Ralph Waldo Emerson observed, “This time, like all times, is a very good one,
if we but know what to do with it.” As we run out the clock on 2008, I suggest
that one important thing we should do with our time is to prepare to meet the
PCI PED deadline, now just 18 months in the future.
While eighteen months may seem like ample lead time for a compliance issue,
in reality it is very short in light of PCI PED’s far-reaching operational demands.
Irrespective of where you are in the process of PCI PED implementation,
there are important background issues to work out. Among them: who is
responsible for the cost – an issue joined inextricably with merchant retention.
Other issues include the broad sales decline during the quarter when many
businesses generate most or all of their profits. On November 14, the
Commerce Department reported that US retail sales had fallen a record
2.8% in October, far worse than the 2% economists had predicted.
Notably, sales declines were broad, across types of merchandise
(building supplies, appliances, furniture) and types of stores
(department stores, discounters, etc.).
The financial well-being of the FI and ISO is also in play, as both feel
the effects of an economy that seems to have lost its footing.
In regard to the first issue, I have no advice, other than to weigh wisely
the “who pays” decision, as there are pros and cons for both sides, and the
best answer will vary by company.
If you and your company are not yet pursuing PCI PED implementation,
you may be shut out of the game entirely. You need to get busy.
In the meantime, here’s an update of the two deadlines:
July 1, 2010 – complete phase-out of non-compliant PIN Entry Devices (PEDs)
that are stand-alone PIN pads, in addition to some early integrated devices
with internal PIN pads.
December 2014 – Visa recently announced the sunset date for VISA PED
devices as 2014, a mere five years in the future.
After December 31, 2014, all PIN Entry Devices in the field are required
to be PCI certified.
So, what are the operational requirements for the initial deadline,
twelve months from now – and what needs to happen first?
1. The first step is identification of merchants with non-compliant PEDs.
FIs and ISOs who have begun the upgrading process report this is a daunting
task that includes determining who has what, who is non-compliant, who has
received swap-outs with VISA PEDs, etc. In a better world, records would tell
us these things. In the real world, record keeping is sketchy at best.
2. Step two is determining the fate of non-compliant devices discarded by the
merchant. Will they be returned for verified destruction, hopefully in an
eco-friendly manner? (Or, alternatively, who cares?)
3. Next, if the merchant is bearing the burden of compliance, the manner in
which billing is handled must also be determined, and processes and procedures
4. Simultaneously with these steps, a previously determined quantity of
compliant PCI PEDs, or a quantity of integrated devices with internal PIN pads,
must be obtained or committed to (more on that later).
5. Once they arrive, each must go through the time-consuming encryption
and testing process, made even longer by the new triple DES (3DES) standard.
6. Next, integrated units with internal PIN pads must be addressed.
One approach is to add an external PCI PED, disabling the internal PIN pad.
This, according to Visa, is permitted because an integrated device with a
disabled PIN pad falls outside the PCI PED requirements.
7. If an integrated device with a non-compliant internal PIN pad is being replaced
with an integrated device with a compliant PIN pad, an additional and separate
step of programming and testing follows.
8. Once encrypted and/or programmed and tested, the PEDs are deployed in
a systematic fashion with the expectation (also wishful thinking and prayer)
that the majority of merchants will follow directions. The terminal must be
powered down before installing the PIN pad. Doing otherwise causes a
blow-out of the encryption and an immediate return to step 5.
If you are constructing a pricing model for meeting the PCI PED deadline,
we recommend building in 12% to 15% for rework along with some percentage
of non-returns on blown PCI PEDs.
A factor not often considered is that in addition to time, encryption requires
considerable infrastructure in computers, encryption hardware and software,
and secure facilities, as well as trained and certified personnel.
ESO and PCI requirements do not permit you or me to pull people off the street,
give them five minutes of training and throw them in an unsecured warehouse
to encrypt PIN pads.
As a certified ESO, I have predicted that at the eleventh hour, a few months
before the deadline, two factors will collide to create the perfect PCI PED storm.
Those factors are insufficient time and manpower, and a lack of availability
of PCI PEDs.
Let’s examine PCI PED from the perspective of a credible, successful manufacturer
with one question. Would you commit resources to producing and stockpiling PCI
PEDs in anticipation of a need that could not be quantified? The answer, of course,
is that this is not the behavior of successful manufacturers.
Similarly, when it comes to manpower, whether it is CardWare or another
certified ESO, or a processor, no one keeps highly trained personnel on the
payroll on the expectation of what might happen with a particular PCI PED project.
The alternatives for the merchant then become to get in a (very long) line,
or prepare to pay premiums.
Expect prices for PCI PED units and PCI PED project quotes to begin
rising in 1Q 2010, and probably before.
Experience indicates the vast majority of FIs, ISOs and merchants will
procrastinate, do ostrich impressions, expect the deadline of PCI PED to just
“go away,” or be similar to the non-event we remember as Y2K. By virtue of
the security environment in which we operate, and regulatory tendencies that
are likely to tighten, however, there is no reasonable chance that PCI PED will
be anything but the game-changer it was engineered to be.
So, when crunch time comes, where will you and your merchants be in
terms of compliance? And, equally important, at what cost?
My take-away is that NOW, not next month, or next quarter, is the time to
implement your PCI PED upgrade if you expect to have your merchants in
compliance – and out of the woods – by July 2010.
It is true, as Thomas Paine so wisely pointed out, that time makes more
converts than reason. But when time is on your side, the economics are as well.
And that may be the most compelling argument of all.
Biff Matthews is President of Thirteen Inc, the parent company of
CardWare International. He is one of 12 founding members of the ETA,
serving on its board, advisory board and committees. (740) 522-2150