CStore Decisions


Card Networks Still at Risk

By CSD Staff | March 4, 2011

Visa and MasterCard are among the payment providers targeted by “hacktivists,” calling into question the effectiveness of PCI compliance.

By Howard Riell, Associate Editor.

The arrest of WikiLeaks founder Julian Assange in the U.K. in early December got some people angry—and they took revenge.

A day after Assange was arrested and denied bail in London in connection with misconduct accusations in Sweden, MasterCard Inc., Visa Inc., eBay Inc.’s PayPal and the Swedish prosecutor’s office all reported technical difficulties with their Web sites that experts said came from so-called denial of service attacks, in which computers flooded servers to prevent them from displaying a Web page. In other words, they were hacked.

On Dec. 12, Amazon’s European Web sites were brought down and rendered inaccessible for two hours, costing it millions in lost revenue during the height of the holiday shopping season. The finger of blame once again pointed to so-called “hacktivists.”

While the attacks were more annoying than damaging, they left many c-store operators questioning the effectiveness of PCI compliance. After all the time and money they have invested—most estimates place the c-store industry’s tab at around $200 million—are convenience stores still vulnerable like MasterCard, Visa and PayPal? And if so, why bother?

“Read the papers,” said Bob Russo, general manager of the PCI Security Standards Council in Wakefield, Mass. “Stuff is happening every day, and stuff that you don’t hear about. You can’t imagine how much there is out there.”

What many c-store operators need to do is change the way they think of compliance, Russo suggested. “People are thinking of this in a compliance vein, and really what they should be doing is thinking of this more as a security issue.”

Ongoing Maintenance Required

Compliance, Russo explained, “is when the insurance company tells you, ‘Put deadbolt locks on all of your doors,’ and you say, ‘OK, fine.’ You put deadbolt locks on all of your doors, and now you think that your job is finished. However, two or three times a month you walk out your door and forget to lock it. What good is having a deadbolt lock if you don’t lock it? So really this is more about security than it is about compliance. That is the difference.”

Retailers need to think of PCI compliance as a vital process they must follow in order to protect their businesses rather than just a mess of required paperwork.

“To tell you the truth, we’re not just talking about the specter of a fine,” said Russo. “People think that the fine is really the onerous part of all of this, and it’s really not the case. It’s the fact that your customers will think that you are not protecting your data.”

Customers these days are getting smarter, but many don’t yet understand the difference between credit card fraud and identity theft. Many think that if their credit card gets stolen their identities are getting stolen.

“If consumers figure out that it’s happening at their local convenience store because that’s where they use their credit card most of the time, they may not shop there anymore,” Russo warned. “That’s the worst thing, when your customers walk away. So you really need to be thinking about security, not so much compliance.”

Protecting Customers

Paul Culver, payments solutions manager for CHS Payment Solutions in Inver Grove Heights, Minn., said convenience store operators would be wrong to come to the conclusion that PCI compliance is a waste of time and money.

CHS Payment Solutions is a division of CHS, which operates hundreds of convenience stores across the Midwest under the Cenex brand.

“I think the right message is that conceptually, when it comes to the whole PCI issue, bits and pieces of it may very well be more detailed than a lot of the smaller retailers want. But the fundamental behind it—securing consumer credit card data—is the right thing to protect customers. And it is the right thing to do to have the proper training with our employees—especially in the c-store business, where we see in many areas pretty high turnover.”

Culver said that he has seen evidence of this within his own retail group. Cenex trains new employees to treat credit card data as if it were their own card information. Helping make the education process easier is the fact that so many people have themselves had at least some indirect experience with identity theft.

“More and more these days someone will say, ‘Yeah, I know somebody who had a credit card stolen or was a victim of identity theft,’” Culver noted. “So I still think the principles behind PCI are right on because it’s about protecting our consumers and keeping them happy. That’s the fundamental mission to our whole convenience store world.”

When it comes to payment application devices, Cenex has all of its 2,800 sites on a compliant device. “It’s been a journey getting there,” he said. “But I think as folks learn from things we’ve done, things your organization has done, the industries have done, the process moves forward.”

PCI Facts of Life

Bob Russo refers to it as a modern day fact of life. “When was the last time you got on an airplane? Everything has changed,” he said. “It’s all about security these days.”

Here in the U.S. there are breach notification laws. “Any time there’s a breach everybody knows about it. It’s difficult to keep a customer from saying, ‘Maybe the reason I lost the use of my credit card for three or four days while I had to wait for a new one to come was because it got breached at my local convenience store,’” Russo said. “That’s the real, real issue here.”

To that end, the PCI Council has done a lot of good things for c-store merchants. It meets on a regular basis with a number of associations to receive input as to what their members are saying and doing. The council now has a merchant micro site on its newly redesigned Web site, www.pcisecuritystandards.org, where retailers can learn about the things they need to do to protect themselves.

Russo stressed that the areas retailers should be focusing on are not that technical. One example is breaches at point-of-sale (POS) terminals. POS systems are often breached because someone has opened one up and put a skimmer over it or something of that nature.

“Retailers need to get in the habit of taking a picture of a POS system when it’s first installed and keeping it safely in a file,” Russo advised. “Once every couple of months pull the picture out. Does it still look the same? For example, there were three wires coming out of it when you got it. Are there still three wires coming out of it? Those wires were all straight—is one of them curly now? A lot of this is just common sense, but you would be surprised at how many merchants still don’t know what the obligation is to be compliant, and the reason for that is that there is an education issue here.”
