Five years ago, many major oil companies were supporting up to 20 different legacy point-of-sale (POS) systems. The situation was untenable from the majors’ point of view and presented problems for the payment card industry that was concerned about its liability for data security. The majors needed to rationalize the platforms they supported and introduce new POS features such as loyalty programs that would boost their brands, while card issuers and processors needed a robust response to the growing incidence of fraud and identity theft.
Not surprisingly, the outcome was fourfold: establish a standard-setting body (the Payment Card Industry Security Standards Council), formulate industry standards for data security (the Payment Card Industry Data Security Standard and its associated subcategories), declare a timetable for phasing out legacy POS systems and encourage development of new-generation platforms that meet the standards.
For makers of POS platforms for the petroleum industry this process has been ongoing for a decade. Gilbarco Veeder-Root introduced its Passport® POS system in 2000 as the eventual successor to its G-SITE® platform. Dresser Wayne was rolling out its Nucleus® platform by 2002. And VeriFone debuted its Sapphire® solution in 2003. “We saw it coming,” said VeriFone vice president Dan Yienger.
The process has been beneficial for the payment card industry by enhancing data security, beneficial for the majors by rationalizing and upgrading the POS platforms they support, and beneficial for equipment manufacturers by stimulating a market for next-generation solutions.
But is there a benefit for petroleum retailers who must ultimately pay to upgrade or replace their old POS systems?
That question has gained added urgency as July 1, 2010, is the next major deadline in the industry-mandated conversion process. Four important milestones apply:
· All POS systems that process, store, or transmit cardholder data—both credit and debit—must comply with payment card industry (PCI) standards.
· All personal identification number entry devices (PEDs) that have never been approved under PCI standards must be removed from the market.
· If data from a non-approved PIN entry device is breached, then the acquiring bank and the merchant are liable.
· All existing or newly installed fuel dispensers must actively use Triple Data Encryption Standard (TDES) PIN encryption with PCI-certified hardware, or liability for any data breach passes to the acquiring bank and the merchant.
Thus an important benefit to retailers for installing PCI-compliant POS systems is avoiding potentially costly fines and liabilities. Toward that end, the Payment Card Industry Security Standards Council (PCI SSC) and major POS system providers have developed an array of online tools to help merchants make sense of the alphabet soup of terms (see sidebar) they should know.
PCI SSC has published an online PCI Compliance Guide, and VeriFone offers an interactive PCI PED Tool Kit, while Gilbarco sponsors the Web site AskAboutPCI.com. Petroleum retailers can also consult with Qualified Security Assessors from the list posted at PCICompliance.com.
If the terminology (see sidebar) and deadlines seem like a blur, providers of POS systems are striving to make conversion as easy and seamless as possible for retailers—while adding new features and functionality that can save costs and boost income.
At Gilbarco, POS marketing manager Amy Wilson explained, “By isolating the PCI system requirements from the POS functions, we help retailers retain those features and functions that help them compete and become more profitable while still allowing for future changes required by the standards.” Upgrading from G-SITE to Passport is simplified by the fact that only the dispenser hub—and not the pump control box, distribution box, firmware or wiring—must be updated.
New and upgraded features of Passport include a touch-screen interface; fuel discounting by card type, car wash, cash or fuel grade, as well as cumulative discounting; an improved security camera interface; seamless standardization across all POS networks, including direct control of both Gilbarco and Dresser Wayne fuel dispensers and customer terminals; and extraction tools that permit retailers to register settings and store information, and transfer these data between multiple locations and oil brands. In addition, said Wilson, “A number of third-party POS interface partners are already certified with Passport.”
Wilson pointed to a common misconception among retailers, “It’s important to know that PCI compliance isn’t just about debit. POS systems process sensitive information for both credit and debit. Many of our customers think that if they just shut off debit transactions, that’s enough. But both types of data must be secured.”
Similarly, systems product manager Tom Chittenden of Dresser Wayne said, “In the last three years we’ve continued to make significant developments and upgrades in our Nucleus platform, adding features that make it easier for retailers, especially smaller chains, to conduct business. And we’ve made it as easy as possible to install and use.”
The Nucleus system incorporates a new interface to Dresser Wayne’s Fusion™ Forecourt System, Chittenden continued, “so that you can manage your points of sales together with your overall business. You have remote access and control across multiple sites, allowing you to efficiently perform management and configuration tasks simultaneously in several locations.” Though PCI compliance deadlines may be driving retailers’ decisions to upgrade, he encourages them to see the big picture. “It’s not just about POS software,” he said. “Your POS system must also talk to other key onsite operations such as the dispensers and tank gauges.”
At the same time, Chittenden added, Nucleus offers “robust discounting and merchandising ability that lets you automatically roll back the pump price of fuel when a consumer is taking advantage of an offer. The set-up even gives you the ability to stack discounts.”
These features suggest how, said Chittenden, the upcoming deadlines for PCI compliance afford “a good time for retailers to generally evaluate what they have and what’s on the market. Does your current technology limit you? Now is an opportunity to look at all your options.”
VeriFone has taken a different approach to PCI compliance by retaining its Ruby® platform and introducing the Sapphire® add-on. “We’re on our fifth generation of Ruby, the central processing unit we developed 18 years ago,” said director of marketing Michael Tyler. Sapphire brings current-generation Ruby platforms into compliance with PCI standards, while Ruby itself has “been enhanced by adding more memory and ports, so that it’s capable of handling additional devices such as car wash controllers,” he said.
A chief advantage of VeriFone’s strategy, continued Tyler, is that “instead of having to scrap your previous POS investment you can use Sapphire to leverage your investment because it works on the same Ruby platform. We designed Sapphire so that your Ruby hardware stays the same and you just reload the software. So you just add Sapphire to Ruby and meet the PCI requirements.”
Upfront costs are quickly recouped because the upgrade implements touch-screen technology, adds bandwidth for managing more peripherals and boosts customer loyalty by making it easier to institute fuel discounts and combination discounts.
Touch-screen capability is a major advance over keyboard-based POS devices because, said Tyler, “the number of keys gives a physical limitation to the number of items that can be represented. But touch-screens can have multi-layered menus.” Retailers can more easily engage in daypart marketing, speed up transactions and increase accuracy.
Another key benefit to upgrading, continued Tyler, “is replacing a POS system that merely gets data with one that gathers information and then uses logic to draw conclusions.” Thus, in addition to tracking sales a new-generation POS system might aid retailers by identifying items with slow turnover that are taking up valuable shelf space.
Providers of POS platforms for the petroleum industry have designed their products for ease of installation and training so that systems can quickly get up and running. But while they can guarantee that product is available, they cannot guarantee—especially as the July 1 deadline nears—that equipment installers will also be available on a timely basis.
# # #
Here’s a glossary of acronyms found in the literature on compliance with payment card industry data security standards:
ISO: Independent Sales Organization
PABP: Payment Application Best Practices
PA-DSS: Payment Application Data Security Standard
PCI: Payment Card Industry
PCI SSC: Payment Card Industry Security Standards Council
PED: PIN Entry Device
PIN: Personal Identification Number
POS: Point of Sale
QSA: Qualified Security Assessor
SDES: Single Data Encryption Standard
TDES: Triple Data Encryption Standard