Petrogram - Spring 2010 - (Page 28)
FEATURE Crind and Bear It Jim Fish There seems to be a lot of confusion regarding CRIND devices, TDES, looming deadlines and the potential business impact. In this article, I will attempt to address these issues. PIN-based versus signature-based debit cards First, it is important to understand the diﬀerence between PINbased and signature-based debit cards: • PIN-based debit card – is a card technology requiring that a Personal Identiﬁcation Number (PIN) be entered for authorization. The transaction total is taken directly out of the cardholders checking or savings account. As these transactions use two-factor authentication (something you have plus something you know), they are subject to lower interchange fees because they are more secure (the person with the card is most likely the card owner). • Signature-based debit card – are cards that usually say debit on them but are processed like a standard credit card. No PIN is required unless the cardholder selects debit instead of credit. These transactions are subject to higher interchange fees because they can be processed without a PIN (less secure). These cards can be swiped at the pump without requiring a PIN for proof of identiﬁcation. Unfortunately, many merchants are unaware of the diﬀerence between PIN-based and signature-based debit cards and the signiﬁcant diﬀerence in interchange rates. Consequently, every year, they lose thousands of dollars because they aren’t asking for PINs. Triple Data Encryption Standard (TDES) If you haven’t already done so, you will need to upgrade to support TDES at both indoor PINpads and outdoor Automated Fuel Dispensers (AFD) and Card Reader IN Dispenser (CRIND) keypads by July 1, 2010. Visa communicated back in April that they have no plans to ﬁne merchants who have not implemented TDES at their AFDs as long as they are already using SDES DUKPT encryption (unfortunately, many operators have neither). Risk Not upgrading to TDES and continuing to use SDES DUKPT encryption does NOT mean an operator is compliant. It simply means that Visa is not actively imposing ﬁnes for being non-compliant. The risk is that, if a PIN-based breach occurs, the operator, acquiring bank, service provider, etc. will be liable for the costs and ﬁnes associated with the breach. Card Reader IN Dispenser (CRIND) CRIND is a PIN/debit-based mandate and does not aﬀect any other form of payment inside or outside. Therefore, if you choose not to accept PIN-based debit cards at the pump, there is 28 | Petrogram no issue beyond completing your annual PCI Self Assessment Questionnaire (SAQ), conducting your quarterly external vulnerability scans and ensuring that your PINpads and keypads are TDES compliant. Options for old pumps (e.g. Gasboy) You have three options: 1. Replace the dispensers, 2. Stop accepting PIN debit at the dispenser, 3. Install an aftermarket/third party “retroﬁt” kit. Pump electronics manufacturers have diﬀerent retroﬁt options that may be available for your pumps. Is it worth upgrading? (Cost/benefit analysis) The short answer is, “It depends.” Each operator needs to perform a Return on Investment (ROI) analysis based on their unique situation, type of pumps, volume of PIN/debit transactions, etc., to determine if the proposed investment will pay for itself in a reasonable time period. Comment on interchange rates Whether or not the card brands will charge higher interchange fees if an operator does not upgrade is unclear at this point. However, if the card brands follow previous enforcement practices, I would bet that they will raise the processing costs of non-compliant operators because of the inherent higher risk. Another thing to consider is that, even if the card brands do not increase fees, your acquirer may choose to do so as they may not want to assume the increased risk on your behalf – for free. Bottom line 1. Being out of compliance with a card brand/PCI mandate introduces the possibility of ﬁnes and the ongoing burden of increased costs/liability in the event of a breach. Given that level four merchants represent over 80 percent of credit card compromises, the odds favor the compliant operator. 2. If you accept PIN-based debit cards, ask for the PIN and take advantage of the lower interchange rate. ❍ Jim Fish is vice-president for Coalfire Systems Inc. Coalfire is an IT Governance and Compliance consultancy and PCI Qualified Security Assessor with offices in Colorado, Washington, New York and Canada. He can be reached for follow-up questions by email at jim. email@example.com or by calling 206-352-6028, ext. 7501. Guidance from this document is not a substitute for legal counsel applicable to your business and operations. www.fpma.org | Spring 2010
Table of Contents for the Digital Edition of Petrogram - Spring 2010
Petrogram - Spring 2010
A Celebration of the Petrogram’s 50th Anniversary
How to Stage a Great Grand Opening
FPMA Efforts to Improve the Cleanup Program
Out & About the Industry
E-10 and Single-Wall Fiberglass Tanks
Are You Ready for PCI Compliance?
Crind and Bear It
Index of Advertisers/Advertiser.com
Petrogram - Spring 2010
If you would like to try to load the digital publication without using Flash Player detection, please click here.