Constant Vigilance

5/5/2008
Keeping up with ever-changing security standards for consumer credit card processes and the transmission and storage of consumers' personal information is one of the biggest top-of-mind issues for convenience store technology executives, according to discussions during Convenience Store News' annual CIO Roundtable, held recently in New York.

Requirements set by the Payment Card Industry (PCI) Security Standards Council, an independent body created by the five leading payment brands (American Express, Discover, JCB, MasterCard and Visa), apply to all payment card network members, merchants and service providers that store, process or transmit cardholder data. Failure to comply with these standards can result in costly surcharges, fines and a substantial increase in liability in the event of a data breach.

Retailers' fears of such a breach were underlined just a couple of weeks after the roundtable, when it was reported that a computer hacker stole millions of credit card numbers from two U.S. grocery store chains owned by Belgium-based Delhaize Group SA -- Hannaford Bros. in New England and New York, and Sweetbay in Florida.

According to reports, nearly 2,000 cases of fraud have been linked to the breach, and 4.2 million credit and debit card numbers were stolen. Hannaford said it became aware of unusual credit card activity on Feb. 27 and began an investigation, which found that the data was illegally accessed during the credit card transaction process.

C-store retailers and technology suppliers at the roundtable repeatedly cited an earlier breach at TJX Cos. that was disclosed last year, in which data from somewhere between 45 million and 90 million credit and debit cards were stolen by hackers over an 18-month period.

Retailers at the roundtable said they are constantly challenged to keep up with PCI compliance. "Keeping it all straight, figuring out which data really matter and what parts are most important" requires constant vigilance, said the CIO of one large c-store chain.

Chris Truesdell, CIO of QuikTrip Corp., agreed. "Our biggest problem is that although there is a standard audit process, we're still relying on an external entity and the rules are changing constantly." Truesdell listed PCI compliance as among his top four concerns, along with data warehousing, motor fuel accounting and energy management.

PCI compliance and protecting consumers' data is "top of mind for all projects that impact our wide-area network," said James Maxey, director of development and maintenance for Valero Retail Holdings. When the San Antonio-based retailer was considering installing Gilbarco's smart media (a system for providing promotions, advertising and coupons at the fuel dispenser) at its pumps, one of the company's information technology department's greatest efforts was understanding the data traffic that would be entering its system, according to Maxey.

Another tech executive gave an example of why PCI compliance is a challenge. "Last week, a marketing person wanted to put a lot of kiosks in the store and put them on our network. I had to say no. It's really an education issue for the industry."

Adding to the complexity is that retailers have to achieve different levels of successively stricter standards as they do more credit/debit card business.

"March 31 is the deadline for our company to be fully compliant with PCI standards as a Level 1 merchant," pointed out Jenny Bullard, CIO of Flash Foods. All of the technology executives said their companies were compliant with PCI standards and most agreed that the auditing process is a good practice for the retailers to undergo, although there was some annoyance that the credit card companies don't communicate directly with them.

"You never get anything from the credit card companies saying you are compliant," Truesdell noted. "You only hear from the credit card processor."

Educating everyone in the organization -- from central office to store level -- about the importance of PCI compliance is a continuing issue for the industry. Maxey of Valero pointed out that several sessions at the upcoming NACStech conference in Dallas are aimed at simplifying PCI compliance for retailers.

"It's not just about keeping the 14 people in your department up to speed," said the CIO of a large chain. "It's also about communicating those changing standards throughout your organization -- especially with the turnover we have in this industry."

PCI education is needed to an even greater degree by single store owners. "Single store operators don't have an idea what PCI is all about," one retailer said. "They think they can rely on their oil company brands but, in reality, they are the ones who are responsible."

Roger Tripp, product and development manager for CHS Inc., which markets petroleum products to 1,600 retail sites under the Cenex brand, concurred. "We may be a Level 1 merchant but our gas station owners are at Level 4. If they are in breach of PCI standards, what do we do? Cut them off? We have to go out there and educate, educate, educate."

Ironically, smaller retailers are punished for doing more credit card business. "Sometimes we have to say to a retailer, 'Congratulations. You've just become a Level 2 merchant.' Then, we have the distinct pleasure of having to tell them they now have to spend $80,000 to become compliant with Level 2 standards," Tripp said.

The penalties for noncompliance can be stiff. "One retailer I know has been fined $1 million by a credit card company for breaching its standards," one participant said. Another said his company was fined $100,000 for not being able to locate two data tapes from a decade ago.

Truesdell brought up another potentially major hurdle in PCI compliance. By 2010, all keypads at fuel dispensers must be replaced with more secure raised number keys to thwart theft of customers' PINs. Most of the retailers felt that this is an unrealistic goal.

"I don't see how anyone can suggest that we can be PCI compliant by the 2010 deadline," one retailer said. "There's not a chance in hell you could produce enough hardware to install everywhere by 2010."