Ten Common Myths of PCI DSS
Source: PCI Security Standards Council – AT A GLANCE – PCI DSS MYTHS
Myth 1 – One vendor and product will make us compliant
Many vendors offer an array of software and services for PCI compliance. No single vendor or product, however, fully addresses all 12 requirements of PCI DSS. When marketing focuses on one product’s capabilities and excludes positioning these with other requirements of PCI DSS, the resulting perception of a “silver bullet” might lead some to believe that the point product provides “compliance,” when it’s really implementing just one or a few pieces of the standard. The PCI Security Standards Council urges merchants and processors to avoid focusing on point products for PCI security and compliance. Instead of relying on a single product or vendor, you should implement a holistic security strategy that focuses on the “big picture” related to the intent of PCI DSS requirements.
Myth 2 – Outsourcing card processing makes us compliant
Outsourcing simplifies payment card processing but does not provide automatic compliance. Don’t forget to address policies and procedures for cardholder transactions and data processing. Your business must protect cardholder data when you receive it, and when you process chargebacks and refunds. You must also ensure that providers’ applications and card payment terminals comply with the respective PCI standards and do not store sensitive cardholder data. You should request a certificate of compliance annually from providers.
Myth 3 – PCI compliance is an IT project
The IT staff implements technical and operational aspects of PCI-related systems, but compliance to the payment brand’s programs is much more than a “project” with a beginning and end – it’s an ongoing process of assessment, remediation and reporting. PCI compliance is a business issue that is best addressed by a multi-disciplinary team. The risks of compromise are financial and reputational, so they affect the whole organization. Be sure your business addresses policies and procedures as they apply to the entire card payment acceptance and processing workflow.
Myth 4 – PCI will make us secure
Successful completion of a system scan or assessment for PCI is but a snapshot in time. Security exploits are non-stop and get stronger every day, which is why PCI compliance efforts must be a continuous process of assessment and remediation to ensure safety of cardholder data.
Myth 5 – PCI is unreasonable; it requires too much
Most aspects of the PCI DSS are already a common best practice for security. The standard also permits the option of using compensating controls to meet some requirements. The standard provides significant detail, which benefits merchants and processors by not leaving them to wonder, “Where do I go from here?” This scope and flexibility leads some to view PCI DSS as an effective standard for securing all sensitive information.
Myth 6 – PCI requires us to hire a Qualified Security Assessor
Because most large merchants have complex IT environments, many hire a QSA to draw on their specialized expertise for the on-site security assessments required by PCI DSS. The QSA also makes it easier to develop and get approval for a compensating control. However, PCI DSS provides the option of doing an internal assessment with an officer sign-off if your acquirer and/or merchant bank agrees. Mid-sized and smaller merchants may use the Self-Assessment Questionnaire found on the PCI SSC Web site to assess themselves.
Myth 7 – We don’t take enough credit cards to be compliant
PCI compliance is required for any business that accepts payment cards – even if the quantity of transactions is just one.
Myth 8 – We completed a SAQ so we’re compliant
Technically, this is true for merchants who are not required to do on-site assessments for PCI DSS compliance – for that particular moment in time when the Self-Assessment Questionnaire and associated vulnerability scan (if applicable) is completed. After that moment, only a post-breach forensic analysis can prove PCI compliance. But a bad system change can make you non-compliant in an instant. True security of cardholder data requires non-stop assessment and remediation to ensure that the likelihood of a breach is kept as low as possible.
Myth 9 – PCI makes us store cardholder data
Both PCI DSS and the payment card brands strongly discourage storage of cardholder data by merchants and processors. There is no need, nor is it allowed, to store data from the magnetic stripe on the back of a payment card. If merchants or processors have a business reason to store front-card information, such as name and account number, PCI DSS requires this data to be encrypted or made otherwise unreadable.
Myth 10 – PCI is too hard
Understanding and implementing the 12 requirements of PCI DSS can seem daunting, especially for merchants without security expertise or a large IT department. However, PCI DSS mostly calls for good, basic security. Even if there were no requirement for PCI compliance, the best practices for security contained in the standard are steps that every business would want to take anyway to protect sensitive data and continuity of operations. There are many products and services available to help meet the requirements for security – and PCI compliance. When people say PCI is too hard, many really mean to say compliance is not cheap. The business risks and ultimate costs of non-compliance, however, can vastly exceed those of implementing PCI DSS – fines, legal fees, decreases in stock equity, and especially lost business. Implementing PCI DSS should be part of a sound, basic enterprise security strategy, which requires making this activity part of your ongoing business plan and budget.
© 2008 PCI Security Standards Council LLC. The intent of this document is to provide supplemental information, which does not replace or supersede PCI SSC Security Standards or their supporting documents.
The Tipping Point for Self-Checkout: It’s Tipped
Source: Nikki Baird, Managing Partner, Retail Systems Research LLC. Dated: 11/6/2007
Self-checkout (SCO) has had its ups and downs. From being praised to being vilified by retailers and consumers alike, it appears that our relationship with SCO is love-hate: you either love it or you hate it.
Love it or hate it, it’s here to stay. Not only is it increasing its penetration in grocery, it’s expanding beyond that traditional base to make headway in big box specialty (Fujitsu recently announced a deployment at Canadian Tire). Precursors to SCO are even finding their way into department stores with price checkers mounted throughout the stores and some major department store retailers reorganizing themselves with consolidated checkout stations closer to store entrances.
But the real tipping point for me came last week at Retalix’s user group conference. I attended a panel session headed by Jarrod Welch from Reasor’s, an independent grocery chain centered around Tulsa, OK, and John Sweigart from Redner’s, another independent out of Redding, PA. The reasoning that they – and other independent retailers in the audience – gave for their adoption of SCO was eye-opening. Redner’s is even on their second generation of SCO.
The rationale for these independents for investing in SCO is that many of their customers are already trained on using self-checkout, and so are coming to expect that SCO is part of the shopping experience – at least for groceries. To these retailers, SCO is a customer service play required to keep up with larger chain competitors. They view it as a customer service benefit, increasing the amount of choice a consumer has over how they go about buying their groceries. Both of the panelists said that they did not reduce labor when they implemented SCO, but reinvested labor dollars that SCO freed up into keeping more full service lanes open during high volume hours. Both also mentioned that the benefits came primarily from increasing the checkout capacity in the front of the store without taking away selling square feet.
The panelists shared their experience, emphasizing some lessons learned the hard way:
Provide all of the same services at SCO that consumers are used to getting at full service registers. Reasor’s had not enabled cash back from debit transactions at SCO at the very beginning, thinking that SCO customers would not be heavy users of the option. They quickly realized this was not the case. Consumers expect all of the same services at SCO as at any other register.
Pay close attention to spacing and placement. Both panelists emphasized this. There needs to be enough space within the “pod” of self-checkout stations so that carts can maneuver – not less than seven feet and more like eight. Also, environmental factors can play a role: Reasor’s, with their locations in “tornado alley” found that high winds impacted the function of the scales. For independent retailers, placement and spacing is particularly important because of the expense of installation. Reasor’s didn’t discover the issue with wind until after several stores had been installed – no small percentage of their total chain. While they could correct it in future installations, it’s a hard hit to have to go back in and fix the earlier installs.
Take the time to educate your customers and employees. The panelists noted that it’s important to educate consumers – to use signage and lane lights to make sure that consumers understand that SCO is an option for them, and to help them understand that SCO is not a replacement for standard express lanes – that there will be no reduction in service options available to them at checkout. Employee buy-in is also important. Redner’s encountered employee resistance to SCO because employees thought that the implementation was targeting labor budget. Redner’s had to make sure employees understood that labor budget was not being cut – that SCO was being implemented to boost customer service and overall checkout capacity.
Self-checkout is increasingly a fact of life, but even this year it still has a reputation as a “new” technology. Independent grocers face the stiffest competition, the least capital available for investment in technology solutions, and the least risk tolerance for experimenting and testing new concepts. When these retailers speak of SCO not in terms of ROI, but in terms of staying competitive, it’s clear SCO has passed the tipping point.
Tradeshows – Spring 2009
Bar and Beverage Conference & Expo
April 28 & 29, 2009
noon-5:00
Stampede Park, Roundup Centre
AM/PM @ Hall D, Booth 216 & 218
——————————
The Convenience U CARWACS Show
May 12-13, 2009
noon-5:00
Calgary TELUS Convention Centre
AM/PM @ Booth 826
Grocery Showcase West – Vancouver
Grocery Showcase West 2009
PRESENTED BY Canadian Federation of Independent Grocers (“CFIG”)
Grocery Showcase West is all about serious business. Top quality buyers are attracted to Grocery Showcase West because there is no better grocery event in the West!
Where:
AM/PM booth # 320
Vancouver Convention & Exhibition Centre
Vancouver, BC
When:
Tuesday & Wednesday
March 10 & 11, 2009
Convenience U CARWACS show – Toronto
The Convenience U CARWACS Show returns for its 6th year of providing leading education and the industry’s best trade show for convenience, gas and car wash operators across Canada.
When:
12 – 5 pm, March 10, 11, 2009
Where:
AM/PM booth #434
Toronto Congress Centre
650 Dixon Road
Toronto, ON M9W 1J1
GS1 DataBar 2010 Sunrise
Source: Matt Monte, Product Line Manager, Datalogic Scanning; Presentation materials from Retalix Synergy 2008
What is GS1 DataBar?
The GS1 system of standards is the most widely used supply chain standard system in the world.
• DataBar is a new bar code symbology
• A renamed version of Reduced Space Symbology (RSS)
• GS1 DataBar can encode over 100 types of data elements (AIs) (serial or lot numbers, expiration dates, and measurements)
Why GS1 DataBar?
General Benefit Areas:
• Enable control of products unable to use existing bar codes due to the size of their packaging
• Better control of inventories, shrinkage, and product recalls
• Better control over products exceeding their expiration dates
• Enable scanning of fresh food products and variable-measure fresh foods (e.g. produce, meat, fish, deli)
• More advanced coupon promotions
Where to use GS1 DataBar?
There are four specific target applications for food retail:
• Replacing UPC/EAN on small packaged goods
• Marking fresh produce
• Variable-measure fresh items
• Coupons
DataBar Implementation Implications Summary
POS Scanners
• Scanners need to have software that is capable of reading the GS1 DataBar codes that are intended for POS use
• Some legacy scanners are incapable of GS1 DataBar reading
• Many legacy and current scanners will require updated software loads
• Software needs to manage dual bar code coupons (if necessary)
• Scanners must have this GS1 DataBar reading capability enabled
• Usually enabled by scanning programming labels
POS System Software
• POS software must manage additional new coupon offers
• Must manage variable-weight label additions such as expiration dates
• Must manage multiple suppliers for the same produce item
More information on GS1 and GS1 DataBar can be found at www.gs1.org
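The bullets above say a DataBar symbol carries Application Identifier (AI) fields and that POS software must act on expiration dates and variable weights. The following is an added example, not code from the article or from Datalogic/Retalix, that parses a GS1 element string the way a scanner delivers it (AI digits, then the field, with the FNC1 separator as the GS control character after variable-length fields), verifies the GTIN check digit, and decodes the weight and expiry. The AI subset (01, 10, 17, 21, 3103) follows the GS1 General Specifications; the sample data is constructed.

```python
import calendar
from datetime import date

# Subset of real GS1 Application Identifiers (AIs), not an exhaustive table.
# AI -> (field name, fixed field length, or None for variable length up to 20)
AI_TABLE = {
    "01": ("gtin", 14),
    "10": ("batch_lot", None),
    "17": ("expiry_yymmdd", 6),
    "21": ("serial", None),
    "3103": ("net_weight_kg_3dp", 6),
}
FNC1 = "\x1d"  # scanners emit the GS control character for an FNC1 separator


def gtin_check_digit_ok(gtin: str) -> bool:
    """GS1 mod-10 check digit: weights 3,1,3,1,... from the rightmost data digit."""
    if not (gtin.isdigit() and len(gtin) == 14):
        return False
    body, check = gtin[:-1], int(gtin[-1])
    total = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(reversed(body)))
    return (10 - total % 10) % 10 == check


def parse_element_string(data: str) -> dict:
    """Split concatenated AI fields. Fixed-length AIs need no separator;
    variable-length ones run to the next FNC1 or to the end of the data."""
    fields, pos = {}, 0
    while pos < len(data):
        ai = next((data[pos:pos + n] for n in (2, 3, 4) if data[pos:pos + n] in AI_TABLE), None)
        if ai is None:
            raise ValueError(f"unknown AI at offset {pos}: {data[pos:pos + 4]!r}")
        pos += len(ai)
        _, fixed = AI_TABLE[ai]
        if fixed is not None:
            value = data[pos:pos + fixed]
            if len(value) != fixed or not value.isdigit():
                raise ValueError(f"AI {ai}: expected {fixed} digits")
            pos += fixed
        else:
            end = data.find(FNC1, pos)
            end = len(data) if end == -1 else end
            value = data[pos:end]
            if not 1 <= len(value) <= 20:
                raise ValueError(f"AI {ai}: variable field must be 1-20 characters")
            pos = min(end + 1, len(data))  # step over the FNC1 separator if present
        fields[ai] = value
    return fields


def decode(data: str) -> dict:
    """Turn raw fields into the typed values a POS acts on (GTIN, weight, expiry)."""
    raw = parse_element_string(data)
    out = {}
    if "01" in raw:
        if not gtin_check_digit_ok(raw["01"]):
            raise ValueError("GTIN check digit mismatch: reject the scan")
        out["gtin"] = raw["01"]
    if "3103" in raw:
        out["net_weight_kg"] = int(raw["3103"]) / 1000  # AI 310n: n implied decimals
    if "17" in raw:
        yy, mm, dd = (int(raw["17"][i:i + 2]) for i in (0, 2, 4))
        year = 2000 + yy
        if dd == 0:  # GS1 rule: DD "00" means the last day of that month
            dd = calendar.monthrange(year, mm)[1]
        out["expires"] = date(year, mm, dd)
    for ai, name in (("10", "batch_lot"), ("21", "serial")):
        if ai in raw:
            out[name] = raw[ai]
    return out


# Constructed sample: GTIN, 1.250 kg net weight, expiry "Feb 2025", lot, serial
SAMPLE = "0109501101530003" + "3103001250" + "17250200" + "10ABC123" + FNC1 + "21SER9"
```

Rejecting a scan on a check-digit mismatch is what stops a misread DataBar label from being priced or tracked as a different item.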
Expect “Univations” from Fujitsu
Source: Retail Reseller News | 8 Knollwood Dr | Mendham | NJ | 07946
Week of October 20, 2008 / Michael Kachmar, Editor
Fujitsu Transaction Solutions (Richardson, TX) has unveiled its new self-service initiative, dubbed “Univations.” (Think Innovation and “You,” the Consumer.) The program seeks to move Fujitsu from self-checkout, to kiosks in multiple form factors, to emerging opportunities in mobile commerce, explained Fujitsu executives during dinner with RRN.Com this week. To do so, it will leverage the Fujitsu brand, the company’s knowledge of retail, its Pervasive Retailing software framework, and its service offerings.
“Current market conditions are favorable for adoption of self-service,” explained Peter Wolfe, VP, Self-Ordering & Univations Operations. “We feel some of these self-service initiatives may even be mandated by retailers who are trying to save labor and realign their businesses in the manner of banks and airlines.”
Univations will be structured on the “Bronze, Silver, Gold” strategy, in which products are presented in three tiers of functionality and capability to address customer needs, as well as budget. At NRF in January, Fujitsu plans to showcase wall-mount, pedestal, and full-blown kiosks that the company will bring to market and lifecycle manage. In addition to traditional retail, the company intends to pursue near-term opportunities in c-store and gas, quick-service restaurants, and entertainment/arena applications.
“On the software side, we’re going to leverage some of our GlobalStore assets,” Wolfe continued. “Beyond that, we’re going to bring in a partner network to offer additional solutions. Right now, we’re working with a partner in deli order/queue management in the grocery arena. We’re also looking at gift registry, guided selling, and product location.” He noted that Fujitsu’s upcoming PowerPartner program will span self-service as well as traditional POS, and that there has been much interest in outdoor kiosks on the part of the channel.
Payment Application Security Mandates – VISA
Source: VISA
Beginning January 1, 2008, Visa implemented a series of mandates to eliminate the use of vulnerable payment applications from the Visa payment system. These mandates require acquirers to ensure that their merchants and agents do not use payment applications known to retain sensitive cardholder data elements (i.e. full magnetic stripe data, CVV, CVV2 or PIN data), and require the use of payment applications that adhere to the PABP.
Outlined below are each of the five mandates, which will take effect over the next three years.
Phase – Compliance mandate – Effective date
Phase I – Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors (VNPs) and agents must not certify new payment applications to their platforms that are known vulnerable payment applications – 1/1/08
Phase II – VNPs and agents must only certify new payment applications to their platforms that are PABP-compliant – 7/1/08
Phase III – Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PABP-compliant applications – 10/1/08
Phase IV – VNPs and agents must decertify all vulnerable payment applications – 10/1/09
Phase V – Acquirers must ensure their merchants, VNPs and agents use only PABP-compliant applications – 7/1/10
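The mandates above, like Myth 9 earlier on this page, turn on one question: does a payment application leave full magnetic stripe data, CVV/CVV2 or cleartext account numbers behind in its storage or logs? The following is an added example, not Visa’s or PCI SSC’s tooling, of the kind of check a merchant or assessor runs over an application’s log output to answer that. It matches the Track 2 layout (`;PAN=YYMMSSS...?`), labelled CVV fields and bare 13 to 19 digit runs, uses the Luhn check to discard timestamps and counters, and reports only first six / last four. The log lines are constructed; PIN data cannot be found by pattern matching and is out of scope.

```python
import re

# Track 2 as written to a log: optional start sentinel, PAN, '=', YYMM, service code
TRACK2 = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})\d*\??")
PAN = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
CVV_FIELD = re.compile(r"\b(cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; most random digit runs (dates, counters) fail it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Report at most first six / last four, the PCI DSS display limit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Return (kind, evidence) pairs for one log line."""
    findings = []
    m = TRACK2.search(line)
    if m and luhn_ok(m.group(1)):
        findings.append(("track2", mask(m.group(1))))
        line = line[:m.start()] + line[m.end():]  # don't report its PAN twice
    for m in CVV_FIELD.finditer(line):
        findings.append(("cvv", m.group(1).lower()))
    for m in PAN.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append(("pan", mask(m.group(1))))
    return findings


def scan_log(text: str) -> list:
    """(line number, kind, evidence) for every hit in a log blob."""
    return [(n, kind, ev) for n, line in enumerate(text.splitlines(), 1)
            for kind, ev in scan_line(line)]


# Constructed sample log; 4111111111111111 is a widely used Luhn-valid test number.
# Line 1 is what a compliant application writes; lines 2 and 3 are the violations.
SAMPLE_LOG = """\
2008-10-20 14:02:11 INFO  auth ok txn=8831 pan=411111******1111 amt=42.10
2008-10-20 14:02:12 DEBUG raw=;4111111111111111=25121011234567890? resp=00
2008-10-20 14:02:13 DEBUG retry cvv2=123 pan=4111111111111111 amt=42.10
2008-10-20 14:02:14 INFO  settle batch=20081020 count=17
"""

if __name__ == "__main__":
    for n, kind, ev in scan_log(SAMPLE_LOG):
        print(f"line {n}: {kind} {ev}")
```

A hit on a "track2" or "cvv" line after authorization is exactly the behaviour the Phase I and IV decertifications target; a cleartext "pan" hit is the Myth 9 case of data that must be encrypted or otherwise made unreadable.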
Interac® and EMV for Gilbarco’s pay at pump
Gilbarco’s pay at pump is first and only modular system to achieve both Interac® and EMV certification
GREENSBORO, NC – January 28, 2008 – Gilbarco is the first payment provider to obtain Interac Association Device Certification for outdoor payment solutions. This certification covers the full line of Gilbarco® outdoor payment solutions, branded FlexPay™, including CRIND™ and modular components that can be retrofitted to any existing dispenser. This certification means that petroleum retailers in North America and globally now have a solution to process EMV transactions at the pump. The Gilbarco FlexPay offering also has Europay MasterCard Visa (EMV) Level 1 and Level 2 certification and Payment Card Industry PIN Entry Device (PCI PED) approvals.
“Gilbarco demonstrated its leadership in payment security by involving customers like us in their development and commercialization processes for the FlexPay payment system. The FlexPay system in OEM, retrofit and modular forms provides Husky with tremendous opportunities to provide secure and convenient payment options to our customers. The capability to effectively deliver marketing programs via the FlexPay system is an essential feature as we make investment decisions to upgrade our payment terminals,” said Terry Kinnunen, manager of retail technology at Husky Energy Corporation.
“We have long been an innovator in outdoor payment solutions. With over a million payment terminals installed in dispensers, we understand the need for backward compatible, reliable technologies in the fuel dispenser,” stated Kirsten Paust, vice president of marketing for Gilbarco Veeder-Root. “This approval allows our customers to upgrade to an EMV terminal well in advance of the mandated timelines without accepting the risks and expense that would come with adding a third-party device. This is hugely valuable to retailers in Canada and other international markets adopting EMV.”
FlexPay is available factory-installed in Gilbarco Encore® S dispensers, as a modular retrofit kit, or as individually-approved components to upgrade any Gilbarco or Tokheim dispenser. In all cases, the FlexPay solution maintains the regulatory approvals and valuable warranty on the Gilbarco dispenser.
“We like the fact that FlexPay leverages our existing install base and saves us the cost associated with new dispenser installations,” said Frank Cozzolino, manager of IT for Canadian Tire Petroleum. “Our customers will appreciate the integrated appearance and consistent user interface.”
About Gilbarco Veeder-Root
Gilbarco Veeder-Root and Gasboy are leading suppliers of integrated fuel control, site management, and support services for petroleum marketers and commercial fueling enterprises worldwide. (www.gilbarco.com, www.veeder.com, www.gasboy.com). For more information visit www.gilbarco.com.
Calgary Co-op Customers Now Have Self-Checkout from StoreNext
Installation of Fujitsu U-Scan Systems Helps Canadian Retailer Address Regional Labor Shortages
Calgary Co-operative Association Limited (Calgary Co-op) has completed a chain-wide rollout of self-checkout that has enhanced customer service and shopper satisfaction.
The project, completed in early April by StoreNext dealer AM/PM Service, integrates Fujitsu U-Scan self-checkout systems with StoreNext’s ISS45 point-of-sale systems. With unemployment in the Calgary metropolitan area averaging just 3.2 percent over the past 10 years, the shortage of retail service personnel contributed to the project’s importance.
“Our stores are seeing an increasing number of customers using the self-checkout lanes,” said Donna Burn, vice president of member and public relations for Calgary Co-op. “This has taken pressure off of our staffed checkout lanes during a time when Calgary is experiencing continuing labor shortages.”
Research from Statistics Canada indicates that the retail sector will need to add 25,000 jobs over the next 10 years, an increase of 35 percent from 2007 figures.
The successful pilot installation in April 2007 led to an all-enterprise retrofit schedule, installing U-Scan in additional retail centers at approximately one-week intervals. In each store, Calgary Co-op replaced one or two of its up-to-21 standard checkout lanes with four U-Scan self-checkout units. After a pause for the holiday shopping season the rollout continued in January 2008 to the remaining retail centers, until 88 self-checkout units overall were operating in the Co-op’s 22 food centers.
All of Calgary Co-op’s stores also use StoreNext’s ISS45 point-of-sale (POS) software system. StoreNext’s ISS45 transaction processing architecture is designed for the extreme performance requirements of today’s challenging supermarket business, in addition to many important time-saving and shopper-service features.
U-Scan is Fujitsu’s family of self-checkout systems, featuring a space-saving footprint and an intuitive shopper interface that speeds customers through the self-checkout process.
AM/PM Service has provided POS systems, software and support to Calgary Co-op for more than 12 years and is one of Canada’s largest point-of-sale and service companies.
About Calgary Co-operative Association Limited
Locally owned and operated, Calgary Co-op is one of the largest retail co-operatives in North America, with more than 425,000 members, 4,000 employees, $352 million in assets and annual sales of $998 million. Calgary Co-op has 22 retail shopping centers, 22 pharmacies, 26 gas bars, nine travel offices and 15 liquor stores located in Calgary, Airdrie, Strathmore and Okotoks, Alberta. For more information, please visit www.calgarycoop.com.