The High Stakes of Compliance

Convenience store operators must stop thinking of Payment Card Industry (PCI) compliance as a nuisance to be handled when they have time. It is a serious, costly, complex fact of life—one that can potentially put an operator out of business and one that must be faced head on.

It was in September 2006 that the credit card companies formed the PCI Security Standards Council in the hopes of battling fraud. Today, all merchants who accept payment card transactions must comply with the PCI Data Security Standard or face sizable penalties.

Indeed, the passing grade for PCI is 100%, which means failing even one of the criteria will bring consequences. The standard is considered a floor—a basis for ongoing security measures. Worse, it’s an ever-shifting floor. Since Jan. 1, 2008, all newly manufactured debit card processing terminals must incorporate PIN entry devices that have been certified by PCI-approved laboratories.

By January 2009, newly installed fuel pumps that accept debit cards must feature PCI-compliant encrypted PIN pads. Manufacturers have to begin installing key pads capable of implementing a new Triple Data Encryption Standard (TDES), which requires that data be encoded several times through an encrypted PIN pad. By July 1, 2009, TDES will be required for all debit transactions and by June 30, 2010, all fuel dispensers will need to be able to encrypt PINs according to the TDES. The very next day, pumps that process debit transactions must be upgraded with encrypted PIN pads, and in-store POS terminals have to be certified as PCI-compliant. The devices must also process all debit transactions using TDES. Got all that?

The Bottom Line
“The bottom line is you must be compliant. It’s the law,” said Brian Roth, a payment cards manager with North American Bancard in New York. “If you aren’t compliant, you are leaving yourself open to fines, lawsuits and potentially closure.”
It’s not so much the fines for not being compliant,” admitted Ed Freels, chief information officer for WilcoHess LLC in Winston-Salem, N.C., “as much as it is the banks basically refusing to do business with you. They don’t have to do business with you. In fact, I think that is one of the reasons currently that someone can breach his contract. If we lose our compliance, well, they are not going to let non-compliant credit card data go across their network, and neither is the bank. And if we were to have a breach, the level of fines is something like several hundred thousand dollars per incident. Let’s say you lose a thousand credit card numbers: that’s a company-ending move, potentially.”

WilcoHess operates about 340 convenience stores and travel plazas and more than 50 restaurants in the Mid-Atlantic.
Drew Mize, vice president of product management and marketing for The Pinnacle Corp., said there are several myths about PCI compliance that must be eradicated, especially the idea that, “my technology provider will take care of me.”

“Nothing could be further from the truth,” Mize said. “Your technology provider is an excellent source for initial education and getting pointed in the right direction to find information, but no single technology supplier should be thought of as the magic cure. Any technology provider that really has gone through a formal PCI audit for technology they are selling you should have at least one auditor they can recommend to you; if they can’t do this you should start asking the really hard questions. Remember, it’s you that pays the fines and penalties if a breach occurs, not your technology provider.”

A second myth is that POS compliance means company compliance. Granted, POS is a central component to payment transactions, Mize pointed out, “but there’s a whole slew of other devices that need to be considered. Dispenser card readers, ATMs, pin pads, routers, firewalls, wireless networks, that little handheld you do your store receiving with and the USB port on your back office PC, just to name a few.” Beyond those are “the pieces at the home office, databases, LANs, WANs, the box of credit card numbers that accounting has on their desk for local accounts, physical access to servers, process documentation, logging software, and the list goes on and on and on.”

Retailers of all sizes must be prepared, and some fear that message isn’t sinking in.

“It is probably better now than what it was back when we achieved our first compliance back in January 2006,” said Bruce Snyder, manager of IP retail systems for 395-store Kwik Trip based in La Crosse, Wis. “The whole thing is more well defined, and everybody has an understanding of it. We were feeling our way around in the dark on that first one. Not only us, but our auditor. We were all kind of fumbling around.”

Becoming compliant “is not a lot of pain,” Snyder added. “It is a lot of financial commitment.” That commitment, depending on each company’s size and starting point, “could be easily over $2 million.”

Operators are routinely required to install not only software programs but monitoring programs and utilities, and to provide the compliance reporting and do the ongoing monitoring. Kwik Trip went so far as to reconfigure its building, installing additional walls and an IDentiPASS system to track movement in and out of specific areas of the building.

“It is all a part of the requirement,” Snyder said. “It extends a lot further than most people know. They may think, ‘Oh, an IT project,’ but it is not just an IT project.”

Paul Culver, payment solutions manager for CHS Inc., which manages the Cenex brand, believes a lot of smaller, Level 4 retailers are not yet compliant. “And the biggest reason I would tell you is that they need to get what is now termed certified point-of-sale applications. Their POS devices need to be approved. Visa was doing it and that is now all moving over to the PCI Security Standards Council. There are still manufacturers that have just gained certification in this last year.”

Culver urged c-stores to upgrade to Payment Application Data Security Standards (PADSS) certified point-of-sale devices. “I think that is probably the biggest thing for c-store operators, because once they do that the data is encrypted. There is no longer any electronic data being stored. Many of them will still have their end-of-day journals from the old devices, which they need to secure, store and protect. But the big breaches are all electronic, so if we get them to upgrade the point-of-sale devices we have really eliminated a lot of their risk.”

One of the most important compliance aspects that operators often get wrong: ensure credit card traffic is being passed via private connection. “It should be happening now,” said S.L. Sweet, director of product management for Megapath, a managed IP communications services provider based in Costa Mesa, Calif. “SSL [Secure Socket Layer] is a popular protocol for encrypting traffic, but you also have to make sure that your back-end system cannot be exploited and accessed via the Internet. They also want to make sure they have security services that prevent their point-of-sale system from being compromised via hackers attacking.”

In addition to traffic encryption, operators must have routers locked down so they can’t be accessed, Sweet said, and ensure remote management has encrypted algorithms.

“At this point in time, (operators) really don’t understand what PCI is,” suggested George Odencrantz, vice president of Sinclair Oil Corp. in Salt Lake City, which has 2,600 company- and distributor-operated stations in 21 states. “For example, we deal with distr
ibutors and each distributor in turn has multiple dealers. The industry has been reluctant to try to explain everything to (operators) for fear that we’d end up with the liability as opposed to the ultimate merchant having the liability.”

This, Odencrantz explained, presents “a unique problem because we process cards for all of these merchants. You don’t really see that in other industries. If you go into the fast-food restaurant business, the franchisee is the one who has the banking relationship and not McDonald’s corporate, for instance.”

How to get c-store operators’ attention about the issue is a question with two parts, Odencrantz suggested. “One is getting the information out there, and two, making them understand their stake in game.”

Change the Method
“It’s bigger than a bear; it’s like a Godzilla,” Snyder said, “and the biggest thing is that the standards are constantly changing.” He believes the industry needs to look at the method of presentation.

“We have this silly little mag stripe that is so vulnerable and penetrable and we are building an infrastructure around it to protect the information, and a lot of people are making good money on that,” Snyder said. “With the new rulings on EPPs, if I want to continue to do debit we have to replace all of our dispenser doors and PIN pads at a huge expense to us to remain compliant. What we have to do is put in an encrypted PIN pad at the dispenser if we want to continue to do debit there.”

But the new door and PIN pad will cost $1,500 per dispenser. “Start doing the math on that and now you have to make a decision: can we afford to do this? And what happens if we don’t?” Snyder said. “We need to change that method of presenting ourselves for a credit transaction and make it more secure so that we don’t have to build all of this stuff around it to try to protect a very flawed method.”

css.php