Now that credit and debit transactions account for more than 80 percent of retail fuel sales, petroleum marketers have no choice but to comply with payment card industry security standards.
“It’s probably number 11 on the top ten list of marketers’ important issues,” said Bob Renkes, executive vice president of the Tulsa-based Petroleum Equipment Institute, “but it should be number-one.”
In September 2006, a coalition of credit card companies formed the Payment Card Industry Security Standards Council in an effort to combat fraud. Now all merchants who accept payment card transactions must comply with the Payment Card Industry Data Security Standard or pay hefty fines. Yet even the glossary of terms that marketers should be up on—EPP, PED, TDES, and more—is intimidating.
“Retailers need to know the current requirements and how standards may change in the future,” said Renkes, whose Tulsa-based organization represents 1,600 petroleum equipment manufacturers, distributors and service providers. For example, since Jan. 1, 2008, all newly manufactured debit card processing terminals must incorporate PIN entry devices that have been certified by PCI-approved laboratories. By next January, newly installed fuel pumps that accept debit cards must feature PCI-compliant encrypted PIN pads, and manufacturers must start installing keypads capable of implementing a new Triple Data Encryption Standard (TDES), which requires that data be encrypted multiple times within an encrypted PIN pad.
By July 1, 2009, TDES will be mandated for all debit transactions. A year later, on June 30, 2010, all fuel dispensers must be capable of encrypting PINs according to the Triple Data Encryption Standard. Then by July 1, 2010, pumps that process debit transactions must be upgraded with encrypted PIN pads. By the same date, attended PIN entry devices (that is, indoor POS payment terminals) must be certified as PCI-compliant. The devices must also process all debit transactions using TDES.
Along with its PCI-DSS, the PCI council has also promulgated a PA-DSS, or Payment Application Data Security Standard. The group’s goal is to “help software vendors and others develop secure payment applications that do not store prohibited data . . . and ensure their payment applications support compliance with the PCI DSS.” Thus, by July 1, 2010, merchants must adhere to Payment Application Best Practices and use only PABP-compliant applications.
The upshot of all this alphabet soup is PCI compliance will mean a financial investment. For that reason, fuel retailers must carefully assess their situations, consider their options and plan for the future.
“The first regulation you need to know is the PCI-DSS,” said Scott McDowell, the North American marketing manager for payment products at Gilbarco Veeder-Root, a petroleum equipment manufacturer based in Greensboro, N.C. The PCI-DSS governs data handling and networking.
Achieving compliance “could require changes to your site hardware and transaction infrastructure,” said McDowell. While companies that annually process more than 1 million transactions were required to comply with the PCI-DSS by Dec. 31, 2007, smaller merchants have until the end of 2008.
After familiarizing themselves with the PCI-DSS, fuel retailers must bone up next on the PA-DSS, or Payment Application Data Security Standard. The requirements chiefly apply to point-of-sale (POS) hardware. “Your devices must be certified by an approved laboratory as being compliant with the PA-DSS. That means meeting a lot of regulations which involve many pages of technical specs,” said McDowell. “Check the PCI Web site to help make sure an application is compliant. If it isn't, then you’ll have to upgrade.”
Then there are PEDs (PIN entry devices) and EPPs (encrypted PIN pads) to consider. “PCI PED,” said McDowell, is “the standard for attended PIN pads and terminals,” while the “PCI EPP” applies to “unattended hardware such as fuel dispensers, kiosks and ATMs.”
Gilbarco has developed multiple solutions to meet the differing needs of petroleum marketers. Its most economical option, the FlexPay EPP, does not require changes to existing point-of-sale hardware or wiring. The FlexPay Secure Card Reader (SCR) helps protect against credit card fraud and supports TDES. And FlexPay CRIND (card reader in dispenser) includes both an SCR and an encrypted PIN pad. The unit can be retrofitted to Gilbarco dispensers made as far back as 1991, as well as retrofitted to other manufacturers' dispensers, without changing the POS hardware or wiring.
“We’ve gone back to the earliest of legacy dispensers to accommodate as many installs as possible,” said McDowell. “We’ve made the design backwards-compatible to just a simple PIN pad upgrade. That decreases the investment needed. Being PCI-compliant doesn’t mean you must have a CRIND enhancement. If you compare a simple PIN pad upgrade to installing a card reader, you're looking at a savings of $15,000 just in hardware costs—not to mention saving about five hours of labor at $60 to $70 an hour.”
While an economical retrofit might be the best option for some retailers, others may discover that upgrading their dispensers can make sense for reasons other than security. “New pumps give a fresh look for the forecourt and allow retailers to rebrand,” McDowell said. “The technical, diagnostic and security improvements make your operation more efficient and accurate, which is important when gas is $4 a gallon. And the in-pump media applications are an added marketing benefit.”
Lower maintenance costs and reduced downtimes for new dispensers, as compared to older equipment, will partially offset their upfront cost. “The decision to retrofit or upgrade will vary from site to site,” McDowell said. “But the PCI deadlines are fast approaching. You'll save money if you don’t wait to the last minute.”
To outfit all the fuel dispensers that need new PIN pads by July 1, 2010, Gilbarco estimates that manufacturers must produce a combined 2,200 pads per day. Manufacturers say they can keep up with the demand, but there is no guarantee that there will be enough installers to go around if everyone waits until the eleventh hour.
“Although production might be keeping up, the important factor is whether they can get them all out in the field in time,” said Renkes. “If everyone waited to the last minute, there's no way installers could process them all. First the product has to be manufactured, and then put on a distributor’s shelf, and then delivered and installed. All of those steps require time. We had the same situation when underground storage tanks had to be upgraded or replaced in 1998. Contractors were in short supply then. So will enough service people be around when the PCI deadline gets closer?”
According to Renkes, retailers should start by asking questions. “You can begin by looking at your business plan and asking yourself: Do I have money now to upgrade? Will I have it later? Should I consider spending a little now and spreading out the installs over several months? Are there sites I might sell in the near future? Which sites can I be sure that I'll keep? If I don't take debit transactions now, do I plan to do so in the future?” The next set of questions, he said, should go to your equipment distributor: “What are my options? And are the prices for the products better now than they will be later?”
Thieves Without Masks
Dresser Wayne, another leading petroleum equipment manufacturer based in Austin, Texas, has also developed solutions to help petroleum marketers be PCI-compliant. “The most important thing is to maintain compliance for PIN-based debit transactions as they continue to evolve,” said product manager Tim Weston. “Make sure the products you install are compliant with the second-version EPP (encrypted PIN pad) standards.”
As Weston explained, “The latest version of the EPP requirements is the foundation for the coming round of UPT (unattended payment terminal) regulations. Any PIN pad on a UPT that’s noncompliant will have to be replaced.”
In early 2009 Dresser Wayne plans to introduce its iX Pay Secure Payment Solution. The solution will be offered as an option for new Ovation iX and Vista fuel dispensers, as a retrofit kit for legacy Dresser Wayne dispensers and selected third-party dispensers, and for upgrading Tokheim Premier dispensers. “If you’re going to make the investment, then make sure it meets the most current regulations,” Weston added, “and that it's upgradeable as future regulations come out.”
Though the date for new equipment to be PCI-compliant is expected to hold firm, Weston said, “There is a question about how quickly any retrofits to existing equipment will need to be done. We should know by the end of 2008 if the dates for retrofits get adjusted. But whatever happens, you'll be given a certain window to do the installs. Plan your purchasing accordingly so that you can spread out the expense.”
The key is to stay in the know. “The majors and the larger independents are generally aware of PCI requirements, because they have more direct communications with the credit card companies and processors,” Weston said. “But for the smaller mom-and-pop retailers, awareness is low and that's unfortunate.”
At VeriFone, a leading processor based in Clearwater, Fla., marketing vice president Jeff Wakefield said his company has a history of helping petroleum retailers leverage the latest payment solutions. “When pay-at-the-pump came along,” he said, “there were no security standards. At the time, the biggest concern with credit card fraud was stolen carbon copies. So as a vendor we saw the security problems for pay-at-the-pump and brought the technology, which we owned for interior payment terminals, out to the fuel island.”
Today's problems with credit card fraud, Wakefield explained, stem from the fact that “the 900,000 pumps in the U.S. all have a lock and a place to insert the key. But most keys are the same, and there are a lot of keys floating around out there. It’s fairly easy to get a key, open the door, and install a bug on the components, which are connected by ribbon cables.”
The bugs can then store customer information, which the thieves can retrieve later by reopening the dispenser or via wireless access. “The typical larger service station’s night clerk probably won't pay too much attention to what’s happening at the pumps, and it only takes a minute to open up the dispenser and put in a bug.” To combat fraud, however, last November VeriFone unveiled Secure PumpPay as its PCI-approved solution.
Wakefield said the fines for noncompliance should worry petroleum retailers, but it shouldn’t be their only concern. Losing valuable customer information would be a public relations nightmare for any marketer.
“In smaller communities where people tend to visit the local gas station, and that station is owned by a local retailer who is part of the community,” Wakefield said, “losing credit card information through lax security could jeopardize relationships with local customers and significantly impact the retailer and the business.”
In fact, U.S. fuel retailers in general face more security challenges than their counterparts around the world. “Criminals are going to the U.S. where retailers are bigger and there's more data to steal and profit from,” he said. “Also, European gas stations are much smaller and have good data security standards. And of course, in many countries customers still don’t pump their own gas.”
The bottom line for retailers is that PCI compliance is all about protecting their brands and their customers. “To do that, you need to put in a complete solution that meets PCI and TDES requirements,” Wakefield said. “Although TDES doesn’t stop fraud at the pump, it’s almost impossible to decipher a PIN that’s been encrypted three times.”
Although existing PCI requirements might be fine-tuned, especially for larger retailers, he advised, “Don’t wait to get compliant. If you’re a retailer, you need to assume you’re under attack by thieves. Incidents have increased dramatically over the last quarter. Before, criminals had to enter your store with a gun. Now they can just pretend to pump gas and then stick a skimmer inside to hack into data. They’re not just dumb guys wearing masks.”
Photo courtesy Gilbarco Veeder-Root