While many retailers are breathing a sigh of relief in regard to PCI compliance, Visa and MasterCard are constantly changing the rules, requiring stores to make costly changes and upgrades.
By John Lofstock, Editor.
When it comes to data security, all retailers need to be prepared for the worst scenario, but that can’t happen if they aren’t aware of PCI requirements and the severe consequences that can result from a data breach.
Recently, the National Retail Federation (NRF) and First Data Corp., a provider of electronic commerce and payment processing, released results from a survey of small- to mid-sized retailers, most with annual sales below $100,000.
An overwhelming majority (86%) said they want to ensure that their customers’ data is secure because credit and debit card security is vital to their business. However, almost two-thirds (64%) of respondents believed that their systems were not vulnerable to hackers, and 60% were not aware that credit card companies can require them to pay a fine for each card that must be canceled if their business is the source of a breach.
With so much at stake, most leaders in the convenience industry are convinced that PCI standards have been good for business, despite the demands and the deadlines they have generated.
For many operators, the emphasis on upgrading technology to support PCI has resulted in systemwide enhancements that go beyond strengthening data security. For example, many chains took the time to install new monitoring solutions to improve data protection, while providing around-the-clock monitoring of all network components, from gas pumps to the point-of-sale (POS) to credit card interfaces.
Time to Upgrade
But upgrades are proving to be a costly and ongoing process. First it was PCI; now retailers have to prepare for the widespread launch of Near Field Communications (NFC), which is expected to become a widely used system for making payments by smartphone in the U.S. While securing transactions isn’t as sexy as splashy outdoor marketing and promotions, its long-term implications for operators must be looked at closely.
Visa plans to accelerate the migration to contact chip and contactless EMV chip technology in the U.S. EMV stands for Europay, MasterCard and VISA, a global standard for interoperation of integrated circuit (IC) cards and IC card capable POS terminals and ATMs for authenticating credit and debit card transactions. The joint effort is aimed at ensuring security and global interoperability so that Visa and MasterCard cards can continue to be accepted everywhere. Upgrading the POS is a major issue with which the convenience store industry has been grappling, especially on the heels of PCI compliance costs.
“NACS welcomes the migration from the current, unsecured payment system, but is anxious to learn what financial incentives will be offered to convenience and fuel retailers to defray the huge cost of upgrading 800,000 dispensers and 300,000 points of sale,” said Gray Taylor, executive director of PCATS. “If Visa is coming to the market with reduced interchange, indemnification on fraudulent use of their products and relief for the retailer’s huge annual expense for PCI compliance, then we think there is a value proposition here. Without any one of these elements, it will be hard to justify the upgrade.”
Still, the landscape is changing very quickly, cautioned Bob Russo, general manager of the PCI Security Standards Council in Wakefield, Mass.
“EMV is coming in and mobile is here, so they need to check out some of the resources that the Council has available. It’s very, very important,” Russo said.
The Council, an open global forum that is responsible for the development, management, education and awareness of the PCI Security Standards, is offering training, from which a great many convenience store operators could benefit.
“This is really important for convenience stores, especially smaller operators,” Russo said. “Nine times out of 10 these are people who don’t really have any technical or security backgrounds. They want to run their stores and they don’t want to be bothered with any of this stuff, so they go out and hire somebody to make these upgrades. But it doesn’t always work out well. We hear the horror stories all the time.”
Updated PIN Standards
EMV is not the only new standard to which retailers must adapt. The PCI Security Standards Council in July published version 4.0 of the PIN Transaction Security (PTS) Point of Interaction (POI) requirements.
These requirements, along with the Hardware Security Module (HSM) requirements, provide standards for device manufacturers to ensure merchants and others have secure devices for accepting and processing payment cards.
Point of interaction devices, such as PIN entry devices, continue to be a primary method for accepting and processing credit payment cards and a target for criminal attack. As part of its ongoing standards development process, the PCI Council makes updates based on industry needs and changing threats, to ensure the strongest technical standards for payment security.
Changes introduced in version 4.0 of the PTS POI requirements focus on increasing the robustness of the devices through enhanced testing procedures and streamlining the evaluation and reporting processes for both device vendors and testing labs.
The PTS POI requirements are updated on a three-year cycle, based on feedback from the PCI community. The development process also allows for minor update releases as needed—in October 2011, for example, the Council issued version 3.1 to support deployment of point-to-point encryption (P2PE) and mobile technologies. The new version builds on these updates to underscore the requirements’ applicability to traditional POI deployments—including Point-of-Sale devices, unattended kiosks, mobile dongles, and many other types of devices.
Key changes affecting convenience store retailers include:
• Restructured open protocols module. This restructured standard helps ensure POI devices do not have communication vulnerabilities that can be remotely exploited to gain access to sensitive data or resources within the device.
• Enhanced interface testing and logical security requirements. Requiring more stringent documentation and assessment of all interfaces of the device will help ensure that no interface can be abused or used as an attack vector.
• Added source code reviews. Additional mandatory source code reviews enhance the robustness of the testing process.
• Introduction of a vendor-provided security policy. Provides guidance that will facilitate implementation of an approved POI device in a manner consistent with the POI requirements, including information on key management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements.
The requirements are available on the PCI SSC Website at www.pcisecuritystandards.org.
“The PTS POI requirements are critical to securing POI devices,” Russo said. “By continually enhancing the robustness of the program’s testing criteria we can ensure that these products are being tested and validated against the highest level of security.”
Vendors now have the option of testing against version 3.1 or version 4.0. Beginning in May 2014, version 3.0 will no longer be available for new evaluations, but it may still be used for delta evaluations.
“With 3.1 we introduced changes that would help facilitate the use of point-to-point encryption technology and open platforms, such as mobile phones, to accept payments,” said Troy Leach, chief technology officer for the PCI Security Standards Council. “Version 4.0 continues to build on this by addressing all interfaces that potentially grant access to data or resources in POI devices, in addition to the critical communications channels, such as RFID, wireless, cellular and Bluetooth.”