Point-of-sale attacks at merchant locations have highlighted weaknesses in how POS systems are integrated. Most of these attacks can be traced back to remote-access portals that were inadequately secured.
By Howard Riell, Associate Editor.
More than a few c-store operators grow anxious at the mention of anything to do with PCI compliance, and who can blame them?
No longer considered a small security issue that can be swept under the rug, PCI compliance has everyone trying to figure out how they’re going to maneuver through the back-office complexities, and how they’re going to pay for it all.
Bruce Snyder, manager of information technology retail systems for Kwik Trip Inc. in La Crosse, Wis., recommended that convenience store operators get busy with the most recent change in PCI 2.0. “Compliance standards now mandate that by April 2014 we transition off of Windows XP. That means we’ll have to be running Windows 7 or Windows 8, or some other POS-embedded/open-source operating system.”
The task is no small one.
“Switching an operating system poses another unique set of challenges for convenience store operators because the software applications that we run on these systems have to be compatible with the new operating system,” Snyder said. “In many cases today that is not the case. A lot of providers have yet to do any due diligence in this area.”
Kwik Trip, which operates 433 stores, is fortunate that its POS provider is prepared for the changeover. But even the logistics of installing a new operating system behind a chain’s POS platform, along with all the business applications used to run the stores, and then making sure it all works together, is a challenging process.
The process isn’t cheap either. Many retailers have been buying Windows 7 licenses for some time for their PCs or even their cash registers, or in some cases the registers already run a POS-embedded system. Either situation naturally costs less.
“But if you haven’t been doing that and you have to buy all new Windows 7 licenses for all your systems it could be extremely expensive,” Snyder said.
There are, according to Snyder, a number of POS products and software providers in the marketplace. While he is not prepared to speak to the readiness of operators across the industry, he does believe that many have been anticipating these changes, and for a basic reason. “It’s simply because XP has got to go away at some point. But never before has it been mandated that we actually switch to a different operating system,” he said. “It is a relatively new issue for everyone to digest out there because it just came along with the new PCI version 2.0, so I don’t know how many people are really there yet.”
Snyder suggested that there might be a tendency for convenience retailers to adopt a wait-and-see stance, which just might be a wise course. “My belief is that the PCI Council puts this out there and then waits to see what kind of blowback they get from the retail organizations,” he said. “Depending on what they get back in terms of complaints, they may adjust those dates to something that people feel would be more realistic.”
There aren’t all that many c-store operators who maintain large IT staffs. “For them to go and do this kind of thing might mean they have to enlist outside help and, of course, there is a pretty good expense that goes with that as well,” Snyder said. While he has yet to put a pencil to his own company’s costs, he still has a sense of the project’s scope. “Certainly, this is a huge effort even for a company with our resources.”
Kwik Trip is starting to ramp up its investment by testing new systems, reloading all of its software applications and generally rebuilding a new platform. Then it has to ensure all of the systems can communicate effectively with one another.
Snyder’s advice to colleagues? “Start planning and get it done. Start pushing your software providers to make sure that they are ready to go, so that you have enough time to complete the deployment within the PCI guidelines,” he said. “Potentially, this is as difficult—from an effort perspective—as anything we’ve done with PCI.”
Time to Upgrade
The landscape is changing very quickly, cautioned Bob Russo, general manager of the PCI Security Standards Council in Wakefield, Mass.
“EMV is coming in and mobile is here, so they need to check out some of the resources that the Council has available. It’s very, very important,” Russo said.
EMV, named for Europay, MasterCard and Visa, is the global standard for interoperation between integrated-circuit (chip) cards and chip-capable POS terminals and ATMs, used to authenticate credit and debit card transactions.
The Council, an open global forum that is responsible for the development, management, education and awareness of the PCI Security Standards, is offering training, from which a great many convenience store operators could benefit.
“This is really important for convenience stores, especially smaller operators,” Russo said. “Nine times out of 10 these are people who don’t really have any technical or security backgrounds. They want to run their stores and they don’t want to be bothered with any of this stuff, so they go out and hire somebody to make these upgrades. But it doesn’t always work out well. We hear the horror stories all the time: ‘My brother-in-law set up a Website once, and he’s setting up my PCI compliance and POS devices.’”
The PCI Security Standards Council recently released a pair of new training courses, one of which is called Qualified Integrators and Resellers, that could be of great interest to c-store operators.
“These are generally the people who c-store owners are calling on to install payment applications, POS devices and other things of that nature,” Russo explained. “They’re going to have to depend on these companies to install them—and install them correctly.”
Such installations don’t always go well, and the resulting damage could be devastating.
“A lot of times these guys will come in and, for convenience, they will open up a remote access window so that they can get in and make updates to the system,” Russo said. “But when you open up a remote access avenue, people can get in and that presents a serious compliance problem.”
Another mistake operators sometimes make is leaving in place the default password that came with an application, rather than creating a new one.
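The remote-access window Russo describes is easy to spot from the register itself: a remote-control service listening on every interface, or an active session from an address that is not the chain’s management network. The following audit script is an added example, not code from the article or from the PCI Council. It parses a constructed Windows `netstat -ano` listing; the port-to-service table, the assumed management network 10.20.0.0/16 and the sample output are all assumptions for illustration, and a service an integrator moved to a non-default port would need to be added to the table.

```python
"""Flag remote-access services on a POS host that are reachable beyond the
management network. Added example; the netstat text below is constructed."""
import ipaddress
import re

# Default listening ports of common remote-access tools (assumption: defaults
# only; an integrator may have moved a service to another port).
REMOTE_ACCESS_PORTS = {
    22: "SSH",
    23: "Telnet",
    3389: "RDP",
    5631: "pcAnywhere",
    5800: "VNC (HTTP)",
    5900: "VNC",
    5938: "TeamViewer",
}

# Assumed store management VLAN; only peers from here should reach the register.
MANAGEMENT_NET = ipaddress.ip_network("10.20.0.0/16")

# Constructed `netstat -ano` output from a Windows register: RDP and VNC bound
# to all interfaces, pcAnywhere bound to loopback, SSH bound to the management
# interface, and a live VNC session from a public address.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       2316
  TCP    127.0.0.1:5631         0.0.0.0:0              LISTENING       2640
  TCP    10.20.4.17:22          0.0.0.0:0              LISTENING       3008
  TCP    10.20.4.17:5900        203.0.113.9:51234      ESTABLISHED     2316
"""

# One TCP row: local addr:port, foreign addr:port, state, PID. IPv6 addresses
# appear as [::]:3389; the greedy \S+ backtracks to the last colon.
ROW_RE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+):(?P<lport>\d+)\s+(?P<remote>\S+):(?P<rport>\d+)"
    r"\s+(?P<state>[A-Z_]+)\s+(?P<pid>\d+)\s*$"
)


def _addr(text):
    """Convert a netstat address ('0.0.0.0', '[::]', '10.20.4.17') to an ip_address."""
    return ipaddress.ip_address(text.strip("[]"))


def _reachable_from_outside(bind_addr):
    """True if a listener bound to bind_addr can be reached by anything other
    than this host or the management network."""
    if bind_addr.is_loopback:
        return False
    if bind_addr.is_unspecified:  # 0.0.0.0 or :: means every interface
        return True
    return bind_addr not in MANAGEMENT_NET


def audit_netstat(netstat_text):
    """Return findings as (kind, service, port, detail) tuples, in input order.

    kind is 'exposed_listener' for a remote-access port bound where outsiders
    can reach it, or 'foreign_session' for an established session on such a
    port whose peer is outside the management network."""
    findings = []
    for line in netstat_text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        lport = int(m["lport"])
        service = REMOTE_ACCESS_PORTS.get(lport)
        if service is None:
            continue
        if m["state"] == "LISTENING" and _reachable_from_outside(_addr(m["local"])):
            findings.append(("exposed_listener", service, lport, f"bound to {m['local']}"))
        elif m["state"] == "ESTABLISHED":
            peer = _addr(m["remote"])
            if not peer.is_loopback and peer not in MANAGEMENT_NET:
                findings.append(("foreign_session", service, lport,
                                 f"peer {m['remote']}:{m['rport']}"))
    return findings


if __name__ == "__main__":
    for kind, service, port, detail in audit_netstat(SAMPLE_NETSTAT):
        print(f"{kind:16} {service:12} tcp/{port:<5} {detail}")
```

On a real register, feed the script the output of `netstat -ano` (or `netstat -tan` on a Linux-based POS, whose column layout differs and would need its own pattern). A listener bound to 0.0.0.0 is the signature of the “remote access window” an integrator leaves open for convenience; the fix is to bind the service to the management interface or loopback and reach it only over a VPN or jump host, and to remove it entirely once the install is done.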
Tools to Succeed
The Council has developed a training and certification program for these qualified installers and resellers. The goal of the program is to make sure that these installers know what they need to do in order to install systems in a PCI-compliant manner. “And more importantly, give confidence to convenience store operators that they will be able to find qualified, certified experts that understand what their endgame is or are at least aware of how these things should be installed.”
Information can be found on the Web by visiting www.pcisecuritystandards.org.
The Council is also working hand in hand with a variety of trade associations, one of which is NACS, to reach its members. “We don’t have a lot of touch points for smaller merchants, so we’re partnering with the associations in order to get information to these people as quickly as possible,” Russo said. “We want them to feel confident in whoever is doing the installation at this point. But more importantly, we want them to find solutions to overcome some of these challenging PCI issues.”