PCI’s Required Reading
The Payment Card Industry Security Standards Council (PCI SSC) is expected to release version 1.2 of the Payment Card Industry Data Security Standard (PCI DSS) this month. A short summary of the changes that are expected to occur was distributed by PCI SSC in August.
In an interview with Chain Store Age, Bob Russo, general manager of PCI SSC, sought to calm any concerns or misconceptions about the impact the updated version might have on merchants.
“This is really about clarifying what was unclear in version 1.1—we are not adding requirements or sub-requirements, it’s just clarification,” he stated. “We issued the short summary in August because we didn’t want anyone to feel surprised or think there was going to be a need for big process changes or a need to spend more money to be in compliance. When version 1.2 is released, there may be just a few tweaks that were not highlighted in the summary—but there will not be big changes.”
One issue addressed in version 1.2 will be further explanation of scoping, which has been an area of confusion for many retailers.
Troy Leach, technical director for PCI SSC, explained, “When we’re talking about scoping, we’re looking at where the card information flows through the merchant’s organization, from the point a credit or debit card is swiped to where it travels through the network to their gateway, service provider or bank.”
Scoping looks at when transaction data is in process, stored and transmitted, and it defines what part of the merchant’s infrastructure has access to cardholder information.
“If a merchant can reduce where the information flows, then they can reduce the scope of audits and consequently reduce the cost of overall PCI evaluation,” advised Leach.
In addition to more detailed clarification of scoping, version 1.2 will also remove the ambiguity surrounding certain dated requirements. For instance, references to performing activities on a “regular basis” will be assigned specific time frames. A good example is in the area of log data: version 1.2 will specify that retailers maintain an audit trail, or log of all data in the network, for a minimum of the last three months.
Probably the most profound clarification in version 1.2 has to do with wireless networks. Although it should come as no surprise, there will be specific language defining the end of WEP (Wired Equivalent Privacy). As of March 2009, there will be no new implementations of WEP, and current implementations of WEP must be discontinued by June 30, 2010. However, there are viable alternatives available through Wi-Fi Protected Access (WPA) and WPA2.
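The two dated requirements above (a three-month minimum for the audit trail and the WEP cut-off and retirement dates) are the kind of thing a retailer's compliance team ends up checking against an inventory. The following script is an added example, not from the article or from PCI SSC, showing how such a check can be written so the deadlines are data rather than tribal knowledge. The article gives only "March 2009" for the end of new WEP deployments, so the day (1 March) is an assumption, as is reading "three months" as 90 days; the access-point inventory is constructed.

```python
"""Inventory checks for the PCI DSS 1.2 clarifications on wireless and log retention.
Added example; thresholds come from the article, day-level dates and the 90-day
reading of "three months" are assumptions, and the inventory below is constructed."""
from datetime import date

# Article: no new WEP implementations "as of March 2009" (day assumed: 1 March)
WEP_NEW_DEPLOYMENT_CUTOFF = date(2009, 3, 1)
# Article: existing WEP must be discontinued by June 30, 2010
WEP_RETIREMENT_DEADLINE = date(2010, 6, 30)
# Article: audit trail for at least the last three months (assumed to mean 90 days)
MIN_LOG_RETENTION_DAYS = 90
# Article names WPA and WPA2 as the viable alternatives to WEP
ACCEPTED_WIRELESS = {"WPA", "WPA2"}


def check_wireless(ap, today):
    """Classify one access-point record as ('pass'|'warn'|'fail', detail).

    `ap` is a dict with 'ssid', 'encryption' and 'deployed' (a date);
    `today` is the date the check is run, passed in so results are reproducible.
    """
    enc = ap["encryption"].upper()
    if enc in ACCEPTED_WIRELESS:
        return ("pass", f"{ap['ssid']}: {enc}")
    if enc == "WEP":
        if ap["deployed"] >= WEP_NEW_DEPLOYMENT_CUTOFF:
            # A WEP network stood up after the cutoff is a new implementation
            return ("fail", f"{ap['ssid']}: WEP deployed on/after {WEP_NEW_DEPLOYMENT_CUTOFF}")
        if today > WEP_RETIREMENT_DEADLINE:
            return ("fail", f"{ap['ssid']}: WEP still active after {WEP_RETIREMENT_DEADLINE}")
        days_left = (WEP_RETIREMENT_DEADLINE - today).days
        return ("warn", f"{ap['ssid']}: legacy WEP, {days_left} days left to move to WPA/WPA2")
    # Anything else (open, or an unrecognised label) is not one of the named alternatives
    return ("fail", f"{ap['ssid']}: no accepted wireless encryption ({enc})")


def check_log_retention(retention_days):
    """Does the configured audit-trail retention meet the three-month minimum?"""
    if retention_days >= MIN_LOG_RETENTION_DAYS:
        return ("pass", f"log retention {retention_days} days")
    return ("fail", f"log retention {retention_days} days < {MIN_LOG_RETENTION_DAYS} required")


def audit(access_points, retention_days, today):
    """Run every check and return the list of (status, detail) findings."""
    findings = [check_wireless(ap, today) for ap in access_points]
    findings.append(check_log_retention(retention_days))
    return findings


# Constructed sample inventory (not real SSIDs or dates)
SAMPLE_APS = [
    {"ssid": "store-pos", "encryption": "WPA2", "deployed": date(2008, 5, 12)},
    {"ssid": "store-legacy", "encryption": "WEP", "deployed": date(2006, 11, 2)},
    {"ssid": "kiosk", "encryption": "WEP", "deployed": date(2009, 4, 20)},
    {"ssid": "guest", "encryption": "open", "deployed": date(2008, 1, 15)},
]

if __name__ == "__main__":
    for status, detail in audit(SAMPLE_APS, 60, date(2009, 6, 1)):
        print(f"[{status.upper():4}] {detail}")
```

Passing `today` in explicitly rather than calling `date.today()` inside the check keeps the results reproducible in a test and lets the team ask "what will this inventory look like on the retirement date?" before it arrives.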
For the most part, industry analysts applaud PCI DSS and welcome the added clarifications. John Kindervag, senior analyst at Forrester Research, Dallas, brings the added insight of having worked as a qualified security assessor (QSA) for PCI DSS compliance.
“To my dismay, I found that most organizations were not even close to being compliant,” Kindervag said. “One issue is that security is not sexy—you can sell green IT or corporate social responsibility, but companies don’t want to invest in security. That seems ironic since [a retailer’s] first responsibility as a corporate citizen is to protect consumer data.”
The two weaknesses he saw most frequently were a refusal to accept that track data could never be stored and a fear of encryption processes.
Jeff Wakefield, VP of marketing at VeriFone, Clearwater, Fla., pointed out that retailers’ concerns about encryption are often founded in the magnitude of implementing encryption across numerous disparate POS systems, which is particularly true for retailers that have experienced mergers and acquisitions.
“I recently worked with a retailer that had more than 100 different applications running—to put encryption everywhere that data is stored is a huge undertaking,” he noted.
One trend that VeriFone supports, which complements the concept of scoping, is to encrypt transaction data at the PIN-entry device and route it directly through an application server to the payments processor. By doing this, the retailer never places sensitive cardholder data into the POS system and greatly reduces the scope of the audited network.
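Leach's description of scoping (following the card data from the swipe to the gateway or processor and treating everything that has access to it as in scope) and VeriFone's point-of-entry encryption can be put together as a small data-flow model. The following is an added example, not the article's or either company's own tooling: it walks a constructed card-data path, marks each hop as in scope while the data is cleartext, and compares a legacy design (data encrypted only when it leaves the store's application server) with one that encrypts at the PIN-entry device. Component names and the two architectures are assumptions made for illustration.

```python
"""Data-flow scoping model: which hops on the card-data path see cleartext?
Added example; the path, component names and both architectures are constructed."""


def trace_scope(path, encrypt_at, decrypt_at):
    """Walk `path` in order and return the hops that handle cleartext card data.

    Data is cleartext from the first hop (the swipe) until it leaves `encrypt_at`,
    ciphertext from then on, and cleartext again from `decrypt_at` onward. The
    encrypting hop itself still sees cleartext, so it stays in scope.
    """
    if encrypt_at not in path or decrypt_at not in path:
        raise ValueError("encrypt/decrypt points must be hops on the path")
    if path.index(encrypt_at) > path.index(decrypt_at):
        raise ValueError("data cannot be decrypted before it is encrypted")
    cleartext = True
    in_scope = []
    for hop in path:
        if hop == decrypt_at:
            cleartext = True
        if cleartext:
            in_scope.append(hop)
        if hop == encrypt_at:
            cleartext = False
    return in_scope


def merchant_scope(path, encrypt_at, decrypt_at, merchant_owned):
    """Restrict the in-scope list to components the merchant owns and must have assessed."""
    return [hop for hop in trace_scope(path, encrypt_at, decrypt_at) if hop in merchant_owned]


# Constructed path from the card swipe to the processor; the processor is not merchant-owned
CARD_DATA_PATH = [
    "pin-entry-device",
    "pos-register",
    "store-lan",
    "application-server",
    "corporate-wan",
    "payment-processor",
]
MERCHANT_OWNED = set(CARD_DATA_PATH[:-1])


def compare_architectures():
    """Merchant scope under the legacy design versus encryption at the PIN-entry device."""
    legacy = merchant_scope(CARD_DATA_PATH, "application-server", "payment-processor", MERCHANT_OWNED)
    ped = merchant_scope(CARD_DATA_PATH, "pin-entry-device", "payment-processor", MERCHANT_OWNED)
    return {"legacy": legacy, "ped_encryption": ped}


if __name__ == "__main__":
    for name, hops in compare_architectures().items():
        print(f"{name}: {len(hops)} merchant components in scope -> {hops}")
```

The model is deliberately narrow: it only follows the cleartext path described in the article. A real scoping exercise also has to account for systems that can reach the in-scope components, and for where data is stored as opposed to merely transmitted, but the comparison already shows why moving the encryption point to the PIN-entry device collapses the audited footprint to the device itself.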
Staples partners with Blackhawk for gift cards
PLEASANTON, Calif. Staples has announced an exclusive partnership with the Blackhawk Network, the largest third-party provider of prepaid gift-cards, to carry Blackhawk’s Signature Gift Card Mall, currently found in grocery stores such as Safeway. Blackhawk’s Gift Card Mall features over 300 branded gift cards across categories such as fashion, tickets, electronics, home and sports.
“Consumers love buying and receiving gift cards, and putting the Gift Card Mall in Staples stores will make it easy and convenient for our customers to buy a wide variety of gift cards,” said Mark Mettler, senior vp and gmm at Staples.
“Staples is a valuable retail outlet for us because of its understanding of the B2B aspect of our business,” said Don Kingsborough, ceo of Blackhawk Network. “Working with Staples, we will reach small business owners and give them the ability to purchase prepaid gift cards for their employees in the same place they buy office supplies.”
Staples is the first office supply store to carry Blackhawk gift cards.
RadioShack appoints new chief marketer
FORT WORTH, Texas RadioShack announced the appointment of Lee Applbaum to the position of evp and chief marketing officer. Applbaum will be responsible for advertising, brand management, customer relations management and marketing and will report to chairman and ceo Julian Day. He will also serve as a member of the office of the chairman, comprised of Day; Bryan Bevin, evp of store operations; Jim Gooch, evp and cfo and Peter Whitsett, evp of merchandising.
“Lee’s joining us at RadioShack represents another significant step in strengthening our senior management team,” said Day. “Lee’s background and successful track record position him well to add value to our brand.”
Applbaum began his career at Lederle Consumer Health, a division of American Cyanamid Co., shortly after earning his MBA in 1994 from the Isenberg School of Management at the University of Massachusetts at Amherst. He has also worked at The Coca-Cola Co., Schlotzsky’s, Footstar and The David’s Bridal Group, a division of Federated Department Stores. Immediately prior to joining RadioShack, Applbaum was the chief marketing officer for The Schottenstein Stores Corp.