The Green Sheet Online Edition
April 14, 2008 • Issue 08:04:01
Tick tock: Time to comply with PCI
I ordered a countdown clock for CardWare International's home page in March 2008. The tool will tick away hours remaining until July 1, 2010 - the deadline for compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) PIN entry device (PED) security mandate.
I don't think this action is premature or melodramatic (both have been alleged). What I do think is that we, as ISOs and merchant level salespeople, will suffer if we do not act on this soon.
It won't be Y2K, but there will be similarities to the chaos, confusion and dollars wasted. The difference is that turmoil is completely avoidable this time. Getting in PCI compliance sooner rather than later isn't difficult or costly. But that won't be true for long.
Get the gear
A primary PCI DSS mandate requires that all PIN PED equipment be compliant with new security standards by July 1, 2010. This will necessitate relocation of many machines and the decommissioning of noncompliant devices.
There are three parts to consider when completing the puzzle of compliance. First, noncompliant units have not been manufactured for several years, but there are many still in use. They must be replaced. So, the first action would be to keep on the lookout for older machines.
The second part is in regard to Visa Inc. PEDs, as there is an ongoing debate on how long these units are able to remain in service.
Some sources close to the issue say the deadline is late 2010 and others say these machines can be used "indefinitely" as long as they continue to function. Remanufacturing these items to make them compliant isn't viable or cost effective.
The third piece of the puzzle is PCI PEDs. These are units manufactured with the highest security provisions. As of January 2008, only PCI PED units were authorized for deployment. Unless, of course, you had inventory for older equipment. Then, the "race period" became a grace period - for a while, anyway.
The current priority is to get a determination from the PCI Security Standards Council (SSC) as to whether Visa PEDs must be replaced, can be used indefinitely, or if those with internal PIN pads can be converted to terminal-only operations with encryptions removed and external PCI PED PIN pads attached to them.
Ready your PIN pads
That popular middle ground of Visa PED is where the unanswered questions reside. But regardless, three things are certain: There will be deadlines; there are requirements; and the reality of a massive crunch will intensify as the date draws closer.
The reasons for this inevitable PIN pad doomsday are:
- Time: Substantial hours are required to encrypt and deploy PCI PEDs and to retrieve noncompliant units from service.
- Supply: As the compliance deadline approaches, it is unclear whether or how manufacturers will satisfy the demand for new units.
The card Associations and the PCI SSC expect that between now and 2010, Visa PEDs will fail as a matter of course and will be replaced with PIN PED units.
However, a PIN pad doesn't experience wear and tear like a terminal or printer, and its propensity for failure is less predictable. To expect all Visa PEDs slated for replacement by 2010 to malfunction before the deadline expires is unrealistic.
Units with internal PIN pads could get a second life with the addition of external PIN pads. This is assuming that those handling the transition know when you plug an external device into the terminal, you have to make sure it does not have power or it blows the encryption.
The wholesale cost for this is $45 to $75 per unit, depending on the quantity ordered by the end user. Retail, it's $75 to $125 per unit plus shipping, encryption of the PIN pad and destruction of the noncompliant device.
Seek and destroy
Particularly in these uncertain economic times, no manufacturer can afford to produce products in advance of an unknown, uncertain future demand. There is no way to determine how many of the nonsecure devices remain in use, and how many Visa PEDs have been retired. If I made 12 million devices, are there 8 million in existence now? Seven million? Ten million? All I know is that I made and sold 12 million; no one today manufactures in anticipation of demand.
Concerning PCI's requirement that old equipment be destroyed, many envision black market opportunities and exporting outdated units across the Pacific Ocean. Thus, it is wise to not only remove these devices from service, but also to use serial numbers to document their destruction.
From a sales standpoint, you want your merchants to benefit from the best available processing security. This necessary upgrade is analogous to the U.S. government's move to high-definition television. The government mandated high-definition transmission to take place in 2009, and for consumers, the choices are to buy converter boxes or digital-enabled televisions. This is the equivalent of PED regulations.
It's incumbent on all of us to help bring merchants into compliance with the new standards quickly. Procrastination will cause a collision of logistics, people and products that will benefit no one.
Will merchants be eager to pay the inevitable premium for rush service - immediately prior to the winter holiday selling season to boot? Mandates aside, there are a few laws that everyone understands, one being supply and demand. We can all be proactive and avoid premium expense and uncertain supply - or not.
With a little planning, the 2010 requirements can be met simultaneously with Discover Financial Services' opt-in/opt-out requirement (deadline is December 2008) and American Express Co.'s reprogramming requirement due to the elimination of split dial electronic draft capture (deadline is June 2008). That is the smartest, most cost effective strategy.
Keeping up with all of the requirements will also shield your merchants from equipment supply issues, unnecessary distractions during seasonal selling peaks and the headaches brought on when the grace period truly does turn into a scramble for compliance - and there is no turning back.
Biff Matthews is President of Thirteen Inc., the parent company of CardWare International, based in Heath, Ohio. He is one of 12 founding members of the Electronic Transactions Association, serving on its board, advisory board and committees. Call him at 740-522-2150 or e-mail him at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.