CStore Decisions


Processing PCI Confusion

By Erin Del Conte | September 30, 2010

Many retailers are breathing a sigh of relief over PCI: this summer's deadline for software compliance was relaxed at the request of the major oil companies, giving scrambling retailers a little more time to comply. But retailers be warned: a chain that suffers a breach can still be hit with huge fines.

“Some operational problems developed as retailers hurried, at the last minute, to install the latest software that met the Triple Data Encryption Standard (TDES),” said Trinette Huber, manager of information privacy and security for Sinclair Oil Corp.’s PCI program, which covers the company’s 2,600 dealer-operated sites across 21 states.

The crunch produced its own glitches: software and technicians were simply not available because of last-minute demand. While pushing back the deadline was necessary, Huber noted that it also takes the next step, securing the network, off the table until the current step of upgrading the software is completed.

The new software deadline varies, because each of the oil majors had to request its own extension if it needed one. “Some of them are announcing different deadlines to their distributors, but generally speaking the new deadline is around the end of the year, although I have seen some oil companies announcing the end of March 2011,” Huber said.

Beyond card readers and networks, there was also confusion about PIN pads, both in-store and at the pump. “Operators thought they would have to do upgrades of the PIN pads, and they don’t. Visa was very clear that we do not need to retrofit it. You only need triple DES going forward. All our locations are single-DES Derived Unique Key Per Transaction (DUKPT), and are allowed to be so,” Huber said.

While Visa reportedly does not plan to fine companies that are at least using single-DES DUKPT, a breached company could still be put out of business by customer boycotts and hefty audit fees. A forensic audit is mandatory after a suspected breach; it can cost a small merchant (PCI Level 3 or Level 4) $10,000–$20,000, and $100,000 or more for larger merchants, according to First Data Corp.

“It’s a big concern because if you have a breach at one of your chains and if your average consumer on the road sees that, they’re going to think, ‘I’m not going to take my credit card over there where my information could possibly get stolen.’ So that would take business away,” said Scott Matherly, vice president of IT at Rogers Petroleum in Morristown, Tenn. “I’ve also heard that if you don’t become PCI compliant, you take all the responsibility in a breach. At mom-and-pop stores, if they have one customer experience a case of identity theft that comes from their location that could put them out of business very easily.”

The PCI Journey
Phase one of the PCI journey for Rogers Petroleum was bringing its 19 company-owned Zoomerz c-stores into compliance. Phase two, now under way, is helping its dealers become compliant, and phase three will be maintaining compliance going forward.

“For the most part we were ahead of the curve because we already met step one requirements at our company-owned stores—we had the firewall in place and a wide area network built into our back office system and each store has a VPN tunnel back into the corporate tunnel, so when we did that we put in firewalls and routers in each location and secured it all a while back, so before the rules for PCI compliance came out we were already doing that,” Matherly said.

Rogers Petroleum installed new Gilbarco Passport systems at the beginning of the year. “All the new Passport systems are TDES compliant now, so all credit card data is encrypted and all information transmitted over the public network is encrypted,” said Matherly.

As for the forecourt, Matherly is waiting to see what is actually required for the pumps themselves, and he hopes Visa will relax some of the requirements for the CRINDs (card readers in dispensers). “We spent quite a bit of money just doing the software aspect and to turn around and say, ‘You need to do the pumps as well and spend quite a bit of money with that too,’ well we’re just not ready to do that right now,” he said.

Matherly would also like the credit card companies to give retailers a hand with meeting the mandates by offering rebates or cents-off processing fees to help offset the increased costs. “We’re basically doing this for their benefit, yet, they’re saying we need TDES because we need secure communications for our customer base,” he said. “They put the burden on the jobbers and the mom-and-pop storeowners who can’t afford it with the understanding that if we don’t they won’t do business with us.”

Skimming Concerns
The dangers of a breach are fresh in the minds of many retailers after reports this summer that thieves attached skimmers to gas pumps at more than 30 service stations of various brands in and around Denver.

“Skimming is a big worry, mainly because we’re seeing more and more of it. Visa is saying protection needs to be put in place, but there is no mandate,” Huber noted.

Retailers can be skimmed even after they upgrade to encrypting PIN pads: a skimmer reads the card’s magnetic stripe before the data ever reaches the pad, so thieves capture the card numbers directly and use them to produce counterfeit cards. Retailers are concerned because they are not sure what such an incident would cost them, and there is little discussion of it, Huber noted. Visa does not treat skimming as a PCI breach; it regards it as a physical tampering problem rather than a PCI one.

To prevent skimming at the store level, Huber recommends that operators change their locks and make physical changes such as better lighting and video cameras to deter would-be thieves, all of which are inexpensive fixes.

Overcoming Confusion
While the first step for PCI, updating the software, is still a challenge for many smaller operators, they need to begin the process as soon as possible, and that starts with getting accurate compliance information.

“There is still a lot of confusion among retailers that as soon as they upgrade their software then they’re PCI compliant, and I’m afraid that gets perpetuated by the people selling them the software,” Huber said. The second step is securing the network. “The more complex your store environment is, and the more you start to add other systems such as IP-based systems, the Internet, etc.,—then the more you need to have network security,” she added.

“I think for convenience stores that didn’t have a wide-area network already, it was a lot to tackle at once,” Matherly said. Even with its head start on the software, Rogers Petroleum had a lot to learn in a short period, because the mandates kept changing and mixed messages were circulating.

“One month it was that it was only going to involve the POS system, and then the next thing we knew it was the CRINDs as well. It’s constantly changing,” Matherly said. “We’re constantly updating every CRIND we have, and that’s costly. We have an average of six pumps per store with two CRINDs per pump, so 12 total—and they want anywhere from $800-$1,000 a piece for new hardware.”

Rogers Petroleum “bit the bullet” and paid for the software upgrade and the network security work needed to be PCI compliant inside the store. Now it is turning its attention to its dealers to make sure they get compliant as well. “They’re looking at us for answers,” Matherly said.

But for most retailers the pressure is now off, since the compliance deadline has been eased, and some have turned their focus away from PCI to other business matters.

“The pressure has to come back on again before the majority of retailers take action,” Huber noted. “I’m not sure how that will happen. I don’t think it will be another deadline adding new pressure, but it might be a breach or a fine hitting the news and retailers then responding to that and taking action in order to prevent it from happening to them.”

Copyright © 2022 WTWH Media LLC. All Rights Reserved. The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of WTWH Media