Are You Secure?
The inconvenient truth about data security and PCI compliance.
The friendly technician working on your pump may be a fake.
After installing a wireless skimming device, he’ll shed his neon-orange vest, drive across the street and begin downloading credit-card numbers from your site, your PCI-compliant site. This isn’t hype. It’s very real.
For many, July 1 isn’t just prep time for the annual Independence Day barbecue. It’ll be an ominous deadline for thousands of convenience operators, large and small, to comply with the Visa-backed payment card industry (PCI) data-security standards.
When all is said and done, the c-store channel will have ponied up well over $100 million. And while forecourts and backcourts will be more secure, vulnerabilities abound. Just take that technician, for example. While PCI compliance for fuel dispensers does protect personal identification number or PIN-based transactions, the same cannot be said for magnetic-stripe credit cards.
This reality—that security is a costly, lifelong investment with ambiguous returns—is dawning on scores of cash-strapped operators. Interviews with more than two dozen technology experts, vendors and retailers show a swirl of confusion around the high-stakes world of security.
No one doubts the serious dangers posed by increasingly sophisticated hackers. In recent years, such high-tech thieves have successfully tapped into payment systems run by some of the country’s most prominent retailers. At the same time, many convenience merchants, citing their relatively small stature, question the prohibitive cost of upgrading systems against what they consider a highly unlikely attack.
Take Scott Matherly, IT vice president for Rogers Petroleum, a 20-store chain based in Morristown, Tenn. The company is spending $500,000 to $600,000 in upgrades, including $18,000 to $22,000 for a point-of-sale (POS) system. “And,” Matherly quickly points out, “that’s not recoverable. There’s just no return, and this is just phase one.”
Matherly, like many who have taken the plunge, knows the rules will eventually address fake pump techs. That’s the comforting, and at the same time costly, truth about PCI: It will change. “Credit-card data is under constant threat,” according to statements from the Wakefield, Mass.-based PCI Security Standards Council, the entity formed by the five major credit-card companies to develop and issue the rules. “So businesses must ensure that their safeguards are also under constant vigilance, monitoring and, where necessary, ongoing improvement.”
What began in 2004 with the major credit cards launching a global effort to curb identity theft has now reached the far perimeters of the c-store channel, causing strain and havoc on many fronts:
At the store level, the July 1 deadline has forced the largest mandated overhaul of equipment since the underground-storage-tank regulations of the early 1990s, involving thousands of POS registers, PIN pads and, in the next two years, payment terminals in hundreds of thousands of dispensers.
Besides the millions already spent in upgrades, retailers will spend millions more in training, IT expertise and future upgrades to maintain security.
Costs are forcing a new purge of locations where volumes won’t justify the new expense.
On the other side of the issue, c-stores are among the slowest retail segments to respond. Thieves looking for points of least resistance may find a playground here. The shifting rules make those who write equipment checks nervous, and rightly so. Case in point: the global migration to chip-based payment technology (see sidebar on p. 50). If forced upon retailers in the United States, it would mean yet another round of dispenser upgrades for a totally different type of payment mechanism. Though certainly not a near-term issue considering the investment all channels of retail would have to make, it illustrates the shifting dynamic of life after the current round of PCI.
With that scenario in mind, PCI for this fragmented channel is really two stories. A large block of retailers has much of the core PCI work done, but for many, the hell of 2010 compliance has barely begun. Possibly one-quarter of the more than 140,000 station operators have yet to open their wallets, resisting any investment out of defiance, frustration, lack of funds and/or ignorance—even after years of education from associations, manufacturer-user conferences and major-oil dog-and-pony shows.
As one high-volume, single-store retailer out of St. Louis admits, under condition of anonymity, “We don’t know bull [expletive] about it.”
Levels of compliance may reflect company size and resources that come with scale. Many observers believe the bulk of those in danger are single-store and small-chain operators. Regardless, several critical ambiguities are common and continue to baffle everyone from mom-and-pops to the chains with more than 500 stores. Among the major concerns:
- Are the deadlines going to hold? San Francisco-based Visa Inc. relaxed enforcement of fines for in-pump PIN pads, pushing real deadlines in the minds of many to Aug. 1, 2012, and sparking questions as to what is actually expected July 1.
- Who’s responsible? Liability for a breach will ultimately fall to whoever signed the merchant agreement, experts say. But for many, especially smaller operators, denial is a comfortable blanket. Litigation may also rope in the entire supply chain, including jobbers, franchisors and major oils. In addition, clarity over who actually covers what aspects of PCI remains a mystery, with retailers wanting the supplier community to be more definitive about what areas they will take responsibility for.
- What will liability mean? Last year, the average cost of a breach on a single customer was $202 (up from $197 in 2008), according to Traverse City, Mich.-based Ponemon Institute. But what fine amounts the associations, banks and processors will levy and what retailers will ultimately be responsible for remain vague. “We enforce compliance with the acquirer,” says Jennifer Fischer, head of U.S. payment systems risk for Visa. “In terms of further liability from acquirer to merchant or [jobber] down to a dealer, it’s determined by those parties.”
- Availability of compliant product. Insufficient lead time for development, network-processor delays and other issues mean that some manufacturers may not have deployable, PCI-compliant product available in time for the July 1 deadline.
- Are retailers truly covered? Remote access, loyalty programs, wireless applications and the use of third-party providers can open vulnerabilities in retailers’ computer and communication systems. Can retailers ensure their future technology expansions won’t compromise customer data?
- Compliance doesn’t eliminate risk or liability. Again, the idea of life beyond compliance stands as the next challenge. Current rules don’t cover everything needed to prevent an on-site breach and only hint at the procedure development, training and continual spot-checking retailers must execute on a regular basis.
“It’s important for a company to have a multilayered approach and not think that any one [set of standards] is going to be a solution,” says Fischer, who says PCI mandates don’t focus on skimming but do address the issue with best practices.
“It’s a big, confusing mess,” says five-store operator Justin Alford, co-owner of Benny’s Car Wash, Baton Rouge, La. “I don’t think anyone really knows what being PCI compliant is.”
YOU’RE NOT ALONE
In whatever extreme or limbo retailers find themselves, in just a matter of weeks, these PCI rules, backed largely by Visa but supported by all the big credit-card companies, will force operators to swap out noncompliant POS registers; review and potentially revamp store-communication networks; and, as one supplier strongly suggests, give someone the full-time job of building and sustaining a culture of information security.
Retailers find themselves facing standards because technology at the store, including some POS and ATM systems, expanded rapidly and was largely unregulated, says James Stroud, vice president of program management for Lexington, Ky.-based EchoSat Communications, a supplier of secure data-communications networks. These systems, he says, were extremely vulnerable, with “default software, default-system configurations, and even default passwords. And in most cases, there was no way of monitoring or managing the devices in the field once they were deployed.”
Just how many retailers will be noncompliant on July 1 is difficult to answer on a couple of fronts. First, due to circumstances ranging from equipment availability to installation backlogs, many simply won’t be able to make compliance by that date. But most sources believe that if a retailer can demonstrate activity toward compliance and show a written plan, then the scrutiny will pass on to others. (Indeed, as CSP went to press, it learned Visa had issued such a notice to vendors.)
For instance, Dale Williams, director of operations and IT for Walters-Dimmick Petroleum Inc., Marshall, Mich., says all 82 of his company’s sites are compliant, with the exception of the PCI software upgrades that its supplier is scheduled to come out with this spring.
Second, no single body is calculating the number of compliant sites. However, oil companies have been working toward network compliance, and two that have been taking an active stance on education and incentives believe their networks to be in the range of 55% to 75% compliance.
Among the oil companies, Houston-based Shell Oil Products U.S. seems to have provided the most attractive incentive package. Scott Taylor, wholesale technology adviser for Shell, says incentives included a penny-a-gallon reimbursement, with no cap for two years, if retailers got the job done before July 1.
As a result, three-fourths of Shell’s 14,000-site network (about 10,500) is PCI compliant.
For San Ramon, Calif.-based Chevron USA Inc., dispensers were already compliant, so the issue was POS and in-store PIN pads. Ann Seki, PCI program manager for Chevron, says more than half of its network was finished by the first quarter of this year. The company has about 7,500 sites in North America.
Trinette Huber, manager of information and pricing for Sinclair Oil Co., Salt Lake City, says 55%, or 1,100 out of 2,000 sites, have achieved compliance as of early spring—a strong number, she believes. Huber projects the company’s true compliance number at 68%, based on companies completing upgrades. “It’s a lengthy process,” she says. “The industry is being asked to make major changes.”
Exacerbating delays and retailer reluctance is something quite distressing even to PCI’s biggest advocates: ambiguity. Truth is, much of the language surrounding this mandate is vague and open to interpretation.
John Dounoucos, product manager of payment systems for Gilbarco Veeder-Root, Greensboro, N.C., points to the word “liable,” saying, “On July 1, 2010, liability shifts to [the retailer], but ‘liability’ is not defined. If the money in a checking account gets cleared, do I have to replace it? What liability is makes for conjecture.”
“I can’t find any attorney that really knows PCI to give us good advice, and that’s disconcerting,” says Lance Odermat, general counsel for Seattle-based Car Wash Enterprises Inc., which operates 46 Brown Bear and Bubble Machine locations. “I’ve done a cursory search for what the potential legal ramifications will be if you’re not compliant, and I’m finding there’s a huge gray area.”
What is not gray is the top-down, pass-the-buck approach in which the smallest players may have the most to lose. Visa is shifting enforcement down to acquiring banks and processors. In turn, the financial institutions are pushing Visa’s mandates to the wholesaler and ultimately the merchant.
“It all flows downhill,” says Michael Tyler, marketing director for VeriFone Inc., Clearwater, Fla. The murky language is a cause for concern. One Midwest retailer, who spoke on condition of anonymity, believes jobbers who push liability down to the dealer may have a rude awakening if they are operating credit transactions on behalf of the dealer. But the number of jobbers who hold the merchant identification number for a dealer is rare, according to Rick Dakin, co-founder and president of Coalfire Systems Inc., Louisville, Colo., an IT audit and compliance-management firm. Though speaking not as a legal adviser, he says his company has participated in related litigation as an expert witness and thus offers a strong warning.
“For [dealers and retailers] who think they can hide behind a jobber or major oil company, think again,” Dakin says. “The forensic accountants will go to the one store, one operator, one merchant agreement and start assessing liability. It is 100% whoever signs the merchant agreement who will be liable for fraudulent transaction or data loss.”
While Shell’s own proprietary card-processing network will enforce penalties brought on by a breach, Tyler says the company will act only in response to a bank’s request, passing on any fines or action directly from the bank to the merchant.
That pass-through of consequences may be significant. Visa says a bank that fails to make an immediate notification can get hit with a $100,000 fine per incident. Any breach from a merchant or provider that is not compliant can mean a $500,000 fine per incident. Fines of this magnitude may pass down to the merchant.
“We do have fine amounts that our rules allow us [to levy] but we have not set a specific [amount] for this program,” says Fischer of Visa, softening the rhetoric. “Not to assess fines is a goal here.” So how much in fines a retailer will ultimately face is anyone’s guess, and negotiation and other legal remedies may mitigate the initial number. Either way, some precedent exists.
In a presentation on data security, Gray Taylor, a card-payment contractor for NACS, spoke of a small restaurant in Broussard, La., that experienced a breach. The cost for the forensic work to determine where the breach occurred was $17,000; a $30,000 fraud was negotiated down to $20,000; and Visa assessed a $5,000 fine, while MasterCard waived a $100,000 fine. The total: $44,000, or $66 per card, that the owner was responsible for.
Dakin of Coalfire says he receives at least a call a week from a c-store or restaurant owner, who typically reports taking a hit of $50,000 to $80,000 in fraudulent charges and credit-card fines. “There’s a lot more to [return on investment] than people think,” says Tim Weston, product manager of payment technologies for Dresser Wayne, Austin, Texas. “There’s fines, cost of reimbursement to banks, the loss of brand value and litigation defenses.”
TAKING A TOLL
With regard to PCI, equipment costs can range widely depending on what is needed to be compliant. Gilbarco’s G-Site, an industry workhorse, is one POS that the company has said it will not upgrade to compliance. The purchase of its replacement, a Gilbarco Passport, starts at about $14,000.
Another pervasive POS device is the VeriFone Ruby, which retailers can upgrade with a $5,000 to $6,000 Sapphire addition.
PCI-compliant PIN pads can range from $100 to $300, while a single dispenser can cost $800 to $2,000 to upgrade. Matherly of Rogers Petroleum, who comes from an IT background, says things generally seem off: “If I had to buy a $20,000 server, it could walk on water. And we’re getting charged $20,000 for a system that runs one store?”
“This has caused us to sit back and take a look where we have register changes and say, ‘Is this a site where it’s worth it for us to stay in the fuel business?’ ” says Steve Palmer, CFO of Car Wash Enterprises. “In one case we had a low-volume fuel site and we did not do the upgrade.”
Though Palmer did not elaborate on what he intends to do with the store, considerations include halting the acceptance of credit cards at the site or paring it from the store portfolio.
Bruce Butler, owner and operator of Bridgeport Avenue Shell, Shelton, Conn., a single store in an affluent neighborhood, says his options were to spend at least $7,000 to $9,000 to do just the card readers or almost $17,000 (per dispenser) for all-new pumps. His total will be $70,000. In addition, his site will be down for two days to change equipment, with the installation of new software to take another six hours.
“So I put this off for as long as I can,” he says. “That business loss—you never get it back.” Ultimately, Butler says he doesn’t have a choice, but he looks at the bright side. In addition to new equipment, which should increase the value of his business, the Shell incentive money and a 2009 tax-code change allow for 100% depreciation, according to his accountant.
“For the most part, this is what I call defensive capital,” Butler says. “I’m not expecting a big return on the investment; I have to do this to stay in the game.”
“Security really has to be a shared responsibility; people handling [card data] should have the proper [measures] in place,” says Fischer of Visa. “We try to balance the needs of clients, merchants, banks and card holders, but ultimately we need to make sure we have effective data security and, in some instances, that means having standards and compliance requirements for merchants.”
With about two months until the July 1 deadline, suppliers have predicted a rush on equipment and installation orders that may push the system to its limits. Raymond Eiser, vice president of sales and partner with Reliable Oil Equipment Inc., Dayton, Ohio, a distributor for suppliers such as Gilbarco, says he has been seeing an increase in business, not so much in dispenser upgrades, where the rules have relaxed, but with in-store POS installations.
For VeriFone, lead times for products were running six to eight weeks, with installations in most instances seeing two- to four-week delays, Tyler says.
“Our industry chose not to react in a timely manner,” and the procrastination may have created a domino effect on supply, he says. “VeriFone is not going to place orders, even if the forecast is artificially low.”
Weston of Wayne says, “The volume of equipment shipping is taxing the supply chain; we ship as fast as we can, but we’re continually challenged by the volume of those who wait.” In addition to mom-and-pops just now getting into the ordering cycle, Weston says a number of 300- to 400-store chains are in the middle of rollouts.
What complicates matters is that for some suppliers, PCI-compliant product has yet to come out. At press time, updated versions of POS software from Gilbarco were scheduled for April, with a couple of processing-network versions set for a June release.
Specs for PCI compliance came out in October 2008, leaving a very narrow window of development compared to typical R&D time periods, according to Amy Wilson, POS marketing manager for Gilbarco.
VeriFone’s Tyler says part of the holdup comes from oil company networks that have opted to include additional functionality, in one case a loyalty package, which has delayed specs for compliance to those networks. “They wanted to enhance the [package] with loyalty, but instead of waiting for the next release of software, they’re choosing to put it in now,” he says.
WHERE RISK LIES
Responding to PCI compliance is also about managing cost. That’s why many retailers are evaluating their options at the dispenser. With four to eight dispensers at any typical site, upgrade costs could run into the thousands or mean new pumps altogether. Therefore, many retailers are opting to keep dispensers that are currently compliant (those running single data-encryption standard, or single-DES, processes vs. triple-DES) or opting to stop accepting PIN debit at the pump.
And while some say retailers should evaluate the potential loss of customers due to limited payment methods at the fuel island, priorities toward compliance inside the store may be accurately placed.
In 2009, 75% to 80% of breaches occurred at software-based POS systems, according to research firm Trustwave, Chicago. A large majority of those systems are managed by third-party entities.
“[Retailers] are at the mercy of vendors and are having to trust what they tell [them],” says James Kelly, Gilbarco’s product manager, security and compliance.
To safeguard against this pitfall, Denise Lewis, retail solutions manager for POS for The Pinnacle Corp., Arlington, Texas, suggests asking vendors for their implementation-guidance document. “Just by virtue of that document existing, retailers will be reasonably sure that vendors have gone through the proper audits,” she says.
With regard to dispensers and skimmers hacking into customer data, NACS officials say the risk is relatively low, especially compared to situations where the customer loses sight of the card while an employee leaves to swipe it. Hacking at a gas station is a “high-risk, low-yield proposition,” according to consultant Taylor.
That said, the risk to petroleum-retail and c-store operators is growing, according to Bob Carr, chairman and CEO of Heartland Payment Systems Inc., Princeton, N.J. “Criminals are like water,” he says. “They go to the lowest level, the easiest place to go.”
In 2008, hackers using malware sniffers, or programs designed to infiltrate systems and divert data, breached Heartland, costing the company $129 million. But Carr says the company has emerged stronger and regained the confidence of its employees and customer base. As the rest of the world converts to what he says is the higher-security route of chip-and-PIN cards, America and its less-secure payment systems will come under attack. Tyler of Shell agrees, saying that larger companies have learned from breaches and are locking down tighter than ever, leaving passive retailers vulnerable. (See p. 46 for what cashiers and managers need to know about spotting data thieves.) “The big guys were frightened by breaches,” Tyler says. “Now the criminal community is going down-market.”
LIFE AFTER COMPLIANCE
For retailers feeling forced into compliance, moving toward a sense of control may mean accepting the inevitable. “It’s a moving target,” says Craig Teiken, vice president of merchant product management for First Data Corp., Atlanta. Technologies such as replacing card data with random numbers (a process called “tokenization”) are quickly moving onto the scene, he says. “Once you achieve it, it’s not done. It becomes a way of life.”
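As an added illustration that is not from the article or any vendor named in it, here is a minimal token vault of the kind Teiken describes: the POS keeps only a random stand-in for the card number and the real number lives solely in the vault. The vault class, its index key and the card numbers are all constructed for this example.

```python
"""Added example: tokenization of card numbers (PANs) so that the POS and its
database never hold a real card number. Constructed for illustration; the
in-memory vault stands in for a processor-hosted token vault."""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Standard Luhn mod-10 check that every real card number passes."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps PANs to random, format-preserving tokens.

    The token keeps the PAN's length and last four digits (for receipts and
    customer lookup) but the remaining digits are random, so the token cannot
    be reversed into the PAN without the vault. Tokens are chosen to FAIL the
    Luhn check, so a leaked token can never be mistaken for a live PAN.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # secret held only by the vault
        self._pan_by_token = {}       # token -> PAN  (the protected side)
        self._token_by_index = {}     # HMAC(PAN) -> token, so a returning
                                      # card gets the same token each visit

    def _index(self, pan: str) -> str:
        # Keyed hash, not a plain hash: an attacker who steals this table
        # cannot brute-force 16-digit PANs against it without the key.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (12 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions and any token that happens to be Luhn-valid.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (e.g. at settlement time) recovers the PAN."""
        return self._pan_by_token[token]


def pos_sale_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the store-side POS is allowed to persist for a card sale.

    The PAN is handed to the vault immediately and only the token, the
    last four digits and the amount are written to the POS database.
    """
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    # "4111111111111111" is a constructed, Luhn-valid test number.
    record = pos_sale_record(vault, "4111111111111111", 4250)
    print("POS stores:", record)
    print("Vault recovers:", vault.detokenize(record["token"]))
```

A repeat swipe of the same card yields the same token, which is what lets loyalty and refund lookups work on token alone; nothing outside the vault can map a token back to a card number.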
And that lifestyle has little to do with PCI standards. “Hackers are not going to target stuff that’s in the [PCI] standard,” says James Hervey, senior manager, product marketing, for Radiant Systems Inc., Alpharetta, Ga., pointing out that criminals are always thinking of new ways to break in. “Once [retailers] get hit with that [new strategy], then it gets into the standard.”
Bradley Cyprus, senior security architect for Vendor Safe Technologies, Houston, says, “PCI is not a checklist,” even though retailers have to answer a standard questionnaire to prove compliance. “[The questionnaire] is an indication of a point in time,” he says. “It does not mean that [you’re compliant] 30 seconds later.”
He says a good score one day is a snapshot and doesn’t mean a “free pass” until the next year. “That is the biggest mistake with security,” he says. “It’s about diligence and addressing ongoing concerns. Did you do something today that makes all the work you did yesterday irrelevant?”
What Retailers Need to Know to Win:
- Networks that link the Internet to data.
- POS devices that store data.
- Pumps that cashiers can’t see.
- Update vendor-supported software.
- Lock down remote access.
- Do a secure data wipe.
- Train staff on data security.
- Malware: They sneak into systems and divert data.
- Card-swipe skimmers: They look like part of real swipes.
- Key: The same key unlocks 90% of dispensers.
- Hidden camera: Cameras can hide in fake brochure holders.
- Google: A tool to get the 411 on targeted companies.
Major Oil Networks
- The Friendly Pump Tech: A skimmer in disguise?
- The Mob: Organized crime is ramping up activity.
- Fake IT caller: A caller saying he’s with IT asking for passwords.
- Hacker: He seeks out unsecured retailers.
- Dude in the car: He’s downloading data from a wireless skimmer.
What to Watch Out For
Staff trained to spot suspicious behavior may actually catch a thief. Here are some tips and strategies for increasing data security:
- Watch for fake technicians. Have a procedure in place so staff can confirm a site visit, and never let an unauthorized person open a dispenser.
- Change dispenser locks. A common brass key can open 90% of all dispenser doors. Change the lock to prevent easy access.
- Place serial stickers on pumps. Then follow up by making sure they are not damaged—a sign that someone has broken into the pump.
- Watch out for cars that return multiple times during a single day. These may be criminals installing and removing skimming devices.
- Separate Internet and transaction networks. Keeping lines separate can prevent a hacker from accessing cardholder data.
Sources: NACS, Vendor Safe Technologies
Glossary of abbreviations:
DUKPT: Derived unique key per transaction
PA-DSS: Payment application data security standard
PCI DSS: Payment card industry data security standard
QSA: Qualified security assessor
SAQ: Self-assessment questionnaire
Single DES: Single data encryption standard
Triple DES: Triple data encryption standard
UPT: Unattended payment terminal
Chip Cards: Fly in the Ointment
The global movement toward what’s known as “chip and PIN (personal identification number)” cards, which use a computer chip to store data instead of a magnetic stripe, may rework the payment landscape yet again.
Currently taking hold in Canada, the technology is making its way to the United States, says Tim Weston, product manager of payment technologies for Dresser Wayne, Austin, Texas. “We know standards are going to evolve because thieves continue to evolve,” he says. “We have to stay as flexible as possible to embrace changes in security going forward.”
The timeline may be five to 10 years, according to Bob Carr, chairman and CEO of Heartland Payment Systems Inc., Princeton, N.J. “It takes a long time for stakeholders [to change],” he says. “It was eight years ago that chip-and-PIN first [hit] Canada, and things are just now changing.”
Note to Jobbers: Think ‘Healthy’ for Dealers
Achieving a 55% compliance rate in about a year is a victory for Trinette Huber, manager of information and pricing for Sinclair Oil Co. in Salt Lake City. For many chains supplying dealers, communication has been an ongoing battle. Here are a few of Huber’s tips:
Simplify. Her team reviewed the PCI assessment questions and divided them into three areas—software, policies and procedures, and networks—with retailers least at risk being separated out quickly.
Provide incentives. Sinclair offered retailers financial assistance if they were ever fined.
Walk them through. Huber and her team follow up with retailers, asking questions and assisting them through the process.