Many retailers are breathing a sigh of relief in regard to PCI, after this summer’s deadline for software compliance was relaxed after a request by the major oil companies, giving scrambling retailers a little more time to comply. But retailers be warned: chains that face a breach could still get hit with huge fines.
“Some operational problems developed as retailers hurried to install the latest software that met the Triple Data Encryption Standard (TDES), at the last minute,” said Trinette Huber, manager of information privacy and security for Sinclair Oil Corp.’s PCI program for the company’s 2,600 dealer-operated sites across 21 states.
The crunch caused glitches such as software and technicians being unavailable because of last-minute demand. While pushing the deadline was necessary, Huber noted it also takes the next step—securing the network—off the table until the current step of upgrading the software is completed.
The new deadline for software appears to vary—as each of the oil majors was required to request a new deadline if needed. “Some of them are announcing different deadlines to their distributors, but generally speaking the new deadline is around the end of the year, although I have seen some oil companies announcing the end of March 2011,” Huber said.
In addition to card readers and networks, there was some confusion about PIN pads, both in-store and at the pump. “Operators thought they would have to do upgrades of the PIN pads, and they don’t. Visa was very clear that we do not need to retrofit it. You only need triple DES going forward. All our locations are single DES Derived Unique Key Per Transaction (DUKPT), and are allowed to be so,” Huber said.
While Visa reportedly does not plan to impose fines on companies that are at least using single DES DUKPT, companies could still find themselves put out of business if they are breached, due to customer boycotts and hefty audit fees. A forensic audit is mandatory after a suspected breach and can cost a small merchant in a three- or four-tier environment $10,000–$20,000, and could hit $100,000 or more for larger merchants, according to First Data Corp.
“It’s a big concern because if you have a breach at one of your chains and if your average consumer on the road sees that, they’re going to think, ‘I’m not going to take my credit card over there where my information could possibly get stolen.’ So that would take business away,” said Scott Matherly, vice president of IT at Rogers Petroleum in Morristown, Tenn. “I’ve also heard that if you don’t become PCI compliant, you take all the responsibility in a breach. At mom-and-pop stores, if they have one customer experience a case of identity theft that comes from their location that could put them out of business very easily.”
The PCI Journey
Phase one for Rogers Petroleum on the PCI journey was getting its 19 company-owned Zoomerz c-stores under compliance. Phase two now involves helping dealers become compliant and phase three will be maintaining compliance moving forward.
“For the most part we were ahead of the curve because we already met step one requirements at our company-owned stores—we had the firewall in place and a wide area network built into our back office system and each store has a VPN tunnel back into the corporate tunnel, so when we did that we put in firewalls and routers in each location and secured it all a while back, so before the rules for PCI compliance came out we were already doing that,” Matherly said.
Rogers Petroleum installed new Gilbarco Passport systems at the beginning of the year. “All the new Passport systems are TDES compliant now, so all credit card data is encrypted and all information transmitted over the public network is encrypted,” said Matherly.
As for the forecourt, Matherly noted he’s waiting to see what is definitely required when it comes to the pumps themselves. He hopes Visa will alleviate some of the requirements for the CRINDs. “We spent quite a bit of money just doing the software aspect and to turn around and say, ‘You need to do the pumps as well and spend quite a bit of money with that too,’ well we’re just not ready to do that right now,” he said.
Matherly would also like the credit card companies to give retailers a hand with meeting the mandates by offering rebates or cents-off processing fees to help offset the increased costs. “We’re basically doing this for their benefit, yet, they’re saying we need TDES because we need secure communications for our customer base,” he said. “They put the burden on the jobbers and the mom-and-pop storeowners who can’t afford it with the understanding that if we don’t they won’t do business with us.”
The dangers of a breach are fresh in the minds of many retailers after reports this summer that thieves attached skimmers to gas pumps at more than 30 service stations of various brands in and around Denver.
“Skimming is a big worry, mainly because we’re seeing more and more of it. Visa is saying protection needs to be put in place, but there is no mandate,” Huber noted.
Retailers can be skimmed even if they update their encrypted PIN pads. If thieves can’t get to the numbers, they’ll make fraudulent cards. Retailers are concerned because they’re not sure what such a breach would cost them, and there is not a lot of discussion about it, Huber noted. Visa does not treat skimming as a breach in the PCI sense, because it is a skimmer problem rather than a PCI matter.
To prevent skimming at the store level, Huber recommends that operators change their locks and make some physical changes, such as better lighting and video cameras, to deter would-be thieves—all in all, an inexpensive fix.
While the first step for PCI—updating software—is still a challenge for many smaller operators, they need to begin the process as soon as possible by getting accurate compliance information.
“There is still a lot of confusion among retailers that as soon as they upgrade their software then they’re PCI compliant, and I’m afraid that gets perpetuated by the people selling them the software,” Huber said. The second step is securing the network. “The more complex your store environment is, and the more you start to add other systems such as IP-based systems, the Internet, etc.—then the more you need to have network security,” she added.
“I think for convenience stores that didn’t have a wide-area network already, it was a lot to tackle at once,” Matherly said. Even though Rogers Petroleum had a head start in installing the software, it was a lot to learn in a short period of time because the mandates kept changing and mixed messages were being passed around.
“One month it was that it was only going to involve the POS system, and then the next thing we knew it was the CRINDs as well. It’s constantly changing,” Matherly said. “We’re constantly updating every CRIND we have, and that’s costly. We have an average of six pumps per store with two CRINDs per pump, so 12 total—and they want anywhere from $800-$1,000 a piece for new hardware.”
Rogers Petroleum “bit the bullet” and paid to do the software upgrade and to secure its network in order to be PCI compliant inside the store. Now it turns its attention to its dealers to ensure they get compliant. “They’re looking at us for answers,” Matherly said.
But for most retailers, now the pressure is off as the deadline for compliance has been eased, leading some retailers to turn their focus away from PCI and prioritize other business matters.
“The pressure has to come back on again before the majority of retailers take action,” Huber noted. “I’m not sure how that will happen. I don’t think it will be another deadline adding new pressure, but it might be a breach or a fine hitting the news and retailers then responding to that and taking action in order to prevent it from happening to them.”