PCI compliance deadlines continue to barrel toward the convenience store industry, yet many operators are still not up to speed on precisely what they need to do, or how to do it.
The Payment Card Data Security Standard (PCI DSS), developed by the PCI Security Standards Council and endorsed by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., requires merchants and service providers that store, process or transmit customer payment card data to adhere to information security controls and processes that ensure data integrity.
The standard requires a lot of the underlying point-of-sale systems to be significantly upgraded or replaced starting last year. That means c-store operators need to find out whether their POS system supplier’s application has been developed to meet the new standard, and whether they have completed their validation testing. If not, they must upgrade their software and, potentially, hardware or have banks refuse to handle their credit card transactions.
Some operators, as expected, are forging ahead with compliance. Sheetz Inc., for instance, recently said it is upgrading 2,000 fuel dispensers at 270 locations with encrypting PIN pads that are PCI compliant and provide Triple Data Encryption Standard (TDES) encryption of the PINs entered by consumers during debit card transactions at the pumps. Another operator, Walters-Dimmick Petroleum Inc. of Marshall, Minn., is installing the same units at its 75 Shell-branded locations across southwestern Michigan, northern Indiana and northern Ohio.
Others, however, are not as current. For them, the PCI Compliance Security Standards Council recently released its prioritized approach framework, a tool that identifies the highest-risk data security targets to reduce risk to card-holder data as early as possible in their compliance journey. It groups the requirements of PCI DSS 1.2 into six key milestones for merchants to consider in their card data security strategy.
The tool was developed based on input from the PCI SSC Board of Advisors and insights from real world results of data compromises shared by the assessment community. In addition to helping businesses identify highest risk targets, it creates a common language around PCI DSS implementation efforts and enables merchants to demonstrate progress on compliance processes to key stakeholders—banks, acquirers, Qualified Security Assessors (QSA’s) and others. Operators can find and download it at www.pcisecuritystandards.org.
A Call to Action
“It’s hard for me today to believe there are folks out there who don’t know (what PCI compliance requires), but the reality is, there are,” says Paul Culver, manager of payment solutions for CHS Inc.’s payment solutions department. CHS, North America’s largest cooperative refiner and a wholesaler and reseller of refined fuels, markets energy products primarily under the Cenex brand and operates a network of approximately 1,600 Cenex convenience stores. “That’s the effort we’ve gone through with our brand, and I think it’s true with a lot of the other branded folks in the petroleum world. I really think the petroleum folks are farther ahead than some of the other industries, yet we talk to somebody every day who says, ‘Oh, when did this happen?’”
At that point, Culver said, “I think everybody just panics and realizes just how big this thing is, and it really is. But, if I had to boil it down, there are some simple things they should start by doing. Fill out your annual questionnaire. It drives you to ask a lot of questions and get answers. Make sure you’re on an approved, current version of point of sale. Make sure you secure any hard documents and have procedures around securing them. Don’t store your credit card data electronically. Have an information security policy. Train your people.”
As Culver and his team talk to their people, they hit on all those key points. “It’s a huge elephant, but let’s make it a little smaller elephant,” he said. “Let’s take it one piece at a time. Let’s not panic. And, so far, I think we’ve had good results.”
That said, Culver will be more comfortable when all of the point-of-sale devices have achieved certification. “Our concern—and the rest of the world’s—‘Is that going to happen soon enough to be able to get enough technicians to get these things upgraded or installed by July 1, 2010?’ I think they’re going to have a hard time hitting the date,” he said.
Cenex management advises operators not to count on elasticity of deadlines. “Get yourself prepared because, like anything, else if you wait till the last minute, pressure and cost will be higher,” Culver said.
George Odencrantz, vice president of Sinclair Oil Corp. in Salt Lake City, Utah, said he is finding a lot of operators having hard time with PCI compliance. “Most of them have focused on what are called the wider network issues; in other words, they’re trying to get their branded outlets to have PABP (Payment Application Best Practices) or PADSS (Payment Application Data Security Standard) systems, and they’re trying to make sure that the way they connect to the credit card networks is tied down. Of course, that represents a very large portion of the risk.”
Operators with equipment still storing Track 2 data, or who are connecting through “some unacceptable method” are courting a high risk, said Odencrantz, who is working with Fiscal Systems to achieve compliance. “Most of the majors have said, ‘We’re going to try and handle that risk first, because this is the one that’s easiest for us to do and probably is a great deal for the risk on a broad scale.’”
Beware of Sales Pitches
According to one operator who asked not to be identified there is “a lot of misinformation out there” concerning PCI compliance, something which has been confirmed by major tech suppliers in the convenience store industry. “There is misinformation in some cases—and it’s not deliberate—from salespeople trying to cause alarm on the operator side, concerning debit at the pumps, for example, and the deadline that’s approaching on that.”
Many operators are being given what he called “a sales pitch” in order to sell EPPs—encrypting PIN pads, which are high-security keyboards for outdoor use in items such as automatic teller machines, self-service petrol filling stations, vending machines or any other instance where safe and tamper-proof PIN-code verification is required.
“There is a lot of paranoia being developed without a full understanding of what the options are,” the operator said. “They’re being told they need the EPPs in order to take debits. They do, but only if they want to take PIN-based debit at the pump. Another option is to take a credit transaction at the pump and just pay a slightly different rate. I think, in some cases, the salesmen themselves don’t understand that, because all they’re doing is selling hardware. They don’t understand the entire package.”
Convenience store operators should start by turning to their card-services provider, but not rely totally on them. NACS is another good source, in particular, and other trade organizations can also be extremely helpful in discerning that vast amount of technical date involved.
Fellow c-store operators around the country grappling with understanding all that is involved in compliance “just need to open their eyes and pay attention to what the industry people are trying to alert them to,” Odencrantz said.
With so much information to absorb, a plethora of information is available on the Internet to help c-store operators answer some of the tough questions. Web sites with valuable information on PCI compliance include:
•PCI Knowledge Base www.knowpci.com
•PCI Self Assessment Questionnaire pcisecuritystandards.org
•Visa Risk Management usa.visa.com/merchants/risk_management/cisp.html
•American Express, Merchants americanexpress.com/merchant
Another good site to check is www.pcicomplianceguide.org. There, operators can find answers to questions on many c-store operators’ lips, such as: “Is PCI compliance a law? The short answer is no. The long answer is that while it is not currently a federal law, there are state laws already in effect (and some that may go into effect) to force components of the PCI Data Security Standard (PCI DSS) into law. In addition, there is a big push by legislatures and industry trade associations to enact a federal law around data security and breach notification.”
“Personally, I think the first place to start is getting out on the PCI Security Standards Council Web site,” Culver said. “I think there is just a wealth of knowledge out there. But most importantly, if they haven’t already—and we’re aware there are some who haven’t—they need to walk through the questionnaire on the Web site. That really drives them into the information they need to start understanding about PCI.”
For more information on PCI Compliance, visit CSD’s Whitepapers.