Elusive Security

The ever-growing use of credit and debit cards continues to present food retailers with expensive challenges with respect to both interchange fees and card security costs.

The retail industry made some progress this summer on the fees front with the passage of federal financial reform that includes regulation of debit-card interchange fees. But card data security — which is also under regulatory consideration by Congress — remains a costly burden as retailers seek to meet card industry requirements (or get hit with fines) while staying ahead of the ceaseless intrusions of hackers.

Still, as with interchange fees, there are some incipient signs of progress with data security costs. For example, two of the card industry's primary security standards — the PCI DSS (Payment Card Industry Data Security Standard) and the PA-DSS (Payment Application Data Security Standard) — will enter their next phase (version 2.0) next month without any new requirements for retailers.

“The good news for merchants is that there won't be too many changes, so if you're already compliant, it's not much of a stretch to remain compliant,” said Bob Russo, general manager of PCI Security Standards Council, Wakefield, Mass., which manages the PCI DSS and PA-DSS standards, along with the PIN Transaction Security (PTS) requirements. The new standards will focus on clarifying existing requirements and improving their flexibility, he said. (See “Updating PCI,” Page 24.)

Another plus for retailers is that Visa, with the support of the National Retail Federation, Washington, launched an effort in July to reduce the unnecessary storage of sensitive card information in merchant payment systems. To that end, Visa made clear that its existing operating regulations allow merchants to present a truncated, disguised or masked card number on a transaction receipt to banks for dispute resolution instead of the full 16-digit card number. Visa, in accord with NRF, said merchants “should not be obligated by their acquiring banks to store card numbers for the purpose of satisfying card retrieval requests.”

Retailers “should not be penalized for not storing card information. This clarification from Visa is a promising step in that direction,” said Dave Hogan, NRF's senior vice president and chief information officer.

Hogan told SN “it is too early to tell” whether acquiring banks (which work with retailers to process transactions) are heeding Visa's directive and offering to store personal account numbers (PANs) for retailers or offering a tokenization arrangement. “We recommend that merchants challenge their acquirers and push them to offer this at no cost to the merchant,” he said.

Hogan added that Visa's directive about card data storage, if incorporated into the PCI standard, “could impact PCI by significantly reducing the scope” of what retailers would be responsible for securing.

The NRF also advocates that consumers be allowed to enter PINs (personal identification numbers) with credit transactions to enhance security, just as they do with debit transactions. (This would also bring down credit processing fees.) If merchants stopped storing credit card data and consumers used PINs for credit transactions “the risk of a major data breach would be significantly reduced,” said Richard Mader, executive director of ARTS (the Association of Retail Technology Standards), a division of NRF, at an Aberdeen Group conference in June.

In Europe and Canada, a “chip and PIN” system is in effect for credit cards, requiring the use of both PINs and an identification chip in the card. But a changeover to chip and PIN in the U.S. would be costly, taking $5 billion over five years, said Mader.

Meanwhile, the Smart Card Alliance, Princeton Junction, N.J., advocates the use of contactless chip cards to lower fraud because, as opposed to standard magnetic-stripe cards, payment card data stolen from contactless cards “could not be used to make fraudulent cards,” the group said in a statement.

And in a move that could presage an entirely new payment paradigm, AT&T and Verizon plan to test a system in Atlanta and three other U.S. cities that would let a consumer pay with a smart phone instead of plastic cards, according to a Bloomberg report.

ENCRYPTION PARADE

In the meantime, two technologies — end-to-end encryption and tokenization — continue to evolve in the U.S. as ways to enhance retailers' magnetic-stripe-card data security. Notably, numerous card processors and equipment vendors have stepped forward with end-to-end encryption offerings, typically including tokenization as well. Visa also came out last fall with best practices for end-to-end encryption and in July released best practices for tokenization.

End-to-end encryption is designed to protect card information from the swipe at the POS terminal to the acquirer/processor, eliminating any moment when card data would be “in the clear” and rendering the data useless to criminals who are able to breach the system. Tokenization is a way of replacing the PAN data wherever it is stored with substitute numbers or tokens that are worthless to criminals.
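To make the tokenization idea concrete, here is an added illustration (not code from the article or from any of the vendors it names) of a minimal token vault and the receipt-style PAN truncation Visa describes above. It uses the well-known Visa test number 4111 1111 1111 1111 and constructed names; real vaults live at the processor and hold the PAN under strong encryption, which is out of scope here.

```python
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check digit: every real PAN passes it, so tokens are built to fail it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Receipt-style truncation: only the last four digits survive on paper."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Constructed stand-in for an acquirer-side vault: the only place a PAN is kept."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}
        self._by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._by_pan:         # same card -> same token, so sales reporting still works
            return self._by_pan[pan]
        while True:
            # keep the last four so staff can match a receipt; randomise everything else
            head = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = head + pan[-4:]
            # a token that fails Luhn can never be mistaken for, or replayed as, a card number
            if not luhn_valid(token) and token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault owner (the processor) can map a token back; merchants never do."""
        return self._by_token[token]
```

A merchant system that stores only the token and the masked number has nothing worth stealing, which is what shrinks PCI scope.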

The technology gained greater prominence following the data breach in 2007 at Hannaford Bros., Scarborough, Maine, which exposed 4.2 million credit and debit cards even though the chain was PCI-compliant. In that case, malware was able to pilfer card numbers as the data was “in transit” from the POS across Hannaford's private network.

The parade of encryption offerings began two years ago when VeriFone Systems, San Jose, Calif., partnered with Semtek Innovative Solutions to offer the VeriShield Protect end-to-end encryption system. In August of 2009, the processor/acquirer RBS WorldPay announced that it would market the VeriShield system, and two months later processor/acquirer Chase Paymentech said it would do the same.

In March of 2009, Fifth Third Processing Solutions announced that it had designed a single platform for end-to-end encryption and tokenization. Then, in September of last year, processor/acquirer First Data and RSA announced what is now called the TransArmor solution, which includes end-to-end encryption (using existing POS terminals) and tokenization; the system was made publicly available last week.

Last month Hypercom, a terminal vendor, announced the availability of its “point-to-point encryption system for processors supporting Tier 4 merchants using Hypercom terminals.”

In May of this year, processor/acquirer Heartland Payment System, a data breach victim in 2008, launched its E3 end-to-end encryption/tokenization technology, and a month later said that 1,000 merchants of various types had begun using it. Heartland will cover the cost of any PCI fines resulting from a breach of a retailer using E3.

Currently, food retailers using the E3 system tend to be smaller grocers and mini-marts. For example, Rogers Market, a small grocery store in Hudson, Maine, started using E3 a month ago, purchasing a $200 E3 terminal for each of its two lanes, said owner Roger Collins, Jr. However, Heartland plans to introduce E3 payment terminals designed for multi-lane supermarket environments, said Steven Elefant, its chief information officer.

With all of these offerings, retail adoption of these systems, particularly in the supermarket sector, is still in the very early stages. For example, no supermarket retailers are yet under contract to use the VeriShield system, according to Pete Bartolik, a spokesman for VeriFone. Still, “we are seeing more interest in end-to-end encryption,” said NRF's Hogan. “However, we would like to see card brands and banks pay for it.”

REDNER'S SECURITY PUSH

One food retailer employing a form of end-to-end encryption is Redner's Markets, Reading, Pa., which operates 39 Warehouse Markets and 13 Quick Shoppe convenience stores. The encryption is part of Connected Payments, a processing system for small retail chains and independents offered by StoreNext Retail Technologies and MTXEPS, in concert with payment processor partners. Redner's began rolling out Connected Payments to its supermarkets in January and finished in April.

In Redner's case, card data is encrypted from the moment the card is swiped in the PIN pad “all the way to the [acquiring] bank,” said Nick Hidalgo, IT director for Redner's.

Redner's has a private network from stores to its headquarters. Payment card data is then channeled via an encrypted connection to the Connected Payment host, which sends it encrypted to First Data, Redner's processor/acquirer, said Hidalgo. The chain does not store any of the card data, using only a truncated card number for receipts. All reporting is handled via StoreNext, he said.

To test the system, Redner's recently employed Trustwave to attempt to penetrate its network over a two-week period. “They had access to the register and couldn't steal any data,” said Hidalgo. “We were one of three companies out of 150 that [wasn't breached.] We attribute that solely to the end-to-end encryption.”

The cost of Redner's Connected Payments service, including encryption and centralized storage and retrieval of credit card slips, is $35 per week per store, said Hidalgo.

Redner's has also been engaged in several other efforts over the past year to upgrade its data security. For example, the chain has implemented software from Tripwire, Portland, Ore., that checks the configuration of routers and switches every four hours to ensure that no unapproved changes were made, and flags what should or shouldn't be operating. “If someone compromises our devices and changes the way traffic is sent, we get an alert,” Hidalgo said.

This system was installed as a result of a PCI audit conducted by a QSA (qualified security assessor) for level-2 retailers. “We needed software to fill that check box on the PCI compliance list,” he said. The Tripwire server cost $25,000 to install and 15% per year to support, he noted, adding that it eliminates the cost of manual auditing and saves labor by focusing on higher security risks.

At the POS, Redner's has installed a whitelisting application from Savant Protection, Hudson, N.H., in lieu of anti-virus software. “It puts the registers in lock down mode,” Hidalgo said. “Nothing new can be introduced to the system. If someone tried to copy a virus, Savant would ignore it because it's not on the approved list.”

The Savant system can make POS upgrades a little cumbersome because Savant has to be disabled first, said Hidalgo. But Connected Payments and Savant “give us peace of mind that if our network is breached, our payments are secure.” The initial investment in the Savant system came to approximately $40,000 for about 700 POS registers, he added.

The POS is a vital part of the retail enterprise to secure, noted Wade Baker, director of risk intelligence, Verizon Business. He advised retailers to carefully vet POS vendors who oversee POS maintenance, making sure that passwords are changed regularly to prevent improper access.

Redner's has also rolled out a Cisco wireless infrastructure this year to its grocery stores and most of its c-stores that includes “rogue access” protection for PCI compliance. “If someone walks into a store and plugs in an access point, we would get an alert and it would be quarantined and shut down.” The licensing cost is “well over $200,000,” he said, but noted that the automatic alerts “save on manpower costs.”

Hidalgo credited the attention to security to the insight provided by the QSA auditor. In addition to sparking the Tripwire investment, “he pushed us to look at security more in-depth,” he said.