The SWAT Team
During its brief tenure, the PCATS Data Security Standards committee has proven extraordinarily active, holding biweekly conference call meetings that are regularly attended by as many as 50 members. As PCATS Executive Director Gray Taylor pointed out, “These aren’t single-site operators. These are people who are in charge of security for major oil companies, and from all the major point of sale providers.”
The robust group of folks is led by Ann Seki, PCI program manager in Chevron’s marketing organization.
The strategy has been to break down a highly complex program into parts and attack them separately. As Taylor described it, “We’re really breaking it up into chunks. Instead of addressing it as, ‘How do we get this industry to a higher level of data security?’ the approach has involved viewing it as 20 or 30 different projects.”
For instance, the committee had Roger Tripp from Cenex lead an effort to put together a recommended training program schematic, Taylor said. “Then we had the guys from Dresser Wayne and Gilbarco work with Trinette Huber of Sinclair Oil to come up with a real down and dirty, simple ‘here’s how you lock down your dispensers’ method.”
Taylor predicted the industry will see more and more of that kind of approach. “Trinette is now leading a second group on network segmentation,” he said. “It sounds as dry as toast, but what it really is about is how do you isolate your card-handling environment from the rest of your store, yet still allow your store to function?”
Comparisons to the military are not unreasonable, Taylor conceded. “As we see little conflicts popping up, we’ve proven in the past we can put a SWAT team together and have a best practice out of it in six weeks that we release to the rest of the industry.”
The Petroleum Convenience Alliance for Technology Standards (PCATS) Data Security Standards Committee, launched in September, is working hard—and smart—to assist an industry notoriously slow to adopt new technologies.
The committee’s mission is to provide the convenience store and petroleum industry with a technical focal point on data security and data security standards and mandates; to stay abreast of PCI data security standard initiatives and provide clear guidance on best practices and deadlines; to determine the impact of data security standards on all existing PCATS standards; and to identify and implement promising data security technologies brought forward by committee members that further meaningful data security in our industry.
The committee is also working to ascertain the industry’s key data security drivers, establish short-term committee goals and lay out a plan to meet their objectives to help position members in the forefront of data security-related issues. Also on the agenda: establishing data security standards best practices that leverage and secure the significant IT investments made by the c-store industry; and minimizing industry investment and uncertainty around security mandates by taking an active role in creating retail data security standards.
PCATS, founded in September 2003 to continue the development and maintenance of standards work initiated under the NACS Technology Standards Project, is tasked with developing, maintaining and assisting members in the implementation of a variety of technology standards.
“Card companies and PCI have issued far reaching security mandates to retailers, intended to help secure consumer card and transaction data,” said PCATS Electronic Business-to-Business committee chair Alvin Fortson, director of network systems development for The Pantry Inc. “Our industry’s cost of complying with these mandates will exceed $3 billion, not including fines for non-compliance. As retailers, we share the goal of providing customers a safe and secure card payment infrastructure. This committee will further this goal by providing concise, cost-effective solutions needed for retailers of all sizes to reduce and eliminate security risks.”
The first thing that the committee will achieve, according to Gray Taylor, NACS’ card payments consultant and the executive director of PCATS, is clarity. “The problem you have is that behind the scenes of data security you’ve got a bunch of lawyers running things. So Visa is very careful about what they come out with, PCI is very careful about what they say, and so forth.”
What Taylor refers to as the main reason PCATS was formed was that “none of us knew what the hell we were talking about,” he said. “By getting everybody in a room and poring over the latest press release we actually can bring some clarity to this thing.”
Until last year, Taylor recalled, keeping up with changes largely meant keeping track of deadlines for compliance. Going forward, the thrust will be on being sensitive to nuances. Still, staying on top of the latest standards is vital. “You need to keep up with the frequently asked questions because that is where you are going to get some explanation about what they mean by the standard,” he said.
Hence, an integral part of the committee’s function will simply be to provide real-time, qualified industry experts who are always looking at the latest information and asking, “What does it mean?”
“The second thing is advocacy,” said Taylor. “We have submitted some changes to PCI that would allow the majority of our retailers who have to fill out this SAQD (Self-Assessment Questionnaire D) to instead fill out the SAQC, which means basically a six-fold reduction of the questions they have to answer.”
Taylor called the SAQD “ridiculous” for its complexity. “I’m a pretty technically savvy guy, and I can’t go through it and answer all those questions on my home network,” he said. “Unfortunately, they’re pretty much requiring your single- and two-site operator to go through this questionnaire and fill it out. It was ridiculous. I’ve been pointing that out now for the last 18 months.”
Standardization and Direction
The committee keeps everybody communicating the same way, said Dale Williams, director of operations and information technology for Walters-Dimmick Petroleum Inc. in Marshall, Mich., who conceded there is a wide swing of best practices at present.
“If you’re doing EDI-type data transmissions and everybody sends in different formats, there can be confusion. You don’t want to have ways of reading different data,” Williams said. “But if everything is standardized then you could have a program able to do the processing and communicating between your vendors and yourself.”
Indeed, the situation may be even more challenging, Williams suggested. “I’m not sure a lot of companies even have best practices yet. I think a lot of people are still trying to feel their way through PCI security, and they’re looking toward the leaders in the industry to give direction.”
Direction has been forthcoming from several sources, Williams confirmed. “We’re a Shell jobber, so we get some direction from Shell on how to deal with PCI stuff. We have all Gilbarco equipment, so we got a lot of information from Gilbarco. But there may be some processors that are a little bit behind the times on dealing with PCI. Some people don’t even understand what it is. Even within our Shell network there are some Shell jobbers out there who are still saying, ‘What is PCI?’”
Walters-Dimmick, with 82 company sites, has found the major challenge presented by PCI compliance to be the cost of upgrading equipment, Williams revealed. “It has been very expensive. We have had to spend over $2 million.”
Additional guidance, Williams added, will be welcome. “We’ve been dealing with PCI for three years. I know there are a lot of companies that are way behind and don’t necessarily have the technical backbone to address it,” he said. “Some of the smaller guys need that guidance and that direction.”
For the remainder of this year and the first part of 2011, Taylor said the committee is going to be spending a lot more time defining just what is in the new Data Security Standard, which was released in September. The committee has not yet done what he called a “complete forensics” on it, because a comprehensive look at it won’t be possible until early November.
“The Data Security Standard can be published, but until you see the self-assessment questionnaires and the frequently asked questions you really don’t know in which direction they’re heading,” Taylor said.