Welcome to Gilbarco’s Payment Security Blogsite
The purpose of this site is to provide information surrounding mandates around PCI compliance. So please, take a look around, give us input, and we’ll make sure we address your questions.
What is the basic information around getting PCI compliant at the pump?
The site was launched this week at NACS Tech, where petroleum retailers attended three education tracks on PCI. The content reviewed covered PCI 101 (the basics), Achieving PCI Compliance (the process to comply), and Above and Beyond Compliance (a retailer's perspective on meeting compliance).
Experts from this site participated in and led all three of these sessions, and can answer your questions about PCI. Post a question and get a response from one of our industry experts on PCI compliance.
The basic PCI mandates focus on debit transactions only. The new requirements state that a certified PCI Encrypting PIN Pad (EPP) should be installed on any new dispenser deployments after Jan 1, 2009, and all existing pumps need an EPP retrofit by July 1, 2010.
According to Visa and PCI, there is no mandate for full CRIND replacement or security. It is a PIN Pad replacement only…
With this change, retailers are also evaluating enhanced security products that protect the card data itself. Be sure to choose a card reader product that protects the data with both encryption and physical security.
Does PCI compliance at the CRIND apply to debit transactions ONLY or both debit and credit transactions?
Butch: PCI compliance at the CRIND only applies to debit. The PCI requirement is to replace your current membrane PIN Pad with a certified PCI EPP (Encrypting PIN Pad). This PIN Pad must be physically protected from breach and capable of communicating with TDES encryption.
There are future mandates called PCI UPT (unattended payment terminal), which should be approved this year. This regulation only applies to new dispensers, and requires no retrofits into existing dispensers. If this regulation is approved as written today, it will require PIN Pads, Secure Card Readers, and Secure screen prompting in new dispensers. This is not approved, and only applies to new dispenser purchases.
I stumbled upon a site that was told by one of our competitors that they are required to get EPP done to their existing dispensers; but because the site has Gilbarco B78 and B7C dispensers, they were told the EPP would not work with this type of dispenser, so the site would have to purchase brand new dispensers in the next year with the UPT. This is very costly for the site. Is it true that the EPP won’t work with the B78 and B7C dispensers?
Gilbarco is offering an EPP solution for 1991 Advantage dispensers and earlier. This includes kits for Eclipse, Advantage, Encore 300, Encore 500, and Encore 500s.
For dispensers that were made prior to this year, we recommend the FlexPay CRIND product or a new PCI compliant dispenser purchase. These products can be found on the Gilbarco corporate website at http://www.gilbarco.com, or you can contact your local Gilbarco representative or distributor.
If you are not taking debit at the pump, do the card readers need to be updated to meet PCI compliance?
Do Wright Express and the cards that require a PIN mean the card readers need to be updated?
Hi,
Can someone please answer the question below that was asked by Michelle on July 14th, 2008? I am about to purchase some used Gilbarco B78 and I would like to know if PCI compliance is an issue?
Thanks
I stumbled upon a site that was told by one of our competitors that they are required to get EPP done to their existing dispensers; but because the site has Gilbarco B78 and B7C dispensers, they were told the EPP would not work with this type of dispenser, so the site would have to purchase brand new dispensers in the next year with the UPT. This is very costly for the site. Is it true that the EPP won’t work with the B78 and B7C dispensers?
PCI compliance is not an issue for either of these dispensers.
The B78 is a narrow-frame Advantage series 3+0 selectable blender; the B7C is a wideframe Advantage 3+1 selectable blender. For both of these models, Gilbarco has developed FlexPay EPP retrofit kits that are now available for full PCI compliance.
I need an enterprise software solution to securely store credit cards. It would need to have multiple user accounts and granular permission levels. Please recommend a solution.
Hello Joshua.
I wish there was a quick and simple, “one size fits all” solution for PCI DSS Compliance, but there isn’t.
The PCI standards are aimed at protecting credit card data for its entire life as it is passed from the merchant to the acquirer and on to the credit card companies and the issuing banks. There is a lot of detailed security, policy and process requirements wrapped up in these standards, but keep in mind that it’s all about credit card data.
If you absolutely MUST keep card data, it’s unlikely that a single technology solution will ensure full PCI DSS compliance. The breadth of territory that PCI covers includes such things as physical and logical access controls, policies and procedures, change management, documentation and more.
So, if you don’t NEED to store any credit card data, DON’T! The fewer systems that touch credit card data, the smaller your scope.
Hope that this helps.
Folks at W. Capra Consulting Group
Joshua,
After years of experience dealing with systems management and communications, some things are rather clear. Issues such as store systems security require a centralized approach to managing store systems. There are enterprise solutions designed for mid-size retail chains that will allow you to securely manage the data and the applications on the machines at the stores. Indeed, you should not store card data in your systems. Having said that, you should have a process to verify that you are not storing card data and have a way to ensure that none of this data is leaking out of your systems. Protecting data ‘in-flight’ and data ‘at rest’ are both important. Our assertion is that one should protect the whole store and, in a multi-store operation, centralized management and centralized logging are critical. This is most certainly possible today - whether you have 10 stores or 1,000 stores - at a reasonable cost - yes, with multiple permission levels.
How do you become a PCI installer?
(A) The PCI Council provides for QSAs (Qualified Security Assessors), PA-QSAs (Payment Application Qualified Security Assessors), and ASVs (Approved Scanning Vendors). Information on each of these positions can be found on the PCI Security Standards Council website (www.pcisecuritystandards.org). There is no specific position, certification, or training available to become a PCI Installer. Each payment application vendor must produce a PA-DSS Implementation Guide that provides details on how to install and operate the payment application in a compliant manner. As long as the implementation guide is followed, the payment application should be installed in a compliant manner.
Thanks,
James
We are an inbound call center that takes catalog orders. We take orders for many different companies. When prospecting new customers, is it permissible under PCI to have prospective customers listen to live calls of other customers that may contain credit card information including cardholder demographic and CVV information?
Brian - In response to your question:
PCI-DSS requirement 7 requires that all access to cardholder data be controlled on a “business need to know” basis. Since prospective customers have no specific need to know the cardholder information, without some way to screen out the cardholder data portions of the calls you would be in violation of several of the sub-points in requirement 7. There are technologies available that allow for filtering of audio or time-delay of audio that may be suitable for use in your environment, which might allow you to meet PCI-DSS requirement 7.
Thanks,
James
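The W. Capra reply earlier on this page (have a process that verifies you are not storing card data and that none of it is leaking out) and James's answer just above (screen cardholder data out before anyone without a business need to know hears or sees it) come down to the same control: find PAN-like data in text and mask it. The Go program below is an added example, not code from this blog, from Gilbarco or from either consultancy. It scans constructed sample log lines for runs of 13 to 19 digits, keeps only those that pass the Luhn check so that order numbers and timestamps are left alone, and returns both a list of findings and a redacted copy of the text in which only the first six and last four digits survive. The card numbers in the sample are the published Visa test numbers, not real accounts.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleLog is constructed for this example. The card numbers are the
// well-known Visa test numbers, not real accounts; the order number on the
// first line is deliberately a plausible-looking digit run that fails Luhn.
const sampleLog = `2008-07-14 09:12:01 POS trace order=1234567890123456 amount=20.00
2008-07-14 09:12:02 DEBUG card=4111111111111111 exp=1209
agent: the card number is 4012 8888 8888 1881, okay`

// panPattern matches 13 to 19 digits, optionally separated by single spaces
// or dashes. The word boundaries stop a longer digit run from matching in part.
var panPattern = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid reports whether a string of digits satisfies the Luhn check
// digit that every PAN carries.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Finding records one Luhn-valid PAN candidate and the line it was found on.
type Finding struct {
	Line   int
	Masked string // first six and last four digits kept, the rest replaced by '*'
}

// maskPAN keeps the first six and last four digits (the truncation PCI DSS
// allows for display) and replaces everything in between with asterisks.
func maskPAN(digits string) string {
	return digits[:6] + strings.Repeat("*", len(digits)-10) + digits[len(digits)-4:]
}

// ScanText returns every Luhn-valid PAN candidate in text plus a copy of the
// text with each one masked. An empty findings slice is the "no card data
// stored here" result a verification process is looking for; a non-empty one
// shows exactly which lines must be cleaned up.
func ScanText(text string) ([]Finding, string) {
	var findings []Finding
	lines := strings.Split(text, "\n")
	stripSep := strings.NewReplacer(" ", "", "-", "")
	for i, line := range lines {
		lines[i] = panPattern.ReplaceAllStringFunc(line, func(m string) string {
			digits := stripSep.Replace(m)
			if !luhnValid(digits) {
				return m // order numbers and timestamps fail Luhn; leave them as-is
			}
			masked := maskPAN(digits)
			findings = append(findings, Finding{Line: i + 1, Masked: masked})
			return masked
		})
	}
	return findings, strings.Join(lines, "\n")
}

func main() {
	findings, redacted := ScanText(sampleLog)
	for _, f := range findings {
		fmt.Printf("line %d: PAN found, masked as %s\n", f.Line, f.Masked)
	}
	fmt.Println(redacted)
}
```

Run against the sample, it reports two findings (lines 2 and 3) and leaves the order number on line 1 untouched. The same `ScanText` can be pointed at POS trace files, database exports or call transcripts; the Luhn filter is what keeps the false-positive rate low enough to act on every hit.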
When we upgrade to the passport system does that eliminate the ICR, and make the credit cards go thru the Crinds unit?
Scott:
Thanks for your question on http://www.AskAboutPCI.com. I’ve consulted with our internal POS team, who gave the following response to your question:
I take it that this customer has GasBoy at this time. If they are converting to Passport, we do not use the Island Card Reader. Everything will go through the CRIND. If they are a Cenex location on NBS, we will process all standard network transactions through the CRIND communicating to NBS.
I hope this helps. If you have further questions, please don’t hesitate to ask.
Thanks,
-greg
We have a client that has Gilbarco G-Site version 42.0.84. We are setting them up with First Data. First Data said that version was non-compliant. What version of Gilbarco G-Site would they need to upgrade to in order to be compliant? Will they ultimately have to upgrade to Passport?
Brian,
The G-SITE system will never be PCI compliant, which is why it was announced as end-of-life on Dec 31, 2008. The best recommendation for your client is an upgrade to a PCI compliant POS device, such as the Passport POS. Find out more about the PCI regulations and compliant devices at https://www.pcisecuritystandards.org/.
PIN-based debit cards - Cards that require a PIN to be entered in order for the transaction to get authorization. The transaction total is taken directly out of the checking account. Subject to lower interchange fees because it is a secure transaction with a PIN.
Signature-based debit cards - Cards that usually say debit on them but are processed like a standard credit card; no PIN is required unless you choose debit instead of credit. The transaction amount is taken directly out of the checking account. Subject to higher interchange fees because it can be processed without a PIN.
Standard credit card - Mastercard, Visa, Discover, etc. - Cards that don’t require a PIN and can be swiped at the pump with no proof of identification. Least secure transaction, highest interchange fee.
I see questions about having to upgrade the CRIND if you are not taking PIN-based debit at the pump. It seems that no upgrade is required at the CRIND. So, you would be able to take signature-based debit cards processed like standard credit cards at the pump, and also standard credit cards…correct?
The question I have is: if you don’t upgrade at the CRIND, and continue to take signature-based debit cards and standard credit cards at the pump, will the credit card network charge astronomical interchange fees? Enough to make it worth upgrading at the CRIND?
The Gasboy Island Card Reader cannot be made PCI compliant. Is that for the PIN-based debit only situation, or is it the same as the CRIND? Can the ICR be used for signature-based debit cards and standard credit cards, or does the Gasboy ICR have to be removed entirely from the system?
The customer needs to know what equipment they can keep and what the consequences are.
Scott:
Good to hear that you understand the difference between signature debit and PIN debit. Unfortunately, many merchants are unaware of the difference, and the interchange rates are significantly different. So much so, in fact, that many merchants are losing thousands of dollars annually because they aren’t asking for PIN numbers.
With that being said, PCI requires that PIN numbers are encrypted, not the card data itself. The signature debit transaction is essentially a credit transaction, reconciled periodically to a bank account. The rates are higher because the threat of compromise is higher and the credit transaction is substantially less secure.
Regarding payoff, a typical site ($20 avg. fuel transaction, 100k gallons/month) with only 15% debit usage will see payoff in 11 months for a PCI upgrade. Of course, we highly recommend that merchants run this analysis for each site, but the end result is usually the same. PIN debit will pay for itself.
Please drop your Gilbarco sales representative a line if you have specific questions about configurations.
I hope this helps.
Thanks,
-greg
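Greg's point above (PCI requires the PIN to be encrypted, not the card data) and Butch's earlier answer (the EPP must be capable of TDES encryption) describe what the Encrypting PIN Pad actually does to a PIN before it leaves the pump. The Go program below is an added example, not code from this blog or from Gilbarco, and the EPP itself is not involved. It assumes the ISO 9564-1 format 0 PIN block, which the page does not name: the PIN is padded into an 8-byte field, XORed with the rightmost twelve PAN digits so the same PIN gives a different block on every card, and the result is TDES-encrypted under a key shared with the host. The PAN and key are constructed test values (the published Visa test number and a fixed key); real deployments manage the key with DUKPT or master/session schemes, which this example leaves out.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// PinBlockFormat0 builds an ISO 9564-1 format 0 PIN block. PIN field: 0, PIN
// length as one hex digit, the PIN digits, F padding. PAN field: 0000 then the
// rightmost twelve PAN digits excluding the check digit. Block = XOR of both.
func PinBlockFormat0(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	if len(pan) < 13 {
		return nil, errors.New("PAN must have at least 13 digits")
	}
	pinField := fmt.Sprintf("0%X%s%s", len(pin), pin, strings.Repeat("F", 14-len(pin)))
	panField := "0000" + pan[len(pan)-13:len(pan)-1]
	a, err := hex.DecodeString(pinField)
	if err != nil {
		return nil, err
	}
	b, err := hex.DecodeString(panField)
	if err != nil {
		return nil, err
	}
	block := make([]byte, 8)
	for i := range block {
		block[i] = a[i] ^ b[i]
	}
	return block, nil
}

// PinFromFormat0 reverses PinBlockFormat0. It needs the PAN, which is why the
// host verifying a PIN must have the card number in hand as well.
func PinFromFormat0(block []byte, pan string) (string, error) {
	if len(block) != 8 || len(pan) < 13 {
		return "", errors.New("bad block or PAN")
	}
	b, err := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
	if err != nil {
		return "", err
	}
	field := make([]byte, 8)
	for i := range field {
		field[i] = block[i] ^ b[i]
	}
	if field[0]>>4 != 0 {
		return "", errors.New("not a format 0 block")
	}
	n := int(field[0] & 0x0F)
	if n < 4 || n > 12 {
		return "", errors.New("bad PIN length")
	}
	return hex.EncodeToString(field)[2 : 2+n], nil
}

// tdesCipher builds a two-key TDES cipher (K1 K2 K1). Go's des.NewTripleDESCipher
// wants a 24-byte key, so the 16-byte double-length key is extended with K1.
func tdesCipher(key16 []byte) (cipher.Block, error) {
	if len(key16) != 16 {
		return nil, errors.New("need a 16-byte double-length TDES key")
	}
	key := append(append([]byte{}, key16...), key16[:8]...)
	return des.NewTripleDESCipher(key)
}

// EncryptPinBlock is the single-block TDES step an EPP performs on the clear
// PIN block before it is sent from the pump.
func EncryptPinBlock(key16, block []byte) ([]byte, error) {
	c, err := tdesCipher(key16)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out, nil
}

// DecryptPinBlock is the matching step on the host side.
func DecryptPinBlock(key16, enc []byte) ([]byte, error) {
	c, err := tdesCipher(key16)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Decrypt(out, enc)
	return out, nil
}

func main() {
	// Constructed values for the demonstration: the Visa test PAN and a fixed key.
	pan := "4111111111111111"
	key, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	block, err := PinBlockFormat0("1234", pan)
	if err != nil {
		panic(err)
	}
	enc, err := EncryptPinBlock(key, block)
	if err != nil {
		panic(err)
	}
	fmt.Printf("clear PIN block %X\nencrypted block %X\n", block, enc)
}
```

With PIN 1234 and the test PAN, the clear block is `041225EEEEEEEEEE`; only the 8-byte encrypted block travels from the pump, which is the sense in which the mandate protects the PIN rather than the card data.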