PCI Compliance Workshop
NACS PEI, October 21, 2009, 10:45 a.m. to 11:45 a.m.

Presenters
- Scott McDowell, Director of Marketing, Dispenser Applications, Gilbarco Veeder-Root
- Mike Tyler, Director of Marketing, Petroleum Division, VeriFone, Inc.
- Tim Weston, Product Manager, Payment Technologies, Dresser Wayne
Agenda
- Overview of Payment Card Industry (PCI) Requirements
- Payment Terminal Standards and Retailer Options
- Fuel Dispenser Standards and Retailer Options
- POS System Standards and Retailer Options
- Implementing PCI: A Customer's Perspective
  - Dresser Wayne Solutions
  - Gilbarco Veeder-Root Solutions
  - VeriFone Solutions
- Audience Q & A for Panelists
Overview of Payment Card Industry (PCI) Standards
Mike Tyler, Director of Marketing, Petroleum Division, VeriFone, Inc.
Payment Card Industry Security Standards Council
- PCI PED: covers PIN Entry Devices at the pump and in the check-out lane
- PA-DSS: applies to software vendors who develop payment applications that store, process, or transmit cardholder data
- PCI DSS: applies to any business that stores, processes, and/or transmits cardholder data
Payment Security Deadlines
1. Secure the forecourt with Encryption at Pump: January 1, 2009 for new dispensers; July 1, 2010 for existing dispensers
2. Upgrade to PCI PED PIN Pads & TDES: July 1, 2010; VISA PED or PCI PED approved PIN pads and TDES from end to end
3. Update Payment Software to PA-DSS: October 1, 2008 for new stores; July 1, 2010 for all stores
(Timeline chart spanning July 2008 to July 2010.)
Payment Terminal Standards and Retailer Options
Payment Terminal Compliance Timeline
(Timeline chart spanning 2004 to 2017.)
- Unapproved Devices: can't support TDES 156-bit encryption keys; sunset date 6/30/2010
- VISA PED Devices: OK to use if you have them installed already; sunset date 12/31/2014
- PCI PED 1.x Devices: tamper resistance improves security significantly
- PCI PED 2.x Devices
- Upgrade PIN Pads: TDES Encryption
IMPACT: Time your replacement cycles to take advantage of newer terminals with improved security standards. Replace Visa PED in 2013.
Fuel Dispenser Standards and Retailer Options
Tim Weston, Product Manager of Payment Technologies, Dresser Wayne
Payment Security at the Dispenser
- PCI security standard currently applies to all fuel dispensers that accept PIN debit transactions
- Requires encryption when PIN information is entered
- Must use a PCI certified Encrypting PIN Pad capable of Triple-DES encryption
- Triple-DES encryption keys required to be fully compliant
- Retailers assume risk if using Single-DES encryption after July 2010
- PIN encryption must be done within the keypad
- Dispenser upgrade procedures vary by vendor (keypads, electronics, displays, bezel panels, etc.)
Fuel Dispenser Compliance Timeline
Visa is mandating that all PIN-accepting fuel dispensers comply with PCI EPP standards to support Triple-DES migration.
(Timeline chart spanning Q3 2008 to Q2 2011.)
- New Dispensers: newly deployed dispensers must contain a TDES-capable PCI-certified EPP keypad
- All Dispensers: all dispenser keypads actively use TDES encryption on PCI-certified EPP keypads
Milestones shown:
- TDES/PCI approved keypads in new dispensers
- Upgrade existing equipment to TDES/PCI
- TDES PIN encryption required (to maintain liability protection)
- Liability shift to retailer for continued use of 1DES DUKPT
Choices for Retailers
What options do retailers have?
- Upgrade dispensers with PCI Encrypting PIN Pads
- Install new TDES-capable PCI compliant fuel dispensers
- Require PIN debit customers to pay in store
- Do nothing now and stop accepting PIN debit as of July 1, 2010
- Assume risk of non-compliance / compromise liability for use of Single-DES DUKPT after the deadline
Note: Your Processor or Major Oil Brand may limit your choices or influence the timing of upgrades.
POS System Standards and Retailer Options
Scott McDowell, Director of Marketing, NA Payment, Gilbarco Veeder-Root
PA-DSS encompasses the complete Payment System
(Diagram.) Components shown: card issuers, merchant acquirers, host servers, corporate server, wireless terminals, websites, POS terminals, POS terminal software applications, infrastructure, procedures and processes, automated fuel dispensers, and indoor PIN pads.
Standards shown: PCI DSS Standard, PA-DSS Standard, PCI PED Standard, PCI EPP Standard.
Payment Application Compliance Timeline
Visa is implementing a series of mandates to eliminate the use of non-secure payment applications from the Visa payment system.
PABP / PA-DSS: applies to purchased software applications.
(Timeline chart spanning Q3 2008 to Q2 2011.)
- Remove all known vulnerable applications
- Upgrade or remove non-compliant applications
- Only install PA-DSS applications for NEW sites
Don't Delay, Deadlines are Fast Approaching
- Education (PCI-DSS, PA-DSS, PED, EPP): PCI Security Standards Council, www.pcisecuritystandards.org; PCI Quick Reference Guide
- Self Assessment (PCI-DSS, PA-DSS): inventory and document site infrastructure; Self Assessment Questionnaire; Standards Training
- Look at the big picture
- Talk to your Vendors
- Engage a QSA
- Don't wait
Implementing PCI: A Customer's Perspective
Dresser Wayne Solutions, Gilbarco Veeder-Root Solutions, VeriFone Solutions

Bobby Dutcher, President, Atlanta Petroleum Equipment Company, Inc.
PCI Upgrade Prep
- Are we switching POS equipment brands?
- Do we need a new interface box?
- Do we need electrical outlets?
- Do we need PIN Pad stands?
- Do we have a site configuration report?
- Is there a back office and scanning system present?
- Are the Automated Fuel Dispensers operational?
APEC Site Planning Tool
- Do we need to change any card reader BIOS chips?
- Are there enough wires for communication?
- Are there any ADA keypads involved?
- Do we need to upgrade any components on existing dispensers?
- Do any dispensers need any new decals?
Typical Upgrade Process
Prior to Site Visit
- Check kits to ensure they are complete and accurate
- Verify keypad environment variables in our lab
- Map keypads if needed in our lab
During Site Visit
- Block off subject dispenser for upgrade
- Upgrade dispenser components
- Test operations in manual
- Put dispenser on-line and test operations
- Open to customers and move to next dispenser
- Verify all upgraded dispensers on-line and operating
Changeover Timeline: one day; site downtime 1 hour
Issues to Watch For
- Unable to put site on 3DES when only POS upgraded because:
  - Site takes debit and AFD not upgraded yet, so debit would be disabled
  - Network not ready to accept and process 3DES encryption keys
- Unable to put site on 3DES when only AFD upgraded because:
  - POS not able to accept and process 3DES encryption keys
  - Network not ready to accept and process 3DES encryption keys
- Unable to put site on 3DES after POS and AFD upgraded because:
  - Network not ready to accept and process 3DES encryption keys
  - Some Brands have multiple encryption keys in operation
Key Learning: Prepare ahead of time to avoid scenarios that require making multiple trips to the site.
Shell Station, Atlanta, Georgia
Successful Site Upgrade
- Installation proceeded as planned
- Equipment updates went smoothly
- Dispensers experienced minimal downtime
- Total upgrade took less than a day
- Customer very satisfied with results
Notable benefits from the upgrade
- Refreshed user interface on dispensers
- Latest technology components; upgradeability to future requirements
- 3DES encryption loaded and ready for Shell switchover in the future
Local site here in Vegas with similar ix Pay upgrade: Green Valley Grocery, Sahara & Decatur
Case Study Background
Pre-Upgrade Details
- G-Site installations at all 68 locations in TX
- Mixture of Gilbarco dispensers
  - Non-upgradeable dispensers: MPD3, Wayne
  - Upgraded units: Advantage, Encore 300, 500, and S
Post-Upgrade Details
- Installed Passport V8.02, featuring new PCI d-hub design
- Replaced 30 dispensers with Encore S with FlexPay EPP
- Upgraded OEM retrofits for Advantage and Encore dispensers
- Customer expectation of 58 days to meet 12/31/09 Shell Program
Preparing for the Upgrade: Preparing the Sites for PCI Upgrade
Point of Sale
- Survey and record service needs
- Setup equipment off-site
- Training and pre-install
- Confirm with network
Dispensers
- Survey and record service needs
- Confirm kit contents with survey checklist
- Organize kits by site with part numbers
Key learning / Opportunities for improvement
- Gain buy-in from customers
- Review checklist with installation crew daily
Timeline vs. Merchant expectations: customer expectation of 58 days vs. actual of 40 days
Completing the PCI Upgrade
Upgrading POS
- Convert data & install on new POS
Upgrading AFDs
- Remove CIM door
- Install kit parts & reassemble
- Upgrade (if necessary)
- Start up
St. Romain Oil Company, Mansura, LA
- 23 sites across Louisiana & Texas
- Fuel, Convenience Retail, Made to Order Food, Fleet
Preparing for the PCI Upgrade
Preparing for the Installation
- Developed a strategy and upgrade plan well in advance
- Tuesdays are good conversion days
- Performed site surveys before ordering any equipment
Order Equipment Early
- Allow 6-8 weeks for equipment to ship
- Have a contingency plan
Simplify the Conversion Process
- Duplicated site configurations and Price Book structure from previously converted stores
Key Learnings and Ways to Improve
Preparing for the PCI Upgrade
- Take time to plan and manage the schedule carefully
- Designate a Project Manager
- Service Techs MUST be certified to install the equipment
- Verify that your CC network is up before upgrading the POS
- Beware that Debit Keys may need to be the same both inside and outside (network host requirement)
Actual Timeline vs. What We Planned
- Planned 23 sites over a 5-month period; took 6 months
Completing the PCI Upgrade
High level activities for upgrading POS
- Price Book/PLU issues
- Planned in advance for integration of back office software and new POS system
- Plan for Manager & Cashier training (next shift = New System)
- Next day has new Report Balancing processing (office personnel)
- Topaz keyboard made the transition from G-Site easy
High level activities for upgrading Dispensers
- Equipment staging and pre-installation streamlined the upgrade
- Minimal out of service; converted half of pumps at a time
- Color graphics on Secure PumpPAY and Shell Rewards are a big deal to customers
Unexpected Benefits from the upgrade
- Customers thought we installed new pumps
- Secure PumpPAY graphics grab attention; began running made to order food specials immediately; easy to change content remotely with broadband access tool
Bottom Line: Smooth Installation!
Q&A Session