The past couple of decades could be described as the Wild West of point-of-sale (POS) systems in petroleum retailing, with over a dozen platforms being supported by the majors. With serious data security gaps becoming more apparent in the retail industry throughout the 2000s, most notably the hacking of TJ Maxx’s customers’ credit information, the Payment Card Industry Security Standards Council (PCI SSC) has been working to ensure the safe handling of sensitive information.
PCI Compliance and the Petroleum Retailing Industry
On its website, the PCI SSC outlines the various reasons why merchants should be compliant. These include promoting trustworthiness with customers as well as boosting their reputation. The council also says that compliance has future benefits, such as being better prepared for other new regulations, having a foundation for a security strategy and generally improving IT infrastructure.
On the other hand, if there is a breach of security and payment data is compromised, it can have devastating effects on a brand and business, which can include lawsuits, insurance claims, cancelled accounts, payment card issuer fines, and government fines, according to the council.
To take steps toward compliance, the council advises businesses to contact their payment brand or acquirer for specific requirements. However, the standard lists twelve specific requirements for compliance, such as installing and maintaining a firewall to protect cardholder data, encrypting transmission of cardholder data across open public networks, and using and regularly updating antivirus software.
More specifically, how it impacts petroleum retailers can be broken down into three segments:
-PCI PA-DSS: The PCI Payment Application Data Security Standard refers to protecting credit and debit card data in in-store transactions. All stores should be compliant as of July 1, 2010.
-PED: Stands for PIN Entry Device and refers to protecting the debit PIN. As of July 1, 2010, stores not in compliance, or retailers using PEDs not approved under PCI standards, can be found liable for not securing debit transactions in the store.
-EPP: Stands for Encrypting PIN Pad and refers to protecting the debit PIN outside the store. As of July 1, 2010, all dispensers that accept PIN debit require replacement of the keypad with an EPP, or with a payment device that includes an EPP, capable of Triple Data Encryption Standard (TDES).
So, how is the petroleum retailing industry doing in terms of upgrading to be PCI compliant? James Hervey, on the VeriFone petroleum marketing team, said, “We’re well past the tipping point to upgrading,” even for the smaller retailers who were least likely to upgrade.
“If you would’ve asked me 18 months ago, I would’ve said we had a long way to go,” but the industry has made a lot of progress, he said, which may be due to the July 2010 PCI compliancy deadline.
According to the PCI Merchant Level Requirements for VISA, there are four levels based on transactions done per year. Radiant Systems, headquartered in Atlanta, deals mostly with Level 1 businesses, those that have more than six million transactions, and Level 2 businesses, those that have one to six million transactions.
Ernie Floyd, director of data security and compliance at Radiant Systems, said Visa has been driving complete compliance for Level 1 and 2 businesses for the last five years. Thus, the company’s customers reached this level of compliance back in 2005-2006.
Floyd said Radiant’s customers have been interested in additional security controls, so the company has been doing a variety of things in that area.
“In July of last year, Radiant introduced Payment Guard MSR,” he said, which is an encrypted magnetic stripe reader that is installed within Radiant point-of-sale (POS) hardware terminals. This enables data security protection on a physical level with encryption of sensitive consumer data built into Radiant’s hardware products and decreases the likelihood that someone could manipulate the POS terminal by, for instance, putting a device in it to read the cards swiped.
“This is not a PCI requirement, but an extra layer of security in all of our terminals,” he said.
Another security measure Radiant is offering its customers is keyed locks.
“In the petro space, our customers are going through repeated annual PCI reviews,” Floyd said. “As the QSAs (Qualified Security Assessors) are starting to understand how the fuel operations really work, they are starting to ask for the fuel controllers to be locked up.” Radiant offers the Tiger Fuel Controller, which allows dispensers, outdoor payment terminals, tank monitors, price signs, and more to be connected to a single device.
Keyed locks decrease the likelihood of someone tampering with credit card data. “QSAs are starting to look more closely at pay-at-the-pump and how the data gets into the stores,” Floyd said. “They are making sure they’re secure.” Radiant’s POS software also raises an alert on the terminal if a PIN pad goes offline, which may be an indication of possible tampering.
“Most of the networks have given mandates for the retailers to meet, and the upgrade surge you saw the last couple of years has pretty much slowed down,” said Paul Kern, Wayne’s North American product manager. “Some of the retailers are still dragging their feet, but a lot of them are looking to complete this year. We've had pretty good compliance with our customers because it was a software upgrade and not a hardware upgrade, so for them it has been relatively easy. We stay in lockstep with PCI requirements, and as our upgrades come through software there is an assurance that you'll continue to keep up-to-date with the regulatory pieces regardless of your environment.”
Kern cautioned against trying to slip by on the requirements. “In general, while PCI is painful the reality is retailers are reducing the risk that they are going to get caught up in some kind of a breach and then held responsible for that,” he said. “So, by getting on board they're reducing their overall business risk.”
Gilbarco Veeder-Root, headquartered in Greensboro, N.C., offers retailers Passport®, which the company says increases performance and storage and is now available with an expanded number of optional hardware upgrades. Some of these upgrades include Gilbarco Secure High Speed Support via a Cybera secure tunnel and the Gilbarco Help Desk; image scanners to support mobile couponing and loyalty programs; an advanced touchscreen; and dispenser diagnostics and flow rates with the Wisdom™ Intelligent Device Management solution.
“Our approach is that retailers want flexibility in adapting their POS solution to the size and scope of their business,” said Andrew Robinson, director of POS at Gilbarco Veeder-Root. “Where possible, we provide this flexibility through software modules and services that allow retailers to quickly adapt their solution using their existing investment.”
The company offers several software modules that have features to enable retailers to run their business better, including enhanced reporting, enhanced store, employee management, advanced merchandising, car wash interface, enhanced card service and enhanced loyalty interface.
What makes Gilbarco’s Passport system secure is rooted in what the company calls its “breakthrough PA-DSS architecture,” which uses an enhanced dispenser hub to separate the POS from the payment data and forecourt control.
“This innovative approach removes the POS from PA-DSS scope, simplifying the retailer’s overall PCI compliance,” said Robinson.
“One thing we are really excited about today is our broad network acceptance,” said Tom Chittenden, Wayne’s global product manager. “Up until maybe the last 12 months we were not necessarily available to all of our different customer bases but now we have an offering that will serve a lot of the new applications. We have a ConocoPhillips interface now, a Valero, a Marathon interface and those are relatively new. With all our additional acceptances we can fit in with that multi-branded jobber.
“And we've been working real hard to offer a lot of different ways for retailers to merchandise, basically offer specials and discounting in loyalty cards and things like that. With the price of fuel bouncing all over the place it's really important for our customers to be able to target their customers and accommodate specials in loyalty as well as target different payment types.”
VeriFone’s strategy, both in light of PCI regulations and in general, is to develop products that retailers will be able to keep at the terminal as long as possible. The company’s Ruby platform has been around for 20 years, and the company developed Sapphire to extend the life of Ruby, keeping everything PCI compliant, said Hervey. VeriFone also provides the Topaz touch screen, which uses Sapphire.
Even if retailers are compliant, there are some looming standards that might become more of an issue in the coming years. EMV, which stands for Europay, MasterCard and Visa, is a data security standard that has been adopted almost everywhere except in the U.S. It refers to the interaction between integrated circuit cards, also known as IC cards or “chip cards,” and an IC-card-capable POS system to authenticate credit and debit card transactions. Because of this interaction between the card and the payment device, this standard is also known as “chip and PIN.”
EMV is not widespread in the U.S., but Hervey said VeriFone believes it could be coming and is preparing by providing this as an option. “A dispenser’s life is about 10 years,” said Hervey. “That’s why our MX 760 is EMV capable.” The MX 760 is VeriFone’s unattended payment hardware.
Recently, Wal-Mart purchased EMV-enabled terminals for all of its more than 4,000 U.S. stores, citing that chip and pin technology is the most secure form of payment. Moreover, just this summer, VISA announced they were pushing the migration to EMV contact and contactless chip technology in the United States, which will also bring a liability shift.
“The merchant will be liable if they accept a fraudulent card,” Floyd said. This change will happen on October 1, 2015. Fuel-selling merchants will have an additional two years, until October 1, 2017, before a liability shift takes effect for transactions generated from automated fuel dispensers.
Floyd warned, however, that having chip and pin does not mean PCI goes away. “It is fully applicable to it as well,” he said. So, in other words, if you have chip and pin, you’re not instantly PCI covered.
Another related piece of emerging technology that retailers need to keep in mind is called NFC, which stands for Near Field Communication, and refers to mobile payment.
“We’ve been told for years we’ll be able to pay with our cell phones,” Hervey said. “It’s coming.” NFC-capable payment systems allow the reader to communicate with the phone, which has a chip that stores the payment information but communicates only with trusted service providers.
“This is a very secure way to pay,” he said. Plus, the technology could spread in the market rapidly since “phones turn over very fast.”
Not only does mobile pay add ease and a certain cachet to the consumer experience, but it also offers retailers a new marketing opportunity to reach customers by providing coupons and loyalty programs on their phones.
Visa’s mobile wallet, which allows people to pay for things without using traditional cards, and Google’s phones have NFC technology, but as for right now, the availability of it is limited. However, POS providers are definitely looking to the future.
Radiant is introducing a POS terminal in the fourth quarter of this year that gives retailers an NFC-capable reader option. Additionally, Floyd advised retailers looking to get new hardware to look for a device that can accept an NFC upgrade easily.
“Retailers looking at terminal upgrades should really be looking at a path to NFC,” Hervey said. VeriFone’s MX 760 is also NFC capable.
Ways to Pay for Upgrade
Whether a retailer is doing the bare minimum to be PCI compliant or going above and beyond, it can be a costly investment.
Depending on the retailer’s situation, Radiant provides software for retailers that may not need to physically upgrade their terminal. However, if a retailer has older technology that cannot run the software—for instance, they have non-validated software and need to run PCI compliant software, which needs more horsepower, i.e. RAM—then the hardware needs to be updated, said Radiant’s Floyd. For smaller retailers that need to do this, some special financing programs have been created to make it easier for them to invest.
Another option, rather than replacing the whole POS system, is encryption of the card data.
“The premise is the card data is encrypted as soon as it’s swiped and the data stays encrypted until it gets back to the bank,” explained Floyd. Merchants can look at a strategy like that, such as the one offered by VeriFone’s VeriShield Total Protect.
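The encrypt-at-swipe flow Floyd describes, and the encrypting reader built into Radiant's terminals above, as an added example that is not code from VeriFone, Radiant or this article: the reader encrypts the track under a key the POS never holds, the POS forwards only ciphertext plus a masked PAN, and only the processor side can decrypt. The HMAC counter-mode cipher, the Track 2 sample and every function name here are constructed stand-ins; real readers use DUKPT-derived TDES or AES keys.

```python
import hashlib
import hmac
import os
import re

# Constructed sample swipe in Track 2 layout (industry test PAN, not a real card).
SAMPLE_TRACK2 = ";4111111111111111=2512101123456789?"
SAMPLE_PAN = "4111111111111111"

def _keystream(key, nonce, length):
    # Stand-in cipher: HMAC-SHA256 in counter mode, used only because the standard
    # library has no TDES/AES. Real readers use DUKPT-derived TDES or AES keys.
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def reader_encrypt(track2, key):
    # Runs inside the encrypting MSR head: the track is encrypted before it reaches
    # the POS, and only a PCI-style masked PAN (first six, last four) is exposed.
    pan = re.match(r";(\d{13,19})=", track2).group(1)
    nonce = os.urandom(12)
    data = track2.encode("ascii")
    return {
        "nonce": nonce,
        "ciphertext": _xor(data, _keystream(key, nonce, len(data))),
        "masked_pan": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
    }

def pos_build_request(reader_output, amount_cents):
    # The POS forwards the opaque blob with the amount; it holds no key and no track.
    return {"amount_cents": amount_cents, **reader_output}

def processor_decrypt(request, key):
    # Only the processor (or bank) side holds the key, so only it recovers the track.
    ct = request["ciphertext"]
    return _xor(ct, _keystream(key, request["nonce"], len(ct))).decode("ascii", "replace")

def full_pan_exposed(request, pan):
    # What a skimmer or memory scraper sitting on the POS would find.
    blob = b"".join(v if isinstance(v, bytes) else str(v).encode() for v in request.values())
    return pan.encode() in blob

def demo():
    key = os.urandom(32)  # injected into the reader and held by the processor, never the POS
    request = pos_build_request(reader_encrypt(SAMPLE_TRACK2, key), 4523)
    ok = processor_decrypt(request, key) == SAMPLE_TRACK2
    return full_pan_exposed(request, SAMPLE_PAN), ok, request["masked_pan"]
```

`demo()` returns whether the POS-side request contains the full PAN (it does not), whether the processor recovered the track, and the masked PAN the POS may keep for receipts.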
A different way for retailers to make up the investment costs is to get a new revenue stream. VeriFone’s PAYMEDIA, a product launched on the MX 760 Secure PumpPAY platform, is designed to deliver entertaining content and advertising to the customer at the gas pump while generating profits for the retailer. It has a full motion video screen that also can be retrofitted into older dispensers. The idea is while the customer pumps gas, the video content can offer news, weather and traffic, plus, show ads.
VeriFone’s media sales team has a staff of about 50 people who actively sell and market advertising to national ad buyers. The media group sells the ads, so it is completely turnkey for retailers.
“This is a route for retailers to offset the cost of upgrading,” Hervey said. “They just get a revenue share.”
At Wayne, the upgrade path is software driven. “With Nucleus you pay for it and there is no added cost,” said Paul Kern, Wayne’s North American product manager. “You get all of the functionality without paying extra for extra items. It is built on IBM hardware specifically designed for retail environments which helps with maintenance and the life of the hardware. When PCI came up we were able to do a software upgrade instead of a hardware upgrade.”
Kern noted that Wayne does offer various specials in the marketplace to try and entice people to switch to Nucleus when they have an upgrade choice versus going with the brand that they already have. “We have offered and continue to offer some discounts into the marketplace,” he said. “Currently we are offering a trade-in discount with the competitive point-of-sale for a brand-new Nucleus.”
Things to Consider
PCI compliance is not likely to be a one-time task, but an ongoing process. Hervey recommends that retailers keep themselves educated using the many resources available from associations like NACS, PCATS and PMAA.
“When you say ‘PCI compliant,’ you are talking about a whole bunch of standards,” he said, which entails three general levels: PCI DSS, which is what merchants have to adhere to; PCI PA-DSS, which is what companies like VeriFone have to keep in compliance with; and PCI PED, which is what manufacturers have to look at.
Hervey said retailers should take the self-assessment on the PCI SSC website to find out what level of compliance they need to have and then adhere to that.
Additionally, he said it is important that retailers have an ongoing conversation with their payment systems providers about what they are doing to stay in line with PCI.
“At VeriFone, we have an annual software maintenance program,” he said, where the company recertifies its applications. Also, the company has a software download program that allows retailers to download the most recent applications from VeriFone.
Floyd echoed that advice, urging retailers to ask about security features rather than assuming the products they buy have them. “Don’t just assume you’re buying something PCI compliant,” he said. Also, “retailers should be asking their acquirer what their PCI program is” and finding out what the acquirer’s expectations of PCI compliance are and what the acquirer wants the retailer to do.
Most majors have a PCI program, but in unbranded operations, the acquirer is responsible. So the retailer needs to go back to the acquirer. “Maybe they are getting charged PCI compliance fees and they’re not taking advantage of using those services,” Floyd said.
Finally for those retailers that are undergoing the upgrade, Gilbarco’s Robinson offered some advice.
“Retailers can gain the most benefit from sophisticated POS platforms like Passport when they invest in training to fully take advantage of its performance and follow best practices in managing their business.”
Bringing the store to the fueling customer
A new partnership focuses on promoting gas island vending
This last July, Vendgogh LLC, headquartered in Cary, N.C., announced a long-term partnership with VeriFone, headquartered in San Jose, Calif., aiming to put more of Vendgogh’s patented fuel island vending systems in VeriFone’s U.S. customers’ c-stores.
Vendgogh’s product, along with VeriFone’s POS solutions, allows retailers to sell cold drinks as well as gasoline at the pump with one swipe of a credit card. The move is part of VeriFone’s “forecourt forward strategy,” which involves bringing more technology to the island, VeriFone’s James Hervey said.
“For a decade, we’ve been talking about how to get the gas customer inside the store,” he continued. “But there is a certain customer who’s not coming inside.” This is a way to bring the store out to those customers on the gas islands.
The agreement builds on the previously announced integration of VeriFone’s POS solutions with Vendgogh’s gasoline island vending system.
The two companies will combine their sales and marketing efforts to drive the market development of vending at the gasoline island for thousands of VeriFone retailers.
The partnership between the two companies provides retailers with VeriFone products the opportunity to drive additional sales for their businesses, added Hervey.