Time Is Running Out for Meeting the PCI PED Deadline

Ralph Waldo Emerson observed, “This time, like all times, is a very good one, 
if we but know what to do with it.”
As we run out the clock on 2008, I suggest 
that one important thing we should do with our time is to prepare to meet the 
PCI/PED deadline, now just 18 months in the future.

While eighteen months may seem like ample lead time for a compliance issue, 
in reality it is very short in light of PCI PED’s far-reaching operational demands.

Irrespective of where you are in the process of PCI PED implementation, 
there are important background issues to work out.  Among them: who is 
responsible for the cost – an issue inextricably joined with merchant retention.  
Other issues include the broad sales decline during the quarter when many 
businesses generate most or all of their profits.  On November 14, the 
Commerce Department reported that US retail sales had fallen a record 
2.8% in October, far worse than the 2% economists had predicted.  
Notably, sales declines were broad, across types of merchandise 
(building supplies, appliances, furniture) and types of stores 
(department stores, discounters, etc.).

The financial well-being of the FI and ISO is also in play, as both feel 
the effects of an economy that seems to have lost its footing.

In regard to the first issue, I have no advice, other than to weigh wisely 
the “who pays” decision, as there are pros and cons for both sides, and the 
best answer will vary by company.

If you and your company are not yet pursuing PCI PED implementation, 
you may be shut out of the game entirely.  You need to get busy.  
In the meantime, here’s an update of the two deadlines:

July 1, 2010 – complete phase-out of non-compliant PIN Entry Devices (PEDs) 
that are stand-alone PIN pads, in addition to some early integrated devices 
with internal PIN pads.

December 2014 – Visa recently announced the sunset date for VISA PED 
devices as 2014, a mere five years in the future.

After December 31, 2014, all PIN Entry Devices in the field are required 
to be PCI certified.

So, what are the operational requirements for the initial deadline, 
twelve months from now – and what needs to happen first?

  1. The first step is identification of merchants with non-compliant PEDs.  
    FIs and ISOs who have begun the upgrading process report this is a daunting 
    task that includes determining who has what, who is non-compliant, who has 
    received swap-outs with VISA PEDs, etc. In a better world, records would tell 
    us these things.  In the real world, record keeping is sketchy at best.
  2. Step two is determining the fate of the non-compliant devices discarded by the 
    merchant.  Will they be returned for verified destruction, hopefully in an 
    eco-friendly manner?  (Or, alternatively, who cares?)
  3. Next, if the merchant is bearing the burden of compliance, the manner in 
    which billing is handled must also be determined, and processes and procedures 
    developed.
  4. Simultaneously with these steps, a previously determined quantity of 
    compliant PCI PEDs, or a quantity of integrated devices with internal PIN pads, 
    must be obtained or committed to (more on that later).
  5. Once they arrive, each must go through the time-consuming encryption 
    and testing process, made even longer by the new triple DES (3DES) standard.
  6. Next comes addressing integrated units with internal PIN pads.  
    One approach is to add an external PCI PED, disabling the internal PIN pad. 
    This, according to Visa, is permitted because an integrated device with a 
    disabled PIN pad falls outside the PCI PED requirements.
  7. If an integrated device with a non-compliant internal PIN pad is being replaced 
    with an integrated device with a compliant PIN pad, an additional and separate 
    step of programming and testing follows.
  8. Once encrypted and/or programmed and tested, the PEDs are deployed in 
    a systematic fashion with the expectation (also wishful thinking and prayer) 
    that the majority of merchants will follow directions. The terminal must be 
    powered down before installing the PIN pad.  Doing otherwise causes a 
    blow-out of the encryption and an immediate return to step 5.

If you are constructing a pricing model for meeting the PCI PED deadline, 
we recommend building in 12% to 15% for rework along with some percentage 
of non-returns on blown PCI PEDs.

A factor not often considered is that in addition to time, encryption requires 
considerable infrastructure in computers, encryption hardware and software, 
and secure facilities, as well as trained and certified personnel.

ESO and PCI requirements do not permit you or me to pull people off the street, 
give them five minutes of training and throw them in an unsecured warehouse 
to encrypt PIN pads.

As a certified ESO, I have predicted that at the eleventh hour, a few months 
before the deadline, two factors will collide to create the perfect PCI PED storm.  
Those factors are insufficient time and manpower, and a lack of availability 
of PCI PEDs.

Let’s examine PCI PED from the perspective of a credible, successful manufacturer 
with one question.  Would you commit resources to producing and stockpiling PCI 
PEDs in anticipation of a need that could not be quantified?  The answer, of course, 
is that this is not the behavior of successful manufacturers.

Similarly, when it comes to manpower, whether it is CardWare or another 
certified ESO, or a processor, no one keeps highly-trained personnel on the 
payroll on the expectation of what might happen with a particular PCI PED project.  
The alternatives for the merchant then become to get in a (very long) line, 
or prepare to pay premiums.

Expect prices for PCI PED units and PCI PED project quotes to begin 
rising in 1Q 2010, and probably before.

Experience indicates the vast majority of FIs, ISOs and merchants will 
procrastinate, do ostrich impressions, and expect the PCI PED deadline to just 
“go away,” or to be similar to the non-event we remember as Y2K.  By virtue of 
the security environment in which we operate, and regulatory tendencies that 
are likely to tighten, however, there is no reasonable chance that PCI PED will 
be anything but the game-changer it was engineered to be.

So, when crunch time comes, where will you and your merchants be in 
terms of compliance?  And, equally important, at what cost?

My take-away is that NOW, not next month or next quarter, is the time to 
implement your PCI PED upgrade if you expect to have your merchants in 
compliance – and out of the woods – by July 2010.

It is true, as Thomas Paine so wisely pointed out, that time makes more 
converts than reason.  But when time is on your side, the economics are as well.  
And that may be the most compelling argument of all.

Biff Matthews is President of Thirteen Inc, the parent company of 
CardWare International.  He is one of 12 founding members of the ETA, 
serving on its board, advisory board and committees.  (740) 522-2150