When he thinks of PCI compliance, Ed Freels, director of information systems for Honey Farms Inc. recalls an old t-shirt slogan from the 1970s, “It showed the AC130 gun ship from the Vietnam era and it said, ‘You can run, but you’ll just die tired,’ and PCI compliance is no different. The most dangerous merchant out there is the one who has deluded himself into thinking he doesn’t have to do anything.”
Freels, who oversees 35 Honey Farms stores in Massachusetts, said achieving data security isn’t just a checklist, but a process that continues everyday.
By now most retailers are familiar with the term PCI compliance and the rapidly approaching June 30 deadline requiring that all PIN entry devices (PEDs) issued before 2004 be upgraded to PCI-approved PEDs; all in-store POS terminals be certified PCI compliant and equipped to process debit transactions using Triple Data Encryption Security (TDES); and fuel dispensers be overhauled to include TDES with PCI-certified hardware.
While Visa announced it wouldn’t be handing down fines for noncompliance until 2012, it moved to indemnify itself by reporting that any chain guilty of a breach during that time be liable for fines and damages.
Complete PCI DSS compliance goes even further, consisting of a set of 12 standards chains must address regardless of their size. For a store to be deemed compliant it must be audited on each standard. Confounding matters, being PCI compliant and data secure are not mutually exclusive.
“PCI compliance involves protecting credit card data—not anything else, so a lot of the focus has been on securing magnetic strip data at the c-stores, but there is also other data chains should look at to be data secure—and that depends on what information a chain collects and stores,” said Trinette Huber, manager of information security for Sinclair Oil Corp., and a member of the PCATS data security committee.
Taking the First Step
While most c-store chains worked down to the wire to meet one aspect of PCI compliance—the mandate to update their software by June 30—that does not make them compliant, Huber noted. “There is a huge misconception that once store operators do that they’re done. We look at it as a three-leg process. One—upgrade your software. Two—have policies, procedures and training in place. Three—secure your network,” she said.
Sinclair Oil contracted with VendorSafe Technologies to help it cover the array of network requirements necessary for compliance. “You can’t just go out and buy a firewall and think that you’re going to be compliant,” Huber warned. “A lot of people have DSL routers with default firewalls on them and that is not going to work.”
A small chain itself, Honey Farms is tackling PCI compliance head-on. It has been using Pinnacle Palm for more than six years and through updates issued by the company has taken steps to protect cardholder data.
Of its 10 gas locations, seven are integrated with Pinnacle products. Customer transactions are routed through Pinnacle’s POS and credit network before it interfaces with ExxonMobil or BP. “The way the Palm is designed the track data is never stored on the register or in the Pinnacle system, so if we were to be hacked or someone were to gain access to the register there is no prior credit card data there to steal. The software encrypts the transaction using Pinnacle’s credit server and our secure connection, and nowhere in our system is the full track data ever deposited,” Freels said.
Pinnacle uses Coalfire as the PCI assessor. “They come in and certify the product every time they release an update, so we already know it’s been certified by QSA before we put it in the stores,” Freels added. “Some chains buy a product and think they’re PCI compliant, and that’s far from true. PCI compliance is a process and there’s still a ton of stuff that has to be done, but the more we can automate it the easier it is.”
For level four merchants, becoming completely PCI compliant is an even bigger challenge due to the financial burden.
“Most level four merchants cannot afford to become PCI compliant as a whole, but there are a few things they can do to really reduce risk, such as update POS software, make sure employees know how to help and are paying attention, and make sure your network is secure,” Huber said.
Stores that neglect to take these steps for PCI compliance and are breached can find themselves loaded down with fines that drive them out of business.
A forensic audit is mandatory after a suspected breach and can cost a small merchant in a three or four tier environment $10,000–$20,000, and could hit $100,000 or more for larger merchants, First Data Corp. reported. If there is a breach—and yes, even if you are PCI compliant you can still be breached—Visa could fine stores in the $5,000–$25,000 range and MasterCard might fine up to $200,000.
During a session on data security at NACStech in April, Craig Tieken, vice president of merchant product management for First Data warned retailers to focus on security, noting, “If you are secure you are compliant, but if you are compliant you are not necessarily secure.”
He recommended a layered approach to security. Instead of becoming 100% secure in one area, for better security try to reach 80% in operational controls, 80% in physical controls and 80% in human controls such as who can access data.Tieken stressed that both prevention and detection are needed for preventing theft. If it takes 6-7 months to notice a breach, a lot more damage—and subsequent fines—will result than if the problem is caught immediately.
Stores also need to be aware of how much data they’re holding onto and make policies regarding what information they are keeping, why they’re keeping it and for how long—then delete any data that isn’t needed. Chains also can use a processor service that will store the data for them—removing risky information from the c-store environment, while still allowing access for the sake of business intelligence information.
Go the Extra Mile
Further security can involve encryption, which is part of the 12 PCI compliance standards—it protects the cardholder information as it moves from place to place. Tokenization can also protect data when it is stored by substituting a token number for the data, so if the information is stolen it is useless.
Employees can help security by watching for suspicious behavior. “If someone comes in and says, ‘I’m here to replace your PIN pads and they know nothing about it—they need to know whom to call,” Huber said.
The Petroleum Convenience Alliance for Technology Standards (PCATS) recommends getting employees, from clerks to equipment providers, involved in the process, and helping them know what to do by instituting policies and giving them a document that explains data security and their role.
Honey Farms adds PCI compliance information to its quarterly newsletters to employees, as well as through periodic emails, posters and meetings about data security.
“Preach compliance until its part of your corporate culture,” Freels said. “The hardest thing to do in the c-store industry I’ve discovered in 15 years is change the culture. You have to make people believe the threat is real.” CSD