PCI Compliance And Security

One and the same?

By Coles Marsh

As distributors, we're more than just sellers of boxes. We're a resource to our customers, and when it comes to the products we're selling, customers expect us to be the information guys, the experts. It's our job as distributors to do our homework, so no question from a customer ever goes unanswered.

Recently, a large oil jobber, one of my longest and most valued customers, asked me a question regarding the PCI-compliant equipment I had sold him. He asked, “Coles, will this equipment you are selling me that is PCI-compliant make me secure?”

At first, I rattled off to my customer everything I knew about PCI compliance—that the vendor who manufactured this new equipment was required to comply with the new regulations, and this upgrade meets the new PCI standards. But my customer was not satisfied. He posed the question again: “But Coles, am I secure? Will PCI compliance provide the security that will keep my customers' credit card information safe?”

His question was something I had not thought about. As an industry, we're all under the gun to upgrade systems to meet PCI requirements, but has anyone stopped to think about what these regulations really mean? Can we assure our customers that their new PCI-compliant equipment will completely derail fraud? And the most important question of all, does PCI compliance equal security?

POS Security...Or Not
I admitted to my customer that I did not know the answer to his question, but as his distributor, I would do my best to find the information he was looking for.

At about the same time, I met a gentleman who refers to himself as a “non-malicious hacker.” He has an extensive computer forensics background that allows him to crack computer systems and access confidential information. I told him about my customer's question: Is PCI-compliant equipment secure from hackers like him?

Unfortunately, his answer was a resounding “no.” I sat in awe as I watched this non-malicious hacker break into a point of sale system at a station owned by a large dealer. I watched him tinker with the computer programming until he was able to retrieve credit card information and find vital financial data—enough to commit identity theft. “Holy mackerel!” I thought. The hacker made it look easy.

It's no surprise to anyone that we live in a world where technology rules. While this is good in some aspects (fast, convenient operating systems and equipment), it also means that our customers' financial data live on networked computers. We can't bolt them with a lock or put them in a safe. Even well-protected data are not 100 percent safeguarded from attackers who learn how to beat the system. Given enough skill, time and access, a determined attacker can often defeat even sophisticated security controls and steal information we once naively thought was secure.

Does this mean that PCI requirements are useless? Of course not. Just like the fence around your house, the requirements add one more barrier between the thief and a customer's credit card information. The good news is that they make credit card fraud considerably harder: a thief needs real technical skill to break into a compliant point of sale system and commit a crime. But that's also the bad news. PCI compliance does not make a POS system 100 percent secure. Even with compliant equipment in place, it's still very possible for a skilled hacker to beat the system. I saw it happen firsthand.

Total Security
Can we, as distributors, rest at night knowing that the equipment we've sold is completely protected? Well, not yet. Software companies have developed third-party products that address weaknesses PCI compliance alone leaves open to attack. The technology is new, however, and it requires considerable time, effort and cost to deploy and maintain, and no product can honestly be called 100 percent secure against the ever-growing population of malicious computer hackers. What these tools offer is another layer of protection, not total security.

Right now, the best we can do is dig a little bit deeper for our customers, instead of just spitting out rules and regulations that may be misleading. For retailers, PCI-compliant upgrades are large investments. We owe it to our customers to give them all the information we can find, even if we have to look under some rocks to find it.

And it should be noted that all of this equipment acknowledged to be PCI compliant is just that: PCI compliant. Compliance means the equipment met the standard's requirements when it was assessed; whether a station is actually secure also depends on how that equipment is installed, configured, networked, patched and operated after it leaves our hands. Something that is “PCI compliant” does not mean that it is “secure.” As I've learned, those two terms mean different things. Be sure your customers know this.


Meet The Author
Coles Marsh does retail sales for the Salisbury, Maryland, location of Jones & Frank Corporation. Marsh served as PEI President in 1998.