Data protection, PCI compliance efforts yield mixed results; distributor class in crosshairs.
Three-store operator Larry Jackson went in two different directions to comply with Visa-backed standards for data security. With help from his fuel supplier, Sunoco, he upgraded his registers and pumps with the proper systems and PIN pads at two stores.
For the third, an unbranded location, he took a bold step and stopped taking debit at the pump.
“We’re probably sacrificing customers because there’s no debit at the pump,” says Jackson, managing director of Good to Go Markets, Columbia, Md. “But we’re not going to spend until we’re positive about where things stand.” Jackson’s hesitance comes from a combination of today’s tough economy and uncertainty with how payment card industry (PCI) mandates will evolve.
In recent years, retailers under pressure from credit-card companies, major oil and the threat of actual security breaches have faced the conundrum of whether to invest thousands of dollars in necessary store-level systems or to jettison stores and, in the worst of cases, to leave the industry.
While the past two years have seen a buzz of activity, the whirlwind of enhancements has noticeably cooled. Deadlines—the most significant being a dispenser mandate back in July 2010—have passed, as has interest, say those following the data-security push. However, a large portion of the channel, as high as 70% of independent and small-chain operators, according to one data-security consultancy, remains at great risk.
It’s a risk that dominoes upward from dealer to the marketer-distributor class as major oil continues its retreat from retail, says Gray Taylor, executive director of the Petroleum Convenience Alliance for Technical Standards (PCATS), part of Alexandria, Va.-based NACS. The challenges include the following:
- A growing threat. New York-based Citibank was the latest big-name corporation to announce a breach, but other signs, such as renewed interest by federal agencies to reach out to the c-store space, may mean data thieves are rediscovering the channel.
- Dealer noncompliance. A large number of dealers have balked at the cost and effort needed to become PCI-compliant. Their ammunition is their original contracts, which in many cases say nothing about investing in data security, Taylor says. A large number are also in denial or misinformed about what’s required to not only attain but also maintain compliance.
- Distributor liability. With most of the major oil companies opting out of retail, liability may fall to the distributor class. That’s because liability traces back to the business holding the merchant I.D., or the identification number that allows a retailer to handle credit-card transactions. In the petroleum supply chain, it’s often the distributor or jobber holding that I.D., not the dealer.
- Encryption and tokenization. Taking credit-card data and turning it into encrypted or transformed bytes of information may be the near-term solution to PCI, says Taylor. As PCI evolves, retailer backing of such alternatives becomes stronger, he says.
The only true solution, says retailer Nathan Okolita, is to embrace data security. His company has stayed ahead of the curve, purchasing equipment and installing upgrades even before mandates emerged. Some of the improvements he made last year include changing personal identification number (PIN) pads and associated modules to what’s called triple DES, or triple data encryption algorithm, a necessary step to encrypt debit data—and one that retailers such as Jackson of Good to Go Markets opted not to do at some stores.
“It’s just prudent to have a good security policy in place,” says Okolita, system specialist for 30-store Pride Convenience Inc., Springfield, Mass. “It’s not the easiest route, but the ramification is … you lose the ability to process cards.”
An Ongoing Problem
Since 2004, San Francisco-based Visa and the other major credit-card companies have been pounding retailers with mandates, initially to halt storing card data either electronically or on paper at the store. The credit-card giants organized the PCI Council to vocalize standards and work with the retail community to establish mandates and then require compliance.
The rules imposed cost with uncertain ROI on manufacturers and retailers alike. Over time, system upgrades removed the ability for devices to store data, leaving retailers to close the human loopholes related to protecting data. On a checklist level, that meant retailers had to fill out surveys affirming they had taken the steps necessary to reduce risk.
Soon after, suppliers, data processors and others began physically separating card-transaction activities from other store-level functions, effectively reducing the scope of what PCI covered regarding devices and connections at the store.
Costs varied wildly, contingent on chain size, level of in-house expertise and product availability. For last year’s mandated upgrades, suppliers and retailers quoted a range of $100 to $300 for PCI-compliant PIN pads; $800 to $2,000 for dispenser upgrades; and $5,000 to $10,000 to upgrade POS registers.
While the council remained adamant about deadlines through most of this process, it seemed stymied by the strangely demanding transaction environment at c-stores. Multiple devices, numerous touch points, lottery, credit and debit, loyalty and ATMs were all in play. Eventually it pushed back enforcement until Aug. 1, 2012, presenting a limbo that many retailers seem to be languishing in now. To add to the malaise, the council seems even less inclined to invoke more rules on dispensers, according to Taylor of NACS.
Industry Report Card
To say the industry has turned a blind eye to data security is far from the truth. Many forward-thinking companies have spent time and effort—and hundreds of thousands if not millions of dollars—to address PCI compliance and achieve higher levels of security.
In a CSP Daily News poll taken in early summer, almost half (46%) of the 80 respondents characterized data security and PCI compliance as “high” on their list of priorities. (See sidebar on p. 90.)

Companies from the largest chains to single-store independents win high marks from Shekar Swamy, CEO of Omega ATC, a data-security consultancy based in St. Louis. Chains with hundreds of stores typically have the IT staff and wallets to address data security and PCI compliance head on. For this segment, he says, enough time has passed to justify a systems review, especially since technologies such as wireless intrusion have entered the picture. Taking into account field experience and work with SIGMA and NACS, Swamy estimates 30% are noncompliant, primarily due to the ongoing nature of tasks such as reviewing the data that comes in and keeping up with evolving rules.

The other group Swamy says he doesn’t worry about is the single-store operator. Because these retailers typically run the stores themselves, their close supervision often mitigates the threat.
The biggest challenge, he says, is chains with 25 to 200 locations, where the potential vulnerability of a single store is multiplied. In many cases, Swamy says, executives in these chains have an “erroneous understanding” of what’s necessary for adequate data security. That’s why his firm estimates a 70% noncompliance rate among these small- to mid-sized retailers.
“One of the CEOs of a fairly good-sized chain says to me, ‘It’s too much security; we don’t need it—all we need to do is make sure [PCI standards] are met,’ ” Swamy says. “IT people … are unable to convince senior management to do something about it.”
Retailers have a “false sense of what compliance means,” he says. “Just quarterly, external scanning [audits] and filling out an SAQ [self-assessment questionnaire] is not compliance.”
The main issue, he says, is the ongoing nature of data security. Many operators think completing the 80 questions on a PCI survey is sufficient. “In all these systems, back office or POS, you still have to monitor them,” he says. “Often the back office is overlooked, because it’s outside of the card data [scope], but it’s also an access point to all systems.”
Part of the problem for mid-sized companies is working with a large population of dealers or franchisees. Bob Carr, chairman and CEO of Heartland Payment Systems, Princeton, N.J., says there’s a large population of small operators who, because of cost or ignorance, are not addressing the issue in a serious way. “There’s just a lot of education and remediation that’s needed, and it’s going to take a lot of time,” he says.
As for liability, Taylor of PCATS believes more and more weight may fall on the middlemen. “We’re at a legal impasse,” he says. “Most are branded with the majors. And the majors did what their legal obligation was: get software vendors to [update] PIN pads, get marketers to install them and then provide secure data communication and best practices on isolating the environment.”
He says the rest of the system is now under the distributors’ control. “You don’t want to be the deepest pocket near a breach point,” he says. “And card [companies] are saying the franchisor is going to have liability on franchisee operations.”
The biggest concern is defining liability, he says: “You could have a good lawyer and see [that distributors] have a ton of liability. The second you specify POS, you’re already pregnant.” In his opinion, those looking for financial rewards will fine the dealer or initial merchant “just enough so they don’t go out of business. Then you go upstream to find more.”

From a distributor’s perspective, William Shaver, executive vice president of retail for Atlas Oil, Taylor, Mich., believes his class of trade is receiving a tremendous amount of support from the majors. “All of our major suppliers have been very involved in assuring that their branded sites are in compliance,” he says. “They have offered their data warehousing and technical expertise to assist us. In many cases, since the data is flowing through their networks, they are deeply involved in compliance.” Atlas runs a third of its 375-site network through commissioned agents (in which Atlas owns and operates the fuel retailing) and handles 13 stores itself; the rest are traditional dealer operations.
The company has offered training, site inspections and Webinars to encourage its field-level partners to be proactive and responsible. “It has been expensive, but we have had good support and cooperation from retailers, dealers and suppliers to get this accomplished,” Shaver says.
Reviewing the System
Many believe the source of the problem is the system itself. Taylor of PCATS says the country is due for a major change in the card-payment system, evolving into something that would eliminate the need for PCI.
What NACS, PCATS and other related associations are looking for is a “transparent conversation” with those entities involved. “We want 10 years to plan rather than three years to upgrade dispensers,” Taylor says. “The incremental stuff is killing us.”
An interim step between today and that future system could be encryption, says Carr of Heartland. According to a white paper his company produced, 79% of the exposure to data theft evaporates by encrypting card data immediately as the card gets swiped. “We think that the reduction of scope of PCI is significant,” he says, citing how encryption at the pump for this industry would be a major step toward reducing risk.
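The scope-reduction argument made above (and in the earlier encryption-and-tokenization item) is that card data turned into a token or ciphertext at the point of capture never has to exist on the register or in the back office. The following is an added illustration of the tokenization half of that idea, written for this edit and not taken from Heartland, NACS or any vendor; the vault layout, the token format (last four digits kept, token built to fail the Luhn check so it cannot pass as a real card number), and the caller names are assumptions chosen for the demonstration.

```python
"""Replacing the card number with a token at the point of capture (added example).

Constructed to show the scope argument in the text: if the PAN is converted
into a token before it reaches the POS or back office, those systems never
hold cardholder data. The vault layout, the token format and the caller
names are assumptions, not a description of any vendor's product.
"""
import hashlib
import hmac
import secrets

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """Standard Luhn check-digit test, which real card numbers pass."""
    total = 0
    parity = len(number) % 2
    for i, ch in enumerate(number):
        d = int(ch)
        if i % 2 == parity:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The one system that still holds PANs and therefore stays in PCI scope.

    Tokens keep the last four digits (for receipts) but are generated so that
    they fail the Luhn check, so a token can never be mistaken for a card.
    Same card -> same token, via an HMAC index, without storing the PAN twice.
    """

    def __init__(self, index_key: bytes, allowed_callers=("settlement-host",)):
        self._index_key = index_key          # constructed key, assumption
        self._allowed = set(allowed_callers)  # who may turn a token back into a PAN
        self._pan_by_token = {}
        self._token_by_index = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        while True:
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        if caller not in self._allowed:
            raise PermissionError(f"{caller} may not retrieve card numbers")
        return self._pan_by_token[token]


def pos_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the register keeps for a sale: token and last four only, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}


def holds_pan(record: dict, pan: str) -> bool:
    """Scope check: does a stored record contain the full card number anywhere?"""
    return any(pan in str(v) for v in record.values())


if __name__ == "__main__":
    vault = TokenVault(b"constructed-index-key")
    sale = pos_sale(vault, "4111 1111 1111 1111", 4500)  # constructed test PAN
    print(sale, "contains PAN:", holds_pan(sale, "4111111111111111"))
```

Only the vault and whatever talks to it (here the assumed settlement host) remain in scope; a back-office report built from `pos_sale` records carries no card numbers to protect, which is the reduction the article's sources are describing.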
The movement of payment involving mobile phones will also help the process, Carr says, with more and more consumers wanting to “tap” their phones to pay for things. “Operators are going to be changing their pumps to accept ‘tap and go’ technology using cell phones,” he says. “Then those transactions will be encrypted and security will go up by a giant leapfrog step.”
Another form of energy driving change may be a new attitude among retailers. Terry Mahoney, partner with convenience-retailing consultancy W. Capra Consulting Group, Chicago, says for the past several years, everyone involved in retail systems has been focused on meeting PCI requirements.
“What I am seeing now is a shift from just PCI compliance to a more comprehensive focus on card-data security,” he says. “Senior-level executives are seeing the cost figures related to recent card-data breaches and organized card fraud, and they are asking tough questions.”
The idea is that retailers and vendors are implementing additional security measures beyond PCI. “As new security measures are implemented, the criminals will adapt,” Mahoney says. “PCI will not develop according to some grand master plan—it will evolve to address card security weaknesses as they are exploited. [Retailers] are wondering if they will be the ‘slowest antelope’ that attracts the interest of the pack of lions.”
How to Lock Down a Pump
PCI rules sometimes fail to cover what many feel are obvious data vulnerabilities at c-stores. Data “skimming,” or placing devices on dispenser card readers, is one of them. Gray Taylor of PCATS and NACS believes that “locking down” the pumps by initiating steps to deter tampering may be an even better use of an operator’s resources than actual PCI compliance.
“Some guys may say, ‘On a risk basis, I’m not going to spend where the return is not there,’ ” Taylor says. “It may not make economic sense to these guys. I’d rather see them spend money on locking down dispensers. That’s one place we have a problem.” Taylor says he’s not asking for PCI to mandate locking dispensers down. “We’re trying to get the industry to do it on its own,” he says. Here are some tips from NACS:
- Use serialized security strips over all access doors that need protection.
- Rekey the locks on dispenser doors that have access to electronic payment data.
- Consider investing in anti-breach kits for dispensers that many manufacturers now offer. These kits notify and shut down dispensers that are accessed without proper security-code entry.
Retailers concerned about data security should take precautionary steps that begin with attaining PCI compliance and evolve into active data-protection efforts. Here are a few steps NACS suggests:
- Start identifying systems that touch credit-card holder data.
- Get familiar with PCI standards through the PCI website at pcisecuritystandards.org or through NACS at nacsonline.com.
- Contact software and hardware vendors. Many have developed internal resources to educate users on PCI requirements and what their products offer in terms of compliance.
- Contact card processing and network service providers. These companies should also have protective measures in place.
- Conduct internal assessments.
- Consider hiring an outside consultant if things get too complex.
What (Else) Can Go Wrong?
Often, retailers believing they are compliant may lose sight of the obvious, which loops back to the ongoing nature of data security. Retailers can have detection systems in place to spot data thieves, but they have to monitor them. Here are a few tips from Omega ATC, based in St. Louis:
- Go further (vs. not far enough). A retailer may believe that simply filling out a quarterly questionnaire or segmenting the card data environment will mean both compliance and data security. Such is not the case.
- Keeping up with updates. Many of the monitoring systems are Windows-based, so retailers have to keep updated with patches and monitor file integrity.
- Plugging vulnerable areas. Things such as default settings in many systems—sometimes opened by third parties—can give access to data thieves.
- Monitoring for threats. One of the biggest mistakes a retailer can make is to install antivirus protection but fail to review the reports, allowing for an intrusion simply because no one did anything when the alert sounded.
- Turnover. Typically the well-paid, central IT staff person is a constant, but his or her support staff may fluctuate, providing no continuity of experience and knowledge.
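The "monitor file integrity" tip above is one that a small chain can act on without buying anything. As an added illustration (written for this edit, not Omega ATC's tooling or any product the article names), the script below hashes every file under a directory, saves that as a baseline, and on the next run reports what was added, changed or removed. The directory layout and the sample files in `demo()` are constructed for the demonstration; on a real register the root would be the POS install directory and the baseline would be kept off the machine being checked.

```python
"""File-integrity check for a Windows-based POS or monitoring host (added example).

Constructed illustration of the 'monitor file integrity' tip: hash every file
under a directory, store the result as a baseline, and report anything added,
changed or removed since. Paths and sample files are constructed for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Return {relative_path: sha256 hex} for every regular file under root."""
    result = {}
    root_path = Path(root)
    for path in sorted(root_path.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            result[path.relative_to(root_path).as_posix()] = digest.hexdigest()
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Files new since the baseline, gone since the baseline, or with a changed hash."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def save_baseline(snap: dict, path: str) -> None:
    with open(path, "w") as fh:
        json.dump(snap, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as fh:
        return json.load(fh)


def demo() -> dict:
    """Build a constructed POS directory, baseline it, then make the three kinds
    of change an operator would want flagged (changed binary, new file, deleted
    config) and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "pos"                       # assumed install directory
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "pos.exe").write_bytes(b"constructed POS binary v1")
        (root / "config.ini").write_text("[network]\nhost=processor.example\n")

        baseline_file = Path(tmp) / "baseline.json"    # keep this off the register
        save_baseline(snapshot(root), baseline_file)

        (root / "bin" / "pos.exe").write_bytes(b"constructed POS binary v1 + patch")
        (root / "bin" / "helper.dll").write_bytes(b"unexpected new file")
        (root / "config.ini").unlink()

        return diff_snapshots(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A report with empty lists is the expected case and is worth recording too: the article's point is that an alert nobody reads is no better than no alert, so the output belongs in whatever review the quarterly questionnaire already prompts, not only on the register's screen.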