PCI – Payment Card Industry

Understand the differences between PCI DSS, PCI PED, and EPP, and the mandates associated with each. The standards are built to provide a consistent level of security across site systems and to give the retailer the means to protect consumers as well.

Comments

  • Lucy said:

    This blog is extremely valuable - there is a lot of confusion about regulatory requirements out there - what a great step to clearing that up

  • Terry said:

    Wow! This site is great! We’ve been considering ways our company can inform our customers about PCI compliance. This site is all they’ll need! It far surpasses any efforts - albeit sincere - we’ve attempted!

    You’ve presented the Who, What, When, Why and Hows in a sharp, user-friendly format that will undoubtedly help retailers understand the nuts and bolts of PCI compliance. GVR products will allow the retailer to accomplish compliance in the most cost-effective, sensible way possible.

    The “El Monte” news video you’ve posted is so eye-opening and will help the retailer better-understand the need for attention to compliance. The bottom line: to protect the consumer is to protect your livelihood!

    Thanks for your efforts!

    Sign me a proud GVR distributor!
    Terry

  • Terry said:

    I feel like I’ve got a handle on what’s needed to attain PCI-Compliance at the dispenser, but what about the POS?

    I understand G-Site will never be PCI-Compliant; so when does it have to be changed out with another POS?

    Thanks!

  • Greg D. said:

    Terry,

    Gilbarco® G-SITE® point of sale system has been one of the most popular and successful products in our industry for more than 20 years. With more than 40,000 sites installed, G-SITE revolutionized retail automation as one of the first PC-based point of sale systems designed for fuel retailers. We thank you and all our customers for making G-SITE such a success for so many years.

    The Payment Application Best Practices (PABP) sets forth requirements that must be met by merchants who process on the VISA network. Click here to see a chart showing the critical dates:

    As these dates outline, a merchant has a window in which to transition to compliant systems.

    Looking forward, please note several observations. First, we are pleased that the market has rapidly adopted our newer Passport® point of sale system. Passport’s ability to meet new and emerging PABP and other Payment Card Industry (PCI) requirements on all major networks makes it an excellent choice for today and tomorrow. Its use of open platforms means faster development as well as richer features and interfaces.

    G-SITE was built on a closed legacy architecture that is unable to meet PCI requirements and best practices that our customers will want to observe. G-SITE is not, and cannot be made, PABP/PCI compliant. The architecture of the system, while safe, does not permit the data encryption, password schemes, and other features required under VISA mandates. Because G-SITE is already certified on all networks, the general deadline that is most important to our customers is July 1, 2010. Visa mandates list July 1, 2010 as the date by which all networks must use PABP-compliant applications, meaning G-SITE must be removed by this date. Most networks, however, have already announced migration plans and G-SITE removal dates that may or may not match the Visa-mandated dates. You should contact your specific network provider to confirm whether this date is valid for your site(s).

  • Bob said:

    Do you have to change out your G-Site to Passport to have it PCI compliant, or is it PCI for the pump only? Thanks.

  • Greg D. said:

    You will need to migrate your G-SITE application to Passport for PCI compliance. PCI is a group of standards that cover all aspects of site systems security.

    PCI-PED (PCI PIN Entry Device) standards define how PIN pads, both inside and outside in the dispenser, must work to ensure maximum security. Triple-DES encrypting PIN pads in the dispenser fall into this set of mandates.

    PCI-DSS (PCI Data Security Standards) standards define how store payment devices must work. POS and any other payment devices must meet PCI-DSS mandates. PCI-DSS states that all non-compliant applications must be removed from the credit network by 7/1/2010.

    Per previous announcements, G-SITE cannot feasibly meet PCI-DSS mandates and has been designated end of life. Sales of new G-SITEs end 12/31/2008; support of installed devices ends 12/31/2011.

  • Tivis said:

    Does the PCI standard affect credit transactions at the pump or inside at the PIN pad? A PCI QSA told me that it does and referred me to this passage: “Does PCI DSS apply to debit cards, debit payments, and debit systems? Any payment card (credit, debit, prepaid, stored value, gift or chip) bearing the logo of one of the PCI Security Standards Council’s five founding payment brands is required to be protected as prescribed by the PCI DSS.” Other people told me that turning off debit at the pump would leave me PCI compliant with a Passport or Ruby system. Could I get some clarification please?

  • Greg M. said:

    Tivis:

    It is true that both credit and debit transactions are subject to PCI mandates. In fact (as you stated below), any payment card bearing the logo of one of the PCI Security Standards Council’s five founding brands is governed by PCI standards. It is important that this is clearly understood.

    However, PCI PED (PIN entry device) and PCI EPP (encrypting PIN pad) security requirements state that a keypad replacement is only required for debit transactions. No other major hardware modifications are required at the fuel dispenser or inside at the POS. This assumes, of course, that your POS is PCI-compliant.

    Under the right circumstances, it’s possible to be PCI-compliant by simply shutting debit off at the dispenser. This configuration requires that the POS is capable of shutting off debit at the dispenser while running debit inside the store. It also requires that the network accepts debit + credit inside and credit only outside. This will be difficult to make work, but it may be possible.

    When answering the “should I purchase EPPs?” question, keep in mind that when a customer shuts debit off at the dispenser, a higher transaction fee will be realized for the use of credit. This adds up quickly; in most cases, it exceeds the cost of upgrading to EPPs within a couple of years. This analysis should be performed for every customer to determine the payoff period of PCI-compliant debit transactions.

    Thanks for the great questions. Feel free to let me know if you have further issues.

    -greg

  • Adam Balcazar said:

    Can you give any “specific” example of P.O.S. configurations that will not work with the current PCI requirements, particularly with Gilbarco EPP retrofit kits? I get at least one inquiry a day from customers and I feel like I’m not getting the specifics to relay to them. For example, if a station currently has a G-Site (pre 1/1/04), will he have to completely overhaul his G-Site in favor of a Passport to facilitate these EPP retrofit kits?

  • Ben Hartmann said:

    Hi,
    Thanks for this excellent blog.
    Could you please clarify whether the following scenario supports the PCI requirements?
    - A mobile phone payment application encrypts (using AES) and stores the PAN + expiration date on the device but does NOT store the CVV.
    - The key used to encrypt these data is a PIN that the application requires the user to create; user needs to enter this PIN each time he/she wants to do a transaction or edit his/her payment info
    - The application never displays the full PAN (only the last 4 digits) when users want to modify their payment info or need to select the card to use for a transaction.
    - To do a payment transaction the user is then 1) required to enter the PIN they had to create 2) enter the CVV. The card information is sent to a PCI compliant payment processor over SSL.

    Hope this is clear enough.
    Thanks much in advance,
    Ben
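Ben’s scenario above, implemented as an added example that is not part of the original page or of any Gilbarco product: the PAN and expiry are sealed with AES-GCM under a key derived from the user’s PIN, the CVV is never written to storage, and the display path only ever shows the last four digits. The same code then shows the check a practitioner would want before accepting the design: a numeric PIN has only 10^digits possible values, so an attacker who copies the encrypted record off the handset can try every PIN offline, and the GCM authentication tag tells them which guess was right, however strong AES itself is. Assumptions, none of which come from the page: iterated SHA-256 stands in for a real KDF such as PBKDF2, the PIN is four digits, and the card number is the well-known "4111..." test PAN, constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// StoredCard is the record the hypothetical wallet app keeps on the handset:
// ciphertext of "PAN|expiry", the salt and nonce needed to decrypt it, and the
// last four digits in the clear for display. The CVV is never stored.
type StoredCard struct {
	Salt, Nonce, Ciphertext []byte
	Last4                   string
}

// kdfIterations stretches the PIN before it becomes an AES key. Iterated
// SHA-256 is an assumption standing in for a real KDF (PBKDF2, scrypt); it is
// kept small so the brute-force demonstration below finishes in seconds.
const kdfIterations = 200

func deriveKey(pin string, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pin...))
	for i := 1; i < kdfIterations; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

func newGCM(pin string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(pin, salt))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals PAN and expiry under the PIN-derived key. Note what is NOT a
// parameter: the CVV, which the scenario requires the user to type per transaction.
func Encrypt(pin, pan, expiry string) (StoredCard, error) {
	if len(pan) < 4 {
		return StoredCard{}, errors.New("PAN too short")
	}
	salt := make([]byte, 16)
	nonce := make([]byte, 12)
	if _, err := rand.Read(salt); err != nil {
		return StoredCard{}, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return StoredCard{}, err
	}
	gcm, err := newGCM(pin, salt)
	if err != nil {
		return StoredCard{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(pan+"|"+expiry), nil)
	return StoredCard{Salt: salt, Nonce: nonce, Ciphertext: ct, Last4: pan[len(pan)-4:]}, nil
}

// Decrypt recovers PAN and expiry; a wrong PIN fails GCM authentication.
func Decrypt(pin string, c StoredCard) (pan, expiry string, err error) {
	gcm, err := newGCM(pin, c.Salt)
	if err != nil {
		return "", "", err
	}
	pt, err := gcm.Open(nil, c.Nonce, c.Ciphertext, nil)
	if err != nil {
		return "", "", err
	}
	parts := strings.SplitN(string(pt), "|", 2)
	if len(parts) != 2 {
		return "", "", errors.New("malformed plaintext")
	}
	return parts[0], parts[1], nil
}

// MaskPAN renders a PAN the way the app displays it: only the last four digits.
func MaskPAN(pan string) string {
	if len(pan) <= 4 {
		return pan
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

// BruteForcePIN is the offline attack available to anyone holding a copy of the
// handset's storage: every numeric PIN of the given length is tried, and the GCM
// tag reveals the right one. Returns the PIN and the number of guesses used.
func BruteForcePIN(c StoredCard, digits int) (string, int, error) {
	limit := 1
	for i := 0; i < digits; i++ {
		limit *= 10
	}
	for n := 0; n < limit; n++ {
		guess := fmt.Sprintf("%0*d", digits, n)
		if _, _, err := Decrypt(guess, c); err == nil {
			return guess, n + 1, nil
		}
	}
	return "", limit, errors.New("PIN not found")
}

func main() {
	// Constructed sample: a standard test PAN, not a real account.
	card, err := Encrypt("4921", "4111111111111111", "12/29")
	if err != nil {
		panic(err)
	}
	fmt.Println("display:", MaskPAN("4111111111111111"))
	pin, tries, err := BruteForcePIN(card, 4)
	fmt.Println("recovered PIN:", pin, "after", tries, "guesses, err:", err)
}
```

The masking and no-CVV parts of the scenario are straightforward to get right; the PIN-as-key part is the one to question. With a four-digit PIN the search above finishes in well under ten thousand attempts no matter how many KDF iterations are used, because the iteration count only scales the attacker’s cost linearly while the keyspace stays at 10,000. Whether that is acceptable is a question for the QSA, not for the code.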
