From escalating utility costs and credit card fees to labor and looming PCI deadlines, retailers have their hands full with a host of issues that are impacting their businesses.
No issue is as complex and timely as PCI compliance. The stakes in the PCI game are high and, as 2010 approaches, c-store operators need to make certain their equipment and processes conform to standards—or else.
By June 30, 2010, all fuel dispensers must be able to encrypt PINs according to Triple Data Encryption Standard (TDES), a method of increasing the security of data by encrypting it three times with different keys. By the following day, pumps that process debit transactions must be upgraded with encrypted PIN pads, and in-store, point-of-sale (POS) terminals have to be certified as PCI-compliant.
The task for operators is to make sure they are fully in compliance. If not, the consequences could be devastating. To get operations running smoothly, it’s going to take time, commitment and capital.
“The deadlines have been in place for years,” said Mark Lilien, a consultant with Stamford, Conn.-based Retail Technology Group. “The credit card companies are putting increasing amounts of emphasis on them, but the fact is (retailers) need to be compliant now. Regardless of any dates that are on there, the simple fact is that if you suffer a breach of credit card information, you’re not only facing the penalty element, but potential damage to your brand, your store. If you are a small business, it can be significant enough to almost put you out of business.”
Lilien recommended that convenience store retailers work with the PCI Security Standards Council, a group whose role is to provide standards and guidance on how to achieve credit card information security. “Time is of the essence,” he said.
Bruce Snyder, manager of IT retail systems for 395-store Kwik Trip Inc. in La Cross, Wis., pointed out that while credit card companies are not intending to levy fines for fuel dispensers that are not TDES by July 2010, “they did say that if you were to have a credit card breach, then you would be deemed non-PCI compliant because of the lack of the triple DES. Then they would have the option to give you additional fines based on that.”
July 1, 2010 is really the date that they need to be on a compliant device and, if at all possible, on a compliant PIN pad, said Paul Culver, payment solutions manager for CHS Inc., which operates and supplies thousands of c-stores under the Cenex brand.
In the Midwest, Culver noted, operators are not as predominately PIN debit as you would see on the Gulf Coast or elsewhere. “As a result, we see all of our merchants being on PIN pad compliant devices next July,” he said. “In fact, they are feeling pretty good about implementation. About 42% of our POS devices in our network are on compliant devices.”
While it’s not a supplier issue, Culver said in-store partners should be playing a role in getting stores where they need to be to get compliant. For example, Cenex works closely with Gasboy, a manufacturer and marketer of commercial electronic and mechanical petroleum dispensing systems. “They have a certified Payment Application Best Practices (PABP) application, and our merchants are moving forward on that,” he said.
Cenex merchants also expect certification on both Gilbarco’s Passport and VeriFone Ruby POS systems within the next two months.
Kwik Trip has been PCI compliant since 2006. Snyder said the date on which he is focused at the moment is July 2010, which is the deadline for TDES. “The credit card companies are mandating that every encrypted PIN pad device must have tamper awareness by then,” he said. “They must be encrypted at the point of entry, which means that the pin pad itself must be capable of encryption, and that encryption has to be at least TDES.”
The biggest challenge for Kwik Trip is that while its stores already use TDES on their registers, the coming standard extends out to the dispensers. “I think this is a problem that a lot of convenience retailers are going to have with their fuel dispensers,” Snyder said. “If you want to continue to do debit at the dispenser, you have to also have that same encrypted PIN pad at the dispenser.”
The biggest obstacle, and why retailers need to prepare now, is the cash outlay and the time it takes to get the work done. “We have undertaken the replacement of all of our existing keypads with encrypted pin pads on our dispensers,” Snyder said. “It is both a very expensive proposition and very time-consuming. For us, mostly, it is the expense of paying our oil equipment people to go out and take care of the upgrades for us.”
Kwik Trip operates 363 fuel locations, “making it a big job with lots of expense. It is quite time consuming to do this upgrade at the dispensers,” said Snyder, who estimated that it takes roughly an hour per dispenser, during which time the pumps are unavailable.
“We were bound by our processor to get a plan in place, and we have to update them monthly on our progress,” Snyder said.
The chain is now in the process of rolling the encrypted devices out to all stores. “We don’t know what’s coming, but we want to stay on the leading edge and make sure that, going forward, we continue to be secure for our transactions and for our customers. We’re protecting our customers,” Snyder said.
As 2010 approaches operators need to weigh their debit transactions against their credit transactions. “Most cards out there today are dual-purpose cards, which means we can run the credit rails on the debit rails,” Snyder said, so the costs of processing debit and credit transactions are much closer than ever before. “Debit used to be a lot cheaper, and now that gap has narrowed considerably.”
George Odencrantz, vice president of Sinclair Oil in Salt Lake City, predicted that operators are increasingly going to see the processors and the oil companies increase their standards. “The processors are going to say, ‘well, if you are not at this compliant version we are going to cut you off; we are not going to let you process cards through us.’ We are starting to see more and more of that all the time,” he said.
Where operators are not doing as good a job is the environment surrounding the POS equipment. “First of all it’s people: a bigger part of the spec has to do with training and having policies and procedures in place, and those sorts of things,” Odencrantz said. “We are not doing a very good job with those because those are more difficult. We are also not doing a very good job at looking at specific environments.”
For instance, chains may have a distributor with a great POS system that is compliant, “but he’s got it attached to his back office,” Odencrantz said. “If his back office has no firewall, he doesn’t have adequate antivirus protection in place and that is in violation with compliance. We have not done a good job with that either, again because it is more difficult.”
Difficult or not, the time for compliance is now. CSD