risk, what the attack vectors are, and which principles an operator should put in place.

Which Data Is at Risk?

A charging operation processes several distinct data sets every day:

Driver data. Name, phone, email, address, KVKK consent records, RFID card information, vehicle data. This is the data set that has to be handled with the greatest care under KVKK (Türkiye's Personal Data Protection Law).

Payment data. Credit card details, pre-authorizations, invoice records, refund transactions. Special storage and transmission rules apply under PCI-DSS and bank regulation.

Device data. Telemetry from field charging devices: connector states, energy measurements, error codes, firmware versions. This is the data set most exposed to manipulation, and a falsified energy reading or connector state turns directly into a wrong bill or an unpaid session.

Operator data. Tariffs, revenue reports, customer segments, campaign rules, partner contracts. Critical from a competitive standpoint.

Regulatory data. EPDK notifications, GIB-ESU invoices, IYS consents. Loss or misreporting carries legal consequences.

Each data set has its own security requirements. A single policy is not enough.

Attack Vectors

The threat model for a charging operation has four main entry points:

1. The device side. A field charging device can be attacked physically or over the network. Fake session initiation, free charging and hijacked device control are all realistic scenarios.

2. The payment side. Capturing card details, billing for fake sessions, refund fraud. Direct financial loss.

3. The API and integration side. An operator's outward-facing services (mobile app, OCPP device communication, OCPI roaming, invoice provider integrations) become entry points when they are misconfigured or left without proper authentication.

4. The insider threat. An employee with overly broad permissions, a partner looking where they should not, a stale account that was never closed. A meaningful share of incidents originate inside the organization, not outside it.

A good security architecture accounts for all four at once.

Five Foundational Principles

The practical framework for security in charging operations rests on five principles.

1. Per-operator isolation

In an infrastructure serving multiple operators, the data of each licensed operator must be strictly separated. Under no scenario should one operator's driver be able to see another operator's data. This isn't just a technical measure; it is a commercial trust prerequisite.

2. Role-based access control (RBAC)

Not everyone in an operations team should be able to see everything. SystemAdmin, Operator and Customer roles must be clearly defined, and what each role can access must be managed through configuration rather than scattered through code. "Temporary" permissions should carry an expiry date and be reviewed, so that they do not quietly become permanent.

3. Encryption of data flow

From device to platform, from platform to partner, from platform to bank gateway: every connection must be protected with encryption in transit (TLS with certificate validation, not merely a padlock icon). Sensitive data at rest (card details, personal data) must be encrypted, with the keys managed separately from the data they protect.

4. Audit trail

Every change must be recorded: who, when, on which object, what action. The log must be append-only, so it cannot be quietly edited after the fact. This is critical not just for security investigations, but also for KVKK compliance, dispute resolution and operational debugging. An audit trail is a "must," not a "could."
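Principles 1, 2 and 4 meet at a single place in a platform: the authorization decision. The block below is an added example, not Echargo's code, of one decision point that enforces per-operator isolation before the role matrix is consulted, refuses grants that have passed their expiry, and writes every decision, allowed or denied, to a hash-chained audit log whose verify() catches later edits or deletions. Role names follow the article; object kinds, actions, user IDs and the operator IDs OP-A and OP-B are constructed assumptions.

```python
"""Tenant isolation, RBAC and an append-only audit trail at one decision point.
Added illustration, not Echargo code; everything but the role names is assumed."""
import hashlib, json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

class Role(str, Enum):
    SYSTEM_ADMIN = "SystemAdmin"
    OPERATOR = "Operator"
    CUSTOMER = "Customer"

# Permission matrix as data (role -> object kind -> allowed actions), reviewed and
# changed in configuration rather than scattered through code paths.
PERMISSIONS = {
    Role.SYSTEM_ADMIN: {"driver": {"read", "update", "delete"},
                        "tariff": {"read", "update"}, "session": {"read"}},
    Role.OPERATOR: {"driver": {"read"}, "tariff": {"read", "update"}, "session": {"read"}},
    Role.CUSTOMER: {"session": {"read"}},
}

@dataclass(frozen=True)
class Principal:
    user_id: str
    role: Role
    operator_id: Optional[str]             # None only for SystemAdmin (platform-wide)
    expires_at: Optional[datetime] = None  # a "temporary" grant must carry an expiry

@dataclass(frozen=True)
class Resource:
    kind: str
    object_id: str
    operator_id: str  # every stored object is tagged with its owning operator

class AuditLog:
    """Hash-chained, append-only log: each entry commits to the previous one."""

    def __init__(self) -> None:
        self.entries = []

    @staticmethod
    def _digest(prev_hash: str, body: dict) -> str:
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()

    def record(self, body: dict) -> dict:
        prev_hash = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = dict(body, seq=len(self.entries), prev=prev_hash)
        entry["hash"] = self._digest(prev_hash, entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        # Recompute the chain; any edited, reordered or deleted entry breaks it.
        prev_hash = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev_hash or self._digest(prev_hash, body) != e["hash"]:
                return False
            prev_hash = e["hash"]
        return True

def authorize(p: Principal, action: str, r: Resource, log: AuditLog,
              now: Optional[datetime] = None) -> bool:
    """Allow or deny, and write the decision (either way) to the audit trail."""
    now = now or datetime.now(timezone.utc)
    if p.expires_at is not None and now >= p.expires_at:
        allowed, reason = False, "grant expired"
    elif p.role is not Role.SYSTEM_ADMIN and p.operator_id != r.operator_id:
        # Isolation first: a cross-operator request is refused before the role
        # matrix is consulted, revealing nothing about the other tenant's objects.
        allowed, reason = False, "cross-operator access"
    elif action not in PERMISSIONS[p.role].get(r.kind, set()):
        allowed, reason = False, "role lacks permission"
    else:
        allowed, reason = True, "ok"
    log.record({"at": now.isoformat(), "who": p.user_id, "role": p.role.value,
                "action": action, "object": f"{r.kind}:{r.object_id}",
                "operator": r.operator_id, "allowed": allowed, "reason": reason})
    return allowed

def demo() -> dict:  # constructed scenario: two licensed operators (OP-A, OP-B) on one platform
    log, t0 = AuditLog(), datetime(2026, 4, 15, 9, 0, tzinfo=timezone.utc)
    ops_a = Principal("ayse", Role.OPERATOR, "OP-A")
    ops_b_temp = Principal("mehmet", Role.OPERATOR, "OP-B", expires_at=t0 + timedelta(hours=1))
    customer_a = Principal("drv-1", Role.CUSTOMER, "OP-A")
    driver_a, driver_b = Resource("driver", "d-100", "OP-A"), Resource("driver", "d-200", "OP-B")
    tariff_a, tariff_b = Resource("tariff", "t-1", "OP-A"), Resource("tariff", "t-2", "OP-B")
    results = {
        "a_reads_own_driver": authorize(ops_a, "read", driver_a, log, t0),
        "a_reads_b_driver": authorize(ops_a, "read", driver_b, log, t0),               # isolation
        "customer_updates_tariff": authorize(customer_a, "update", tariff_a, log, t0),  # RBAC
        "b_temp_before_expiry": authorize(ops_b_temp, "update", tariff_b, log, t0),
        "b_temp_after_expiry": authorize(ops_b_temp, "update", tariff_b, log, t0 + timedelta(hours=2)),
        "log_intact": log.verify(),
    }
    log.entries[1]["allowed"] = True  # someone "corrects" the denied cross-operator read afterwards
    results["tamper_detected"] = not log.verify()
    return results
```

Two design choices are worth noting. The isolation check runs before the permission lookup, so a denied cross-operator request gives the same answer whether or not the other tenant's object exists. Denials are logged as well as approvals, because a burst of "cross-operator access" denials from one account is exactly the signal an investigation needs. The hash chain only makes tampering detectable, not impossible; to make it hard, the current chain head should be copied periodically to a write-once store outside the platform's own database.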

5. Incident response plan

When a data breach, device manipulation or API attack is detected, what happens next must be defined ahead of time. Which systems get isolated, which authorities get notified, when and how data subjects are informed under KVKK — that plan needs to be ready on the desk. Drawing up the plan during the incident is the worst-case scenario.

Regulatory Obligations in Türkiye

When you operate as a charging operator in Türkiye, you fall under the KVKK framework. Driver consent, handling of data subject rights (deletion, portability, correction requests), data breach notification obligations: all of these are part of daily operations.

In addition:

  • Under EPDK: accurate and timely reporting of connector, energy and session data.
  • Under GIB-ESU: an auditable digital invoice chain.
  • Under IYS: a queryable record of marketing communication consents.

A common principle underlies all of these: auditability.

Practical Advice for Operators

Four pieces of practical advice we've learned in the field:

1. Question your software provider's security architecture. "How is data isolated?", "Which logs are kept?", "What's your notification flow in a breach?". If the answers aren't crisp, that's a flag.

2. Invest in personnel access hygiene. When a departing employee's account gets closed, whether temporary permissions are actually temporary, whether critical actions require two-person approval — these are the details that turn paper security into real security.

3. Apply data minimization. Don't collect personal data you don't need. Don't keep what you no longer need. Don't share what you don't have to. That is the essence of KVKK.

4. Run regular security drills. "If a data breach happened tomorrow, what would each person do?" — the answer should be experience, not just a document. Even a once-a-year drill makes a major difference.

Echargo's Approach

Echargo built its multi-operator architecture around information security principles. Each licensed operator's data is isolated; role-based access is baked into the core; audit trails are kept for every change; KVKK requirements run as a built-in flow.

For our operators, information security isn't "an extra project"; it is a property of the platform from day one. That said, security is never a finished job: it requires continuous monitoring, updating and testing.

ISO/IEC 27001 — A Certified Framework

The company behind Echargo, Raquun IoT & Software Inc., operates its information security management system in line with the international ISO/IEC 27001 standard. This means the principles described above don't live as marketing copy — they run as an audited and certified management system.

Core processes that run under ISO 27001:

  • Asset inventory and risk assessment — what data lives where, and which controls are applied against which threats, are documented.
  • Access management — granting, revoking and periodic review processes are written.
  • Incident management — what happens during a security incident, who is notified and how records are kept is predefined.
  • Supplier security — partners and integration providers are evaluated with the same discipline.
  • Continuous improvement — internal audits and management reviews keep the system alive.

You can review our detailed information security policy at raquun.com/bilgi-guvenligi-politikasi.

This framework gives operators choosing Echargo a management discipline they can confidently reference in their own audits.


Charging operation = data operation. The operator who protects the data fulfills both the legal obligation and locks in the trust of its drivers. Information security isn't an add-on; it is a core component of operating a charging network.
