New Data Security Standards from Payment Card Industry (PCI)
PCI compliance is one of the latest buzzwords in our industry. What is PCI? PCI is an abbreviation for Payment Card Industry. Often you see the term PCI DSS (Payment Card Industry Data Security Standards). PCI DSS is a set of technical requirements and testing methods to help ensure the safe handling of sensitive cardholder information. Visa, MasterCard, American Express, Discover Financial Services, and JCB have adopted the standards and are working to evolve additional standards and refinements to protect cardholder data and reduce fraud.
The standards are mandatory and apply to all retailers, including your convenience store customers. There are significant costs involved for retailers that are not compliant and then experience a system breach that compromises cardholder data. The Payment Card Industry covered over $1.4 billion in fraudulent cardholder charges this past year. In the future, it is their intention to shift the liability for fraudulent charges to the retailers whose systems are breached and to assess significant fines against them.
While the PCI DSS applies to all points of vulnerability within an electronic transaction system, Bennett’s primary concern is compliance with the standards for payment devices in the dispenser. If you read any of the myriad articles about PCI compliance issues, you will see dispensers referred to as AFDs (Automated Fuel Dispensers).
Three key deadlines for compliance implementation are rapidly approaching:
December 31, 2007
Visa PED (Pre PCI) devices cannot be sold after this date in new dispenser designs. This category includes the Everest Plus device manufactured by VeriFone and used in the Bennett Horizon2 dispenser. Failed units can be replaced on a like-for-like basis. There is currently no sunset date for the continued use of existing devices.
December 31, 2008
After this date, all new fuel dispensers must have PCI-approved PIN entry devices (PEDs) installed.
July 1, 2010
All payment devices in fuel dispensers must support the Triple Data Encryption Standard (TDES), which is required for PCI certification and is mandatory in all automated fuel dispensers. Additionally, all “Never Approved” old terminals that were introduced before evaluations were performed must be removed from service. “Never Approved” includes the DCA credit-only payment terminals in Bennett late 9000 series and Horizon1 dispensers.
Bennett’s new Pacific series fuel dispensers are equipped with a PCI-compliant payment system from VeriFone® (Model OP4100 Secure PumpPAY™). Pacific dispensers will be available in the first quarter of 2008. We believe this is the only PCI-approved solution that includes a PCI EPP keypad, secure magnetic stripe reader, and TDES encryption that can be purchased today. We are taking orders for Pacific dispensers for 1st quarter production that include the PCI-approved card reader. VeriFone’s Secure PumpPAY also offers:
• an ATM-style keypad, screen-addressable keys, and a hybrid card reader.
• built-in contactless readers supporting a variety of contactless payment schemes (one of the fastest growing payment methods worldwide).
• a large 5.7-inch color display.
For complete details of the VeriFone Secure PumpPAY, you can download the brochure at: http://www.verifone.com/PDF/SPP_Datasheet_08_US.pdf or http://verifone.customer.def6.com/PDF/VFIS001SecurePumpPAY_Letter.pdf
The model of the PCI-approved EPP (encrypting PIN pad) used in the VeriFone OP4100 is OP 312. An approval list is available on the Visa partner network (www.partnernetwork.visa.com); use the search window there and search for “PED Approval List”.