The Green Sheet Online Edition
December 08, 2008 • Issue 08:12:01
Gear up now for PCI PED compliance
Ralph Waldo Emerson said, "This time, like all times, is a very good one - if we but know what to do with it." As we run out the clock on 2008, I suggest that one important thing we should do with our time is prepare to meet the Payment Card Industry (PCI) PIN Entry Device (PED) deadline of July 1, 2010, now just 18 months away.
While a year and a half may seem like ample lead time to attain compliance, in reality it is very short in light of PCI PED's far-reaching operational demands.
Regardless of where you are in the process of PCI PED implementation, important background issues need to be addressed - who is responsible for the cost being chief among them. Do ISOs pay the costs of getting their merchants compliant or does that responsibility fall on merchants? Obviously, this issue is inextricably linked with merchant retention.
Other issues include the broad sales decline registered in the fourth quarter of 2008, when many businesses generate most or all of their profits for the year.
In November 2008, the U.S. Commerce Department reported U.S. retail sales had fallen a record 2.8 percent in October, far worse than the 2 percent economists had predicted. Notably, sales declines were broad, across types of merchandise (building supplies, appliances, furniture) and types of businesses (department stores, discounters and so forth).
The well-being of financial institutions and ISOs is also in play, as both types of service providers feel the effects of an economy that seems to have lost its footing.
One at a time
In regard to the first issue, I have no advice, other than to warn ISOs to weigh wisely the "who pays" decision, as there are pros and cons on both sides, and the best answer will vary from company to company. If ISOs are not yet pursuing PCI PED implementation, they may be shut out of the game entirely. They need to get busy. In the meantime, here's an update of the two deadlines:
- July 1, 2010 - The date when a complete phaseout of noncompliant PEDs that are stand-alone PIN pads is mandated. In addition, some early integrated devices with internal PIN pads must be eliminated.
- Dec. 31, 2014 - The sunset date established by Visa Inc. for Visa PED devices; after this, all PEDs in the field must be PCI certified.
So, what are the operational requirements for the initial deadline, 18 months from now? And what needs to happen first?
The first step is to identify merchants with noncompliant PEDs. Financial institutions and ISOs that have begun the upgrading process report this is a daunting task that includes determining who has what PEDs, who is noncompliant, who has received swap-outs with Visa PEDs and so forth. In a perfect world, records would tell us these things. In the real world, record keeping is sketchy at best.
Step two is determining the fate of noncompliant devices discarded by merchants. Will they be returned for verified destruction, hopefully in an eco-friendly manner? Next, if merchants bear the cost burdens of compliance, the manner in which billing is handled must also be determined; processes and procedures must also be developed.
Simultaneously with these steps, a previously determined quantity of compliant PCI PEDs, or a quantity of integrated devices with internal PIN pads, must be obtained or on order. Once they arrive, each device must go through the time-consuming encryption and testing process - made even longer by the new triple DES (3DES) algorithmic standard.
Then, the problem of integrated units with internal PIN pads needs to be addressed. One approach is to add an external PCI PED, disabling the internal device. This, according to Visa, is permitted because an integrated device with a disabled PIN pad falls outside the PCI PED requirements.
If an integrated device with a noncompliant internal PIN pad is being replaced with an integrated device with a compliant PIN pad, an additional and separate step of programming and testing follows.
Once encrypted and/or programmed and tested, the PEDs will then be deployed in a systematic fashion with the expectation that the majority of merchants will follow directions. The terminal must be powered down before the PIN pad is installed; connecting a PIN pad to a powered terminal blows out its encryption, leaving a "blown" PED that has to be reworked.
ISOs constructing pricing models for meeting the PCI PED deadline should build in 12 percent to 15 percent for reworking merchants' systems and addressing a number of nonreturns on blown PCI PEDs.
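As an added illustration of the inventory, procurement and pricing steps above (this is constructed example code, not the article's or CardWare International's own process), the script below classifies each deployed device against the two dates quoted in the article, builds a per-merchant action list with overdue flags, and sizes a PCI PED order with the 12 to 15 percent rework allowance. Merchant IDs, model names and approval statuses are invented sample data; the classification rules follow the article's text, and the three approval categories are an assumption about how device records might be kept.

```python
"""Constructed example: reconcile a PIN-entry-device inventory against the
PCI PED phase-out dates. Merchants, models and statuses are invented."""
import math
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Deadlines quoted in the article.
STANDALONE_PHASEOUT = date(2010, 7, 1)   # noncompliant stand-alone PEDs (and early integrated units) must be gone
VISA_PED_SUNSET = date(2014, 12, 31)     # Visa-approved PEDs may stay in the field until this date


class Approval(Enum):
    """Approval status on record for a device (assumed record-keeping categories)."""
    PCI = "pci"      # PCI PED certified
    VISA = "visa"    # older Visa PED approval only
    NONE = "none"    # no approval on record


@dataclass
class Device:
    merchant_id: str
    model: str                           # invented model names
    approval: Approval
    integrated: bool                     # True: terminal with internal PIN pad; False: stand-alone pad
    internal_pad_disabled: bool = False  # integrated unit now using an external PCI PED instead


def classify(dev: Device) -> Tuple[str, Optional[date]]:
    """Map one device to (action, deadline); a None deadline means nothing to do."""
    if dev.approval is Approval.PCI:
        return ("compliant", None)
    if dev.integrated and dev.internal_pad_disabled:
        # An integrated device with its internal pad disabled falls outside PCI PED requirements.
        return ("compliant-external-pad", None)
    if dev.approval is Approval.VISA:
        return ("replace-before-sunset", VISA_PED_SUNSET)
    if dev.integrated:
        return ("add-external-ped-or-replace", STANDALONE_PHASEOUT)
    return ("replace-standalone", STANDALONE_PHASEOUT)


def plan(devices: List[Device], today: date) -> Dict[str, List[dict]]:
    """Per-merchant list of required actions, earliest deadline first, with overdue flags."""
    out: Dict[str, List[dict]] = {}
    for dev in devices:
        action, deadline = classify(dev)
        if deadline is None:
            continue  # already compliant
        days_left = (deadline - today).days
        out.setdefault(dev.merchant_id, []).append({
            "model": dev.model,
            "action": action,
            "deadline": deadline.isoformat(),
            "days_left": days_left,
            "overdue": days_left < 0,
        })
    for items in out.values():
        items.sort(key=lambda item: item["deadline"])
    return out


def order_quantity(devices: List[Device], due_by: date = STANDALONE_PHASEOUT,
                   contingency: float = 0.15) -> Tuple[int, int]:
    """Units needing a PCI PED by `due_by`, and the same figure padded for rework and nonreturns.
    The article suggests 12 to 15 percent; 15 percent is the default here."""
    base = 0
    for dev in devices:
        _, deadline = classify(dev)
        if deadline is not None and deadline <= due_by:
            base += 1
    return base, math.ceil(base * (1 + contingency))


# Constructed inventory (not real merchants or products).
INVENTORY = [
    Device("M-1001", "PAD-A", Approval.NONE, integrated=False),
    Device("M-1001", "PAD-B", Approval.PCI, integrated=False),
    Device("M-1002", "TERM-X", Approval.NONE, integrated=True),
    Device("M-1003", "PAD-C", Approval.VISA, integrated=False),
    Device("M-1004", "TERM-Y", Approval.NONE, integrated=True, internal_pad_disabled=True),
]

if __name__ == "__main__":
    today = date(2008, 12, 8)  # the article's issue date
    for merchant, items in sorted(plan(INVENTORY, today).items()):
        for item in items:
            print(merchant, item["model"], item["action"], item["deadline"], item["days_left"])
    print("PCI PEDs to order by July 2010 (base, with contingency):", order_quantity(INVENTORY))
```

Run against a real device register, the `plan` output is the swap-out work list and the `order_quantity` figure is the procurement number to place with the manufacturer; rerunning with a later `today` surfaces the devices that have slipped past their date.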
The perfect storm
A factor not often considered is that encryption standards require considerable infrastructure for computers, encryption hardware and software, and secure facilities, as well as trained and certified personnel to monitor and maintain the newly compliant systems. Encryption service organization (ESO) and PCI requirements do not permit you or me to pull people off the street, give them five minutes of training and throw them into an unsecured warehouse to encrypt PIN pads.
As a certified ESO, CardWare International predicts that at the 11th hour - a few months before the deadline - two factors will collide to create the perfect PCI PED storm. Those factors are insufficient time and manpower and a lack of availability of PCI PEDs.
Let's examine PCI PED from the perspective of a credible, successful manufacturer. Would that manufacturer commit resources to producing and stockpiling PCI PEDs in anticipation of a need that could not be quantified? The answer, of course, is no.
Similarly, when it comes to manpower, no ESO or processor keeps highly trained personnel on the payroll on the chance that a particular PCI PED project might materialize.
Head in the sand
Experience indicates the vast majority of financial institutions, ISOs and merchants will procrastinate and expect the deadline of PCI PED to just go away. Or they believe the deadline will pass without any consequences, similar to the nonevent of Y2K.
By virtue of the security environment in which the payments industry operates, regulatory tendencies are likely to continue to tighten.
But there is no reasonable chance that PCI PED will be anything but the game changer it was engineered to be.
So, when crunch time comes, where will you and your merchants be in terms of compliance? And, equally important, at what cost?
My take is that now, not next month or next quarter, is the time to implement PCI PED upgrades to get merchants in compliance - and out of the woods - by July 2010.
It is true, as Thomas Paine so wisely pointed out, that time makes more converts than reason. But when time is on your side, the economics are as well. And that may be the most compelling argument of all.
Biff Matthews is President of Thirteen Inc., the parent company of CardWare International, based in Heath, Ohio. He is one of 12 founding members of the Electronic Transactions Association, serving on its board, advisory board and committees. Call him at 740-522-2150, or e-mail him at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.