
The Security Lockdown

Will new PCI regulations lock some fuel retailers out of pay-at-the-pump?

By Tim Weston

It is no secret that financial data theft is on the rise, and it is costing both consumers and retailers millions of dollars and many sleepless nights. One area of concern is fueling sites that support pay-at-the-pump. Gas pumps can be particularly vulnerable to criminal activity because of their outdoor location and, in some cases, the age of the equipment installed ten years ago or more.

As technology evolves, criminals are discovering new ways not only to steal fuel, but also to access valuable payment information. Some theft methods are as simple as installing a camera to capture credit and debit card Personal Identification Numbers (PINs). Others involve more complex, technologically sophisticated means, such as overlaying keypads with data skimmers or intercepting the transfer of data over network connections. Either way, the trend poses a serious problem for retailers and credit companies entrusted with protecting consumer information. A breach in security, as some businesses have learned the hard way, results in negative publicity, undermines customer confidence, erodes your brand and can cost big bucks.

What is PCI Compliance?
The industry is responding to these evolving threats with heightened vigilance, and the Payment Card Industry (PCI) Security Standards Council, an organization founded by the major card brands, is aggressively combating the problem through stringent payment security requirements. The council's best-known mandate is the PCI Data Security Standard (DSS), which governs how merchants store, process and transmit cardholder data; a companion set of device requirements, including those for Encrypting PIN Pads (EPPs), governs the payment hardware itself and requires that devices used in retail applications offer strict protection against financial fraud.

PCI Compliance Deadlines: PCI Encrypting PIN Pad (EPP) Regulations

January 2009 (New Dispensers): Newly deployed dispensers must contain a PCI-certified EPP keypad capable of TDES encryption (U.S.).

July 2010 (All Dispensers): All dispenser keypads must use TDES encryption and be PCI certified (Global).

Fast-approaching compliance deadlines have elevated a set of these regulations to a major priority for fuel retailers. The PCI Encrypting PIN Pad (EPP) specifications apply to all businesses that accept PIN-based debit transactions. For most fuel retailers, this includes fuel pumps with pay-at-the-pump capabilities. For many, it means an additional investment in their forecourt equipment in order to increase the protection of PINs entered on the dispenser keypads.

In addition to PCI EPP regulations, the council is working on an upcoming set of standards for Unattended Payment Terminals (UPTs). This standard will broaden the security protections to include magnetic stripe card data and display prompt controls and will be applicable to fuel dispensers and other self-service terminals. Publication of the PCI UPT specification is expected in the third quarter of 2008, and compliance deadlines are sure to follow shortly thereafter. Until then, fuel dispenser payment terminal manufacturers are wasting no time developing products that will provide retailers with compliant solutions. Likewise, retailers are quickly coming up to speed on current regulations and sorting through their options.

The Challenge of PCI Compliance
Perhaps the most obvious challenge that PCI compliance poses is the initial investment outlay for retailers who must purchase new compliant gas pumps or retrofit existing pumps with compliant payment terminals. In an industry that is already margin-sensitive, many fuel retailers are struggling to budget for the expense. Some are even considering dropping debit transactions at the pump altogether, a business-damaging step given that in some cases nearly 40 percent of transactions are debit, and that share is growing.

Another challenge is the complexity of the regulations. In addition to the PCI requirements, other bodies, such as Interac in Canada, and regional mandates, such as the EMV chip-card specifications adopted across Europe, impose their own payment security rules. This is no small issue for large businesses with sites around the globe.

A third challenge is the complexity of the technology involved in establishing a secure payment solution. Card data is not automatically encrypted all the way to the financial institution. The EPP encrypts the PIN at the keypad, but other data, such as the magnetic-stripe track read from the card, may travel in the clear between the card reader, the dispenser's payment electronics and the POS, and it is at those hand-offs that skimmers and network taps operate. To secure data throughout the entire process, it should be encrypted at each stage, including as it travels between the internal components of the payment terminal. While the regulations do not require encryption of all data between all points, it is a consideration for retailers who want to maximize security.

A New Game for Distributors
Distributors are also faced with changes to their businesses as a result of the new regulations. In the coming months and years, they can expect to feel the impact of replacing large volumes of payment terminals. This will, of course, require more staff and more efficient ways of managing accounts.

Education and support are another area where distributors can expect changes. Salespeople and technicians will be required to increase their technical skills and understanding so they can guide retailers through the transition. Additionally, new guidelines and best practices will need to be established throughout the industry to handle PCI EPP compliance today and future revisions of the standards as the industry works to stay ahead of criminal sophistication.

PCI Compliance and the Customer
In a world where the fear of identity theft is a major worry, PCI compliance will have a positive impact on retail fuel customers. Consumers can refuel their vehicles and pay at the pump with renewed confidence that their financial data is protected. In all honesty, most customers will not be fully aware of PCI compliance, as high gas prices are more likely to be on their minds. But PCI compliance provides an opportunity to educate consumers about another way in which you are looking out for their interests. Using marketing materials and on-site signage to note that your site meets the latest payment security regulations is good for public relations, provided the claim is accurate and kept current as the standards change.

Painlessly Establishing Compliance
Amidst the confusion and doubt that PCI compliance is creating, a growing number of resources are available to help retailers establish compliance. More and more businesses offer comprehensive PCI compliance audits and implementation services. A list of recognized Qualified Security Assessors (QSAs) and additional information about PCI regulations can be found at the council's Web site at www.pcisecuritystandards.org. Equipment vendors are another good resource for information about regulations and compliance issues.

No matter which resource you turn to for help, here are some general guidelines to keep in mind as you consider a solution:

  • Look for the flexibility to upgrade to future versions of the regulations. A solution certified to PCI EPP Version 2.0 can serve as the foundation for a PCI UPT compliant solution, whereas solutions certified to earlier versions of the regulations will become obsolete by 2014 or earlier.
  • Treat investment protection as a key criterion when selecting a solution, to limit the expense of replacing or upgrading existing payment terminals.
  • Factor in how the new payment solution fits your overall business goals and your five- to ten-year roadmap.
  • Look for a solution that is compatible with the existing POS system.
  • Make certain the solution meets both the logical and the physical stipulations of PCI compliance. It must support TDES-DUKPT encryption, include tamper-responsive defense mechanisms for PCI EPP compliance and provide unauthorized-device-removal protection for PCI UPT compliance.
  • Find a solution that encrypts data at each of the vulnerable points described above, not only at the keypad.
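The "TDES-DUKPT encryption-capable" requirement above is the one piece of the checklist a technician can verify mechanically, so here is a worked example of what it means. This is an added illustration, not code from the article or from Dresser Wayne: it implements the ANSI X9.24 DUKPT key derivation and an ISO 9564 format 0 PIN block in Go, using the published X9.24 sample Base Derivation Key (BDK) and Key Serial Number (KSN) as constructed inputs. Function names (deriveIPEK, derivePINKey, pinBlockFormat0) are the example's own. The security property it demonstrates is why DUKPT is mandated: the pump holds only keys derived from its Initial PIN Encryption Key (IPEK), never the BDK, and each transaction counter yields a fresh key, so a keypad pulled out of a dispenser does not expose the PINs of other transactions or other dispensers, while the acquirer host can still recompute the same key from the BDK and the KSN sent with the transaction.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"math/bits"
	"strings"
)

// Constructed sample inputs (the published ANSI X9.24 DUKPT test values; not live keys).
const (
	sampleBDK = "0123456789ABCDEFFEDCBA9876543210" // 16-byte Base Derivation Key, held only by the host
	sampleKSN = "FFFF9876543210E00001"             // 10-byte Key Serial Number: device ID + 21-bit counter
)

var (
	keyVariant = mustHex("C0C0C0C000000000C0C0C0C000000000") // used to derive the right key half
	pinVariant = mustHex("00000000000000FF00000000000000FF") // marks a derived key as a PIN-encryption key
)

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// desEncrypt is single DES on one 8-byte block; X9.24 uses it only inside key derivation.
func desEncrypt(key8, block []byte) []byte {
	c, err := des.NewCipher(key8)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// tdesBlock runs 2-key TDES (K1,K2,K1) on one 8-byte block, encrypting or decrypting.
func tdesBlock(key16, block []byte, decrypt bool) []byte {
	k := append(append([]byte{}, key16...), key16[:8]...)
	c, err := des.NewTripleDESCipher(k)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	if decrypt {
		c.Decrypt(out, block)
	} else {
		c.Encrypt(out, block)
	}
	return out
}

// deriveIPEK computes the Initial PIN Encryption Key injected into the device at the key-loading
// facility: TDES over the KSN (counter bits cleared) under the BDK and under the BDK variant.
func deriveIPEK(bdk, ksn []byte) []byte {
	ksn8 := make([]byte, 8)
	copy(ksn8, ksn[:8])
	ksn8[7] &= 0xE0 // clear the top 5 counter bits
	return append(tdesBlock(bdk, ksn8, false), tdesBlock(xorBytes(bdk, keyVariant), ksn8, false)...)
}

// nonReversible is the X9.24 one-way step: an attacker holding the output cannot recover the input key,
// which is what protects earlier transactions when a device is captured.
func nonReversible(key, reg []byte) []byte {
	left := xorBytes(desEncrypt(key[:8], xorBytes(reg, key[8:])), key[8:])
	kv := xorBytes(key, keyVariant)
	right := xorBytes(desEncrypt(kv[:8], xorBytes(reg, kv[8:])), kv[8:])
	return append(left, right...)
}

// derivePINKey walks the set bits of the 21-bit transaction counter, applying nonReversible once per
// bit, then applies the PIN variant. Host (from BDK) and device (from IPEK) reach the same key.
func derivePINKey(bdk, ksn []byte) ([]byte, error) {
	if len(bdk) != 16 || len(ksn) != 10 {
		return nil, errors.New("BDK must be 16 bytes and KSN 10 bytes")
	}
	counter := uint32(ksn[7]&0x1F)<<16 | uint32(ksn[8])<<8 | uint32(ksn[9])
	if counter == 0 || bits.OnesCount32(counter) > 10 { // X9.24 limits counters to 10 one-bits
		return nil, errors.New("KSN counter must be non-zero with at most 10 one-bits")
	}
	reg := make([]byte, 8)
	copy(reg, ksn[2:10])
	reg[5] &= 0xE0
	reg[6], reg[7] = 0, 0
	key := deriveIPEK(bdk, ksn)
	for bit := uint32(1) << 20; bit != 0; bit >>= 1 {
		if counter&bit == 0 {
			continue
		}
		reg[5] |= byte(bit >> 16)
		reg[6] |= byte(bit >> 8)
		reg[7] |= byte(bit)
		key = nonReversible(key, reg)
	}
	return xorBytes(key, pinVariant), nil
}

// pinBlockFormat0 builds an ISO 9564 format 0 PIN block: padded PIN field XOR PAN field.
func pinBlockFormat0(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || len(pan) < 13 {
		return nil, errors.New("PIN must be 4-12 digits and PAN at least 13 digits")
	}
	pinField := fmt.Sprintf("0%X%s", len(pin), pin)
	pinField += strings.Repeat("F", 16-len(pinField))
	panField := "0000" + pan[len(pan)-13:len(pan)-1] // 12 rightmost digits excluding the check digit
	p, err := hex.DecodeString(pinField)
	if err != nil {
		return nil, err
	}
	q, err := hex.DecodeString(panField)
	if err != nil {
		return nil, err
	}
	return xorBytes(p, q), nil
}

func encryptPINBlock(pinKey, block []byte) []byte { return tdesBlock(pinKey, block, false) }
func decryptPINBlock(pinKey, block []byte) []byte { return tdesBlock(pinKey, block, true) }

func main() {
	bdk, ksn := mustHex(sampleBDK), mustHex(sampleKSN)
	pinKey, err := derivePINKey(bdk, ksn)
	if err != nil {
		panic(err)
	}
	block, _ := pinBlockFormat0("1234", "4012345678909") // constructed PIN and PAN
	fmt.Printf("IPEK:      %X\n", deriveIPEK(bdk, ksn))
	fmt.Printf("PIN key:   %X\n", pinKey)
	fmt.Printf("PIN block: %X\n", block)
	fmt.Printf("Encrypted: %X\n", encryptPINBlock(pinKey, block))
}
```

In a real deployment only deriveIPEK's output is ever loaded into the keypad, and the device then advances its counter and discards keys it can no longer need, so the host-side derivation is the only place the BDK exists. A TDES key is 16 bytes and the PIN block is a single 8-byte TDES block, which is why the regulation is phrased in terms of TDES; the same structure carries over to AES-based DUKPT in later revisions of X9.24.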

The Opportunity of PCI Compliance
PCI compliance offers significant opportunities for retailers and distributors. Not only will businesses be able to offer increased security for their customers and avoid the high cost of a security breach, they also will have a chance to upgrade their forecourt technology and implement new ways to increase profit margins, including in-store sales.


Meet The Author
Tim Weston is product manager, payment technologies, at Dresser Wayne headquartered in Austin, Texas, and on the Web at www.dresserwayne.com.