As the deadline for PCI DSS 2.0 compliance approaches, chains should make sure they understand the changes— and triple check that they meet the requirements.
By Erin Rigik, Associate Editor.
On Jan. 1, 2012 all convenience store retailers must comply with PCI DSS 2.0 standards. While some chains have been ready for more than a year, others are still struggling to get up to speed.
Allsup’s Convenience Stores, which has 320 c-stores in Texas and New Mexico is ready. It began rolling out Redbox from Reliant Security to all its stores in August, after beginning the planning process back in February.
“We have our own in-house-developed POS system, and it has been in service for a number of years, and therefore it uses some older technology, so complying with some of the PCI regulations was difficult with the legacy software,” said Gary Holmes, chief information officer for Allsup’s. “We found Reliant had a unique way of addressing PCI security—that being their Redbox network appliance. It isolates the cardholder data from exposure and monitors for unauthorized wireless in the area to make sure hackers aren’t trying to break into the data. So between Redbox and secure encryption, customers can be sure their data is well protected.”
PCI compliance is a priority to Allsup’s. “We’re committed to providing great customer service and part of that commitment is ensuring we use all due diligence to provide financial security to our customers and take that responsibility seriously, and that’s why we use a good secure network appliance to protect that data,” Holmes said.
While Redbox is set to take Allsup’s most of the way through PCI requirements, Holmes noted that the chain will also need to follow up with more employee-centric requirements, such as ensuring passwords and user IDs are continuously changed.
Stinker Stores is also gearing up for the Jan. 1 deadline. It rolled out Cybera’s Cybera ONE integrated security service at its 50 retail locations in Idaho earlier this year. Stinker Stores originally created an in-house PCI compliance solution, but eventually switched to Cybera’s fully-managed service due to the lower cost and the ability to take the management burden off of its IT staff.
Cybera provided the Boise, Idaho, chain with a customized design tailored to its application and compliance requirements. The chain’s solution includes: on-site security appliance; managed firewall service; managed intrusion detection services; rogue wireless detection and reporting services; hosted security information and event management with alerting; 12 month remote log storage; online solution management portal; and access to a 24/7 security operations center.
“If any c-store chain isn’t ready for PCI compliance now, they had better hurry. It’s a big project and there are many issues involved in PCI compliance, and if someone is just getting started now they’re going to have a very difficult time getting ready by the first of the year,” said Holmes. “Now that having been said, companies that used packaged software—if they use a POS system that is marketed by a major vendor of POS systems, the vendor has likely solved the software aspects of PCI compliance.”
Standards for PCI compliance are updated every three years. The move from version 1.2.1 to 2.0 was announced last fall, and stores have had an entire year to update their security in time for Jan. 1, 2012.
“You can, in fact, still use the old version 1.2.1 until Dec. 31, as long as the new system is in place by Jan. 1. But our suggestion is to use the new version now,” said Bob Russo, general manager for the PCI Security Standards Council.
PCI DSS is the basic standard for PCI compliance that includes 12 requirements covering six specific goals from physical security to logical security.
“Recognize that the PCI DSS changes from version 1.2.1 to 2.0 are not monumental changes, however they should not be overlooked,” said Susan Matt, CEO of ThoughtKey, a consulting firm specializing in strategic advisory and review services for the payment industry. “The changes are simply clarifications and additional guidance on the existing standards.”
One major clarification had to do with the primary account number (PAN) on a credit card. “If you decide you’re going to store that account number, it must be rendered unreadable—you can encrypt it or use tokenization, but it must first be rendered unreadable,” said Russo.
But questions persisted: “If I store that PAN and I store the customer’s name, do I have to encrypt everything including their name?” The answer is no; only the PAN must be encrypted. “If I store the primary account number and I also store the expiration date, do I have to encrypt both?” Again, no, just encrypt the primary account number.
“Those are the kinds of clarifications we needed to make within version 2.0. Some people think the council itself makes up these standards, but this is done from feedback from all of our constituents—we have almost 700 companies from retailers to associations, banks and vendors—who are all part of the council and who give us feedback on how we need to update these standards,” Russo said.
Logging is another aspect that is updated in the 2.0 version. “We want to make sure that everything that happens is in a log somewhere because, generally, if a breach occurs when the forensics people come in to see what happened, they always find what went wrong in the log,” Russo said. To be compliant by Jan. 1, stores need to ensure they have logging turned on and have one centralized log as opposed to many logs.
Reviewing those logs on a regular basis has helped merchants identify and fix potential breaches immediately. “That can be the difference between millions of credit cards compromised because no one has looked at the log in two months, and only five cards because someone was monitoring the log and took action,” Russo said.
Prioritizing risk is another aspect that has been clarified in the new version. Risks are different for every merchant. Two retailers can have the same vulnerability but have it rate differently in terms of risk.
“It used to be an assessor would come in and say, ‘You have 10 vulnerabilities and they all have to be fixed immediately for you to be compliant.’ But maybe vulnerability No. 9 is very obscure based on my risk profile. I understand it needs to be fixed, but I don’t need to stop everything and fix it—I can determine which vulnerability needs to be immediately fixed and which can wait a week,” Russo said.
That said, organizations can’t arbitrarily classify a vulnerability as high, medium or low risk. “There needs to be a valid and documented methodology supporting the reasons,” Matt said. “I encourage organizations to work with their QSA on the best approach and/or research the methodologies if you self-assess.”
Standards on scoping are also updated in the new version. Stores must scope the network to determine where they are vulnerable and where they are processing card data. “If you’re not processing credit card data in this part of your network, you really don’t need to do that much with that part of your network,” Russo said. “So before starting down the path of becoming compliant you really need to scope out your network to make sure you’re not doing more work than you need to be doing.”
Matt advises retailers to read through the PCI DSS & PA DSS version 2.0 Summary of Changes Memo published by the PCI Security Standards Council and to engage a QSA to discuss the changes and the potential impact on their chain.
“I also recommend to all of my clients a review of the PCI DSS standards and the subcomponents annually. You would be amazed at how much you can continuously learn each time you read the document,” Matt said.
Matt also recommends double checking that all requirements have been implemented and then having that validated in writing with any companies you are trusting to support or host the payment environment.
Ready or Not
As she continues to support merchants through litigation following a data breach, Matt it is still surprised at how much of a gap still exists on PCI DSS across organizations of all sizes.
For larger organizations with a full-time IT staff, the transition from version 1.2.1 and 2.0 should be uneventful. “But for smaller organizations or those with fewer IT resources, the risk assessment requirements, scope reduction proof and virtual server reviews may prove more resource intensive so start ASAP,” Matt said. “I cannot emphasize enough the importance of taking PCI DSS seriously. Taking the smallest steps forward in achieving PCI DSS compliance can provide a significant amount of protection from a breach and the associated litigation liability.”
“The last thing you want is a breach,” agreed Russo. “Not because there are fines—that is the least of your worries. If it gets publicized that you’ve been breached, it can cause such damage to your reputation and the absolute worst thing that can happen is that your customers lose confidence in you.”
Dealing with Skimming
Skimming, where a thief places a device over the ATM or gas pump credit card slot in order to steal card data, continues to worry retailers.
Gas pump skimming in particular has been a favorite topic of news organizations in the midst of growing gas prices, but John Buzzard, client relations manager for the Fair Isaac Corp. (FICO), said incidents of gas pump skimming in 2011 so far are lower than last year. “We might finish up 2011 with a tame year for gas pump skimming and then experience a huge increase next year—no one can predict where the trends will fall. The best idea I have for convenience stores is to follow the two C’s: compliance and common sense,” he said.
Buzzard offers the following tips to prevent skimming at convenience stores:
• Install surveillance cameras with DVR storage capacity at all gas pumps, cash wraps and ATM locations. Cameras should be positioned to record actions and not payment card or PIN information, and footage should be held for a year.
• Some retailers are adding “seals” and asking consumers to report any broken seals that might indicate tampering.
• Reset and change system passwords on all POS software.
• Multi-location retailers should have district management randomly inspect gas pumps and POS devices for security. “This is not a job for store personnel to perform alone for a variety of reasons,” Buzzard noted.
• If a POS device has no connectivity, the incident should be immediately recorded.
• If you suspect POS or gas pump skimming, contact the closest U.S. Secret Service field office. “Every case is handled discreetly with the emphasis placed correctly on stopping the criminal in their tracks,” Buzzard noted.
• Retailers should invest in PCI-compliant POS devices, and should be truncating payment card numbers on receipts.