By Pat Pape, Contributing Editor
As 2014 winds down, retailers face new regulations regarding credit and debit cards, potential fraud and security requirements, plus a late 2015 deadline for mandatory new technology.
Retailers on Jan. 1, 2015 will be subject to updated Payment Card Industry (PCI) Data Security Standards. Known as PCI 3.0, the new requirements impact merchants at all levels, but especially the Level 1 retailers who handle the largest number of credit and debit transactions.
Flash Foods of Waycross, Ga. is a Level 1 merchant, and currently, the 170-store chain is conducting a PCI audit with a February deadline. To be compliant, the company must report on 408 individual controls for 2015 compared to the 288 that were required by PCI 2.0 mandates.
“We have more than 100 additional controls to look at now,” said Jenny Bullard, chief information officer of Flash Foods. “They get into more details about how we operate and must segregate our network.”
The PCI updates come on the heels of highly publicized breaches of major retailers, including Target, Home Depot, Kmart and Goodwill. Hackers demonstrated the need for improved network segregation and security after they entered Target’s computer system through the network of an HVAC vendor and uploaded malware that collected more than 40 million credit card numbers. At Goodwill, a third-party payment vendor was blamed for a credit/debit card breach that impacted more than 300 stores nationwide.
The new PCI standards are designed to be more user-friendly, according to Stephen Orfei, former senior vice president of merchant payment technology at MasterCard and the newly appointed general manager of the PCI Security Standards Council.
“They’re focused on helping the merchant community increase their education and security awareness,” Orfei said of PCI 3.0. “For the convenience store audience, it specifically addresses POS devices, and it tells the merchant community to know your business partner. Ensure that your third-party providers are secure and PCI compliant.”
PCI 3.0 stresses consistent monitoring of third-party providers, plus better management of passwords and access to the card-holder environment. Orfei hopes it encourages better communications between merchants and their partners.
“A third-party should say ‘I’m coming in [to your network] on this day, I’ll be in for two hours and I’m working on this,’” Orfei said. “They should get in and get out and close that down. The real message here is to make sure the folks you’re dealing with have proper security practices and are in compliance.”
Retail operations aren’t the only businesses facing more regulations aimed at improved card security. Card issuers have until Oct. 15, 2015 to replace traditional credit and debit cards that have magnetic stripes with cards featuring the EMV technology.
EMV is an acronym for EuroPay, MasterCard and Visa—the merchant group that jointly developed the current standard. Long used in Europe, the EMV card has an encrypted chip inside that creates a new card number after each transaction. However, to be effective, EMV cards must be used with specially designed POS equipment that can read them and then replace the existing card number. An EMV card may be used in a magnetic-stripe reader, but the card number won’t be replaced and the transaction will be no more secure than any other magnetic-stripe transaction.
To demonstrate support for the new technology, President Obama signed an executive order in October directing the government to take a leadership role in promoting the nation’s shift to EMV.
In January, the federal government will start issuing chip cards for all of its programs, including SmartPay, a credit card for government employees, and Direct Express, the debit-card system that distributes benefits, such as Social Security. At the same time, all POS terminals in federal buildings, post offices and at national parks will begin accepting chip-card payments.
Although U.S. merchants are required to accept EMV cards by the October deadline, some industry experts believe only 70% of all U.S. cards issued will be EMV compatible by the end of next year.
As an example, observers point to Canada’s EMV rollout, which began in 2003. A decade later, approximately 85% of Canadian POS systems accept EMV cards, despite the fact that Canada has a more centralized payment system and fewer POS terminals than its U.S. neighbor.
While EMV technology is an improvement over magnetic-stripe cards, making it difficult to create fake credit cards, it can’t protect sensitive data once it is passed into a merchant’s network.
“Big retailers say they’re going to install EMV to make your data safer, but experts know that EMV would not have stopped a Target or Home Depot breach,” said Russell Gibson, manager of marketing technical services for Sinclair Oil in Salt Lake City. “It’s going to solve some problems, but it’s not going to solve them all.”
Gibson would prefer to see end-to-end encryption, which would protect credit card information traveling between two points. The originating party would encrypt the data, which could be translated only by the intended receiver.
“You must take the card number completely out of the equation, with the mag-stripe reader encrypting the card data immediately so there’s nothing to skim,” he said. “If you can’t skim anything, you can’t counterfeit a card.”
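The approach Gibson describes, as an added example that is not part of the original article and not code from any vendor or from the PCI Security Standards Council: a Go sketch in which the card number is encrypted with AES-GCM the instant the reader captures it, so the merchant's POS and store network only ever carry ciphertext and only the processor, which holds the key, can recover the number. The single shared key, the CardReader, Processor and Envelope names, and the binding of each envelope to a terminal ID are assumptions made for the illustration; production point-to-point encryption derives a fresh key per transaction inside the tamper-resistant reader rather than sharing one static key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed example: encrypt card data at the reader so the store network
// carries only ciphertext. The shared 256-bit key is a simplification of real
// P2PE, which derives per-transaction keys inside the reader. CardReader,
// Processor, Envelope, Swipe and Authorize are hypothetical names, not an API.

// Envelope is what leaves the PIN pad: nonce, AES-GCM ciphertext of the PAN
// (with its authentication tag), and the last four digits for the receipt.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
	Last4      string
}

// CardReader holds the key loaded into the device before deployment.
type CardReader struct{ aead cipher.AEAD }

// Processor is the only other party holding the key, so only it can decrypt.
type Processor struct{ aead cipher.AEAD }

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewReaderAndProcessor generates a fresh key and gives a copy to each side.
func NewReaderAndProcessor() (*CardReader, *Processor, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, nil, err
	}
	r, err := newAEAD(key)
	if err != nil {
		return nil, nil, err
	}
	p, err := newAEAD(key)
	if err != nil {
		return nil, nil, err
	}
	return &CardReader{aead: r}, &Processor{aead: p}, nil
}

// Swipe encrypts the PAN the moment it is read. The terminal ID is bound as
// associated data, so an envelope replayed from another terminal fails to open.
func (r *CardReader) Swipe(pan, terminalID string) (Envelope, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return Envelope{}, errors.New("PAN length out of range")
	}
	nonce := make([]byte, r.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := r.aead.Seal(nil, nonce, []byte(pan), []byte(terminalID))
	return Envelope{Nonce: nonce, Ciphertext: ct, Last4: pan[len(pan)-4:]}, nil
}

// PANVisibleInTransit reports whether the clear PAN appears anywhere in the
// bytes a compromised POS or store network could capture.
func PANVisibleInTransit(e Envelope, pan string) bool {
	return bytes.Contains(e.Ciphertext, []byte(pan)) || bytes.Contains(e.Nonce, []byte(pan))
}

// Authorize decrypts at the processor. A flipped bit in transit or a
// mismatched terminal ID makes Open return an error instead of a PAN.
func (p *Processor) Authorize(e Envelope, terminalID string) (string, error) {
	pt, err := p.aead.Open(nil, e.Nonce, e.Ciphertext, []byte(terminalID))
	if err != nil {
		return "", fmt.Errorf("authentication failed: %w", err)
	}
	return string(pt), nil
}

func main() {
	reader, proc, err := NewReaderAndProcessor()
	if err != nil {
		panic(err)
	}
	const pan = "4111111111111111" // constructed test number, not a live card
	env, err := reader.Swipe(pan, "TERM-01")
	if err != nil {
		panic(err)
	}
	fmt.Println("store network sees:", hex.EncodeToString(env.Ciphertext), "last4:", env.Last4)
	fmt.Println("PAN visible in transit:", PANVisibleInTransit(env, pan))
	got, err := proc.Authorize(env, "TERM-01")
	fmt.Println("processor recovers:", got, err)
	_, err = proc.Authorize(env, "TERM-02")
	fmt.Println("replay from another terminal:", err)
}
```

Run stand-alone, it prints the hex the store network would see, confirms the clear number is absent from it, and shows the processor recovering the number; the same envelope replayed under a different terminal ID, or with a single bit changed, fails authentication instead of decrypting. Only the last four digits travel in clear for the receipt, which is all a skimmer placed on the store side of the reader would be left with.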
The PCI Security Council advocates a layered approach to security, and “EMV is a critical layer,” said Orfei. “It will deliver on its promise and button down the point of sale. It will defend against counterfeit and [the misuse of] lost and stolen cards, and it will protect the physical point-of-sale environment. Fraud will migrate to the ‘card-not-present’ environment, [such as online or mobile transactions].”
The introduction of EMV cards requires U.S. merchants to adopt new terminals and software. Those who don’t upgrade to EMV-capable technology by the deadline may be liable for any costs associated with fraud resulting from the misuse of magnetic-stripe cards at their retail operation.
“We’re in the process of rolling out pin pads inside our stores,” said Bullard, whose company is working with Pinnacle Corp., a Dallas-based POS solution provider, to prepare for the debut of EMV. So far, each terminal has cost Flash Foods about $600, which is minimal compared to the expense of updating gas pump technology, which must be in place by the end of 2017.
“Many retailers are in the same boat as we are,” she said. “We have some older pumps that cannot be retrofitted to take EMV cards, and they’ll have to be replaced to make them EMV capable. It will cost us a considerable amount of money. Even if pumps can be retrofitted, it will cost thousands.”
But technology developments never slow down, and many industry insiders are already looking ahead to widespread mobile payments. As EMV updates are being managed at Flash Foods, executives also are discussing the future needs for additional mobile technology at the gas island.
“When we, as an industry, introduce a new method of payment inside the store, consumers are going to want it at the pump too,” Bullard said. “Then, you’re faced with the question of how much to spend at the pump for payment options.”
Complying with PCI standards and staying on top of technology are expensive and ongoing, but Bullard believes the efforts have been positive for convenience retailers.
“As long as we’ve been doing [PCI] compliance, it gets a little more challenging every year,” she said. “Even though there are companies getting breached, I feel that PCI has helped the c-store industry. It’s forced us to be more secure, and that has brought us a long way.”
To learn what EMV equipment is in compliance with the Payment Application Data Security Standards, visit www.pcisecuritystandards.org.