JACKSONVILLE, Fla. — The convenience-store industry is less than 10 months away from having to comply with the latest credit-card security standards at fuel pumps. By Oct. 1, 2020, gasoline retailers must integrate chip-enabled credit- and debit-card hardware and software in their fuel pumps (often called EMV compliance, referring to Europay, Mastercard and Visa payment cards) or risk paying the cost of future data breaches caused by skimmers at the pump.
While some retailers have enacted the new security measures at the pump, many others are delaying the move or ignoring it altogether as they weigh the cost of compliance updates against the risk of a data breach.
Here’s one middle ground that retailers may want to consider.
In a typical retail environment, semi-integration is frequently discussed and even more commonly used. At the pump, however, it is an approach the petroleum industry has not considered, even though it provides significant benefits along with a cost-effective retrofit solution for the pump.
Full integration includes the payment application as a part of the core point-of-sale (POS) solution. It handles every aspect of a transaction, from reading the barcode scan to pushing the credit-card data to the processor and managing inventory. All card data is handled by the POS, so the POS itself falls under payment card industry (PCI) standards.
Each change to a fully integrated solution usually requires the processor to recertify the entire solution to maintain the security and integrity mandated by PCI. A full integration can take months to complete and includes full certification of the POS, forecourt and payment processing hardware and software components of the solution. Whenever any of these changes, a full certification can be problematic in the event of software recycles and custom changes, and it is time-consuming for both the POS provider and the merchant to deploy new solutions to the field.
With semi-integration, the terminal or device used to capture customer card data is connected to the POS application, but there is clear separation between payment and the actual transaction. In a semi-integrated solution, the POS transaction is often connected to the payment by only a single piece of data, which ties the card authorization from the terminal to the transaction processing and backend systems (forecourt, back office, etc.). All card processing bypasses the POS and goes directly from the terminal to the processor. Therefore no sensitive data is shared with the POS, and PCI requirements do not apply to the POS transaction itself.
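The separation described above can be enforced on the POS side. The following is an added example, not code from the article or from any vendor: a guard that accepts only an authorization reference and transaction metadata from the terminal and flags anything that looks like card data. The field names and sample messages are assumptions constructed for illustration.

```python
import re

# Hypothetical field names for the terminal-to-POS response; real terminal
# APIs differ by vendor. Only non-card data is allowed through to the POS.
ALLOWED_FIELDS = {"auth_ref", "approved", "amount_cents", "fueling_position"}
# 13 to 19 digits, optionally separated by spaces or dashes (PAN lengths).
DIGIT_RUN = re.compile(r"(?:\d[ -]?){13,19}")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def card_data_findings(message: dict) -> list:
    """List reasons a terminal-to-POS message would expose the POS to card data."""
    findings = []
    for key, value in message.items():
        if key not in ALLOWED_FIELDS:
            findings.append(f"unexpected field: {key}")
        for match in DIGIT_RUN.finditer(str(value)):
            digits = re.sub(r"\D", "", match.group())
            if luhn_ok(digits):
                findings.append(f"PAN-like value in field: {key}")
    return findings

# Constructed sample messages (4111111111111111 is a well-known test number).
CLEAN = {"auth_ref": "TXN-8F2A91", "approved": True,
         "amount_cents": 4250, "fueling_position": 3}
LEAKY = dict(CLEAN, track2="4111111111111111=251210112345")

if __name__ == "__main__":
    for name, msg in (("clean", CLEAN), ("leaky", LEAKY)):
        print(name, card_data_findings(msg) or "no card data seen by POS")
```

Running the same check over POS logs and back-office exports gives a quick regression test that a terminal or middleware update has not started passing card data into systems meant to stay out of scope.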
Further, semi-integration costs less, as it is usually a simple API interface independent of POS software changes and/or semi-integrated solution changes. Thus, full certification is done once and repeated only when the processor and terminal are changed.
With semi-integration, a POS and its components can turn around software upgrades as quickly as the development cycles allow and deploy them without having to certify those changes. The POS is removed from PCI scope, and the merchant can take advantage of new features more quickly, making this a more cost-effective solution for the business while keeping it both PCI secure and reliable in operation.
A semi-integrated solution for stations that uses P2PE (point-to-point encryption) direct to the processor and relays the authorization to the POS to complete the transaction removes the need for the partner POS to certify its solution. In addition, the costs of both implementation and operation are significantly lower than those of the traditional solution, upward of 30% to 50%.
A good retrofit solution for a pump requires minimal downtime, which comes from an implementation plan that upgrades by fueling position instead of by entire site system. On average, the downtime of any one fueling position is between 30 minutes and 1 hour, while the rest of the store and the other fueling positions remain fully operational.
A semi-integrated retrofit solution at the pump is a highly efficient way to bring a solution that is not EMV compliant into compliance for the 2020 mandate.
Raymond Prothero is vice president of products and programs, Petro Solutions, for Sound Payments, Jacksonville, Fla.