Payment cards are the lifeblood of the modern retail industry. The ability to quickly and reliably transport large numbers of credit card transactions fueled the early growth of the VSAT industry, making satellite technology the de facto network standard in the retail segment. But big changes have occurred within the payment card industry, and they are having major ramifications.
How will these changes affect retailers who rely on VSAT technology and how will the changes affect satellite service providers?
The Birth of PCI
Credit card companies always have been security conscious, but all of the major card brands had similar but disparate security standards. In September 2006, Visa, MasterCard, American Express, Discover, and Japan Credit Bureau (JCB) officially created the Payment Card Industry Security Standards Council and threw their collective weight behind a single common security standard for payment card data, which is known as the PCI Data Security Standard (PCI DSS). PCI DSS is a set of requirements designed to safeguard credit card data, and the standard applies to anyone who transmits, stores or processes payment card data. The PCI Data Security Council oversees and administers the PCI Data Security Standard and believes that data security is everyone’s business. The council is doing its best to create a global sense of community for those associated with the payment card industry, and the number of participating organizations is up to 622. The council is broken down into different groups and, as the need arises, Special Interest Groups (SIG) are created to tackle specific technological challenges and provide input to the PCI Working Group. Satellite technology is included in the Wireless SIG, along with Wi-Fi and Bluetooth technologies.
There are 12 guidelines that apply to every company that stores, transmits or processes payment card data. PCI compliance is mandatory, and conformity to the requirements is not trivial or cheap. The penalties for failing to meet the requirements can be severe, ranging from fines up to and including electronic excommunication by the major card processors.
PCI Compliance: A View from Outer Space
“It isn’t enough just to provide a bit pipe anymore,” says Tim Tang, marketing director of the Business Solutions Group at Hughes. “In the beginning, Hughes provided customers connectivity. Later, we optimized their networks. Now satellite service providers must be PCI compliant. If you aren’t compliant, retailers can’t use your network. The requirements are extremely burdensome, and it is imperative that we do more than just transmit data.” Hughes’ client base includes a large number of enterprise customers that send payment card data over their networks. At last count, the company serves more than 50,000 gas stations, 40,000 retailers and 17,000 restaurants, with the number of credit card transactions averaging somewhere between 5 million and 6 million per day. In addition, as a PCI compliant “merchant,” Hughes processes payment card transactions for more than 500,000 users of the HughesNet service in the consumer and SME segment.
The PCI Data Security Standard is updated on a three-year cycle. “Whenever new regulations come out, there are deadlines for enforcement,” says Tang. “PCI-DSS Version 2.0 was recently released, and there is a big push to get everyone upgraded, but there is a practical reality to the challenge. System upgrades can be very costly and, combined with a bad economy, many retailers were falling behind on their schedules. When confronted with the challenges, the council softened their deadline a bit, allowing companies who weren’t going to be compliant by this coming July to have an upgrade plan in place, but they have to stick to the plan and make the required upgrades.”
The Council categorizes merchants by size and has different requirements for compliance accordingly. Level 1 includes merchants who process more than 6 million credit card transactions per year. A typical convenience store chain can reach that number with just 20 locations. Level 1 merchants also face an annual on-site audit by a security firm certified by the council.
Merchants classified as levels 2-4 handle fewer transactions each year and must complete an annual self-assessment. In addition, all merchants must have quarterly network scans performed by a PCI Approved Scanning Vendor.