JANUARY 2006 www.ISMRetail.com

PAYMENT SECURITY: To comply with PCI requirements, this c-store chain remotely manages security and application updates on 2,500 PCs.

RFID: Prepare for RFID by examining your business processes and sharing data with your trading partners.

Duane Reade’s pharmacy kiosk project met customer demand for 24-hour service. Now, the retailer is licensing the technology to its competitors. (Pictured: David Siegel, director of business development, Duane Reade)

MULTICHANNEL RETAILING: By outsourcing payment processing, the PGA TOUR enabled multichannel retailing and PCI (payment card industry) compliance.


Secure Payment Processing Is No Luxury

Implementing thin-client payment processing provides the PGA TOUR with a PCI (payment card industry)-compliant solution that includes built-in disaster recovery protection.

by Jay McCall

The PGA TOUR’s business strategy: “Move as much technology out of the retail operation and let the retail staff focus on the customer.”
Steve Evans, PGA TOUR

Feature Story Payment Processing/ASP


If there’s one theme from 2005 that will forever remain etched in retailers’ minds, it’s the importance of payment processing security. Last year was marked by several instances of lost/stolen credit card data. Banking giant Citigroup Inc. lost 3.9 million customers’ information when computer tapes and payroll information were stolen from the car of an employee of an information security company. Another data security breach occurred after a hacker broke into Atlanta-based CardSystems Solutions Inc.’s database, compromising as many as 40 million credit card numbers. Even though in both of these examples, the payment processors were the victims, most retailers know the responsibility to reconcile these problems ultimately rests on them. In fact, there are several accounts of small businesses paying credit card companies thousands of dollars after stolen credit cards were used at their stores or their Web sites. To add to retailers’ burden, the Payment Card Industry (PCI) Data Security Standard, a set of security requirements adopted by the major credit card companies, levied a serious mandate in 2005. Since June 30, 2005, retailers that process credit card transactions have to be able to prove they comply with the PCI Data Security Standard. Those that don’t could face fines up to $500,000 and potentially lose their right to accept credit cards for payment.

Outsource Your Payment Processing Burden

This threat is bad enough for the retail giants of the world, but what about midsize retailers like PGA TOUR, Inc.? PGA TOUR is a nonprofit golfing organization that hosts nearly 100 golf events each year, such as THE PLAYERS Championship. The organization pays out more than $250 million in prize money annually and has contributed more than $1 billion to charitable causes since its inception in 1938.

The TOUR has 24 private clubs (under the name Tournament Players Club) located throughout the United States where it sells golf apparel and merchandise. In the past, the club operated a traditional client/server POS system, which required POS servers at each facility. A desire to have better control of its data and a need for additional payment processing security led PGA TOUR to change its payment processing solution to a hosted, thin-client solution. The upgrade helped the retailer achieve its main objectives and enabled PGA TOUR to expand its business in ways it never thought possible.

Steve Evans, the VP of information systems at PGA TOUR, says the TOUR’s decision to move to a hosted payment processing solution was based on one strategy: “Move as much technology out of the retail operation and let the retail staff focus on the customer.”

Several years ago, at the advice of its POS vendor (InfoGenesis), PGA TOUR implemented payment processing vendor Shift4 Corp.’s $$$ IN THE BANK (pronounced “dollars in the bank”) solution to process and track sales transactions at each club. The TOUR maintained a transaction database and payment processing switch at its data center in Ponte Vedra Beach, FL. Each club connected to the data center via a dedicated WAN (wide area network). The club’s database contained information such as items purchased, the time of the transaction, and, if a credit/debit card was used, the credit card as well. Even though the TOUR never had any payment processing problems, there were a couple of potential issues it wanted to address. “Florida is known for its hurricanes,” says Evans. “If a hurricane had hit our data center, clubs across the country would have lost the ability to process transactions. Even more concerning, stolen credit card information was becoming a billion-dollar problem for the retail industry.”

The TOUR contacted its payment processing vendor for advice. “Shift4 informed us it is certified with the PCI and could host our credit card processing,” recalls Evans.

Before making a commitment to abandon its existing system, the TOUR set up a test at its Sawgrass club in Florida. The test entailed installing Shift4’s NET API (application program interface) and configuring the corporate WAN to recognize Shift4’s IP (Internet Protocol) address. “The entire process took less than 2 hours,” recalls Evans. “There was no custom programming involved and no change to any of the store payment processing procedures, so no training was involved.”

Installation Profile

Technology User: PGA TOUR, Inc.

Annual Sales: Not disclosed.

Total Facilities: 24

Geography: Headquartered in Ponte Vedra Beach, FL. The organization operates 24 Tournament Players Club private golfing facilities and hosts nearly 100 golf events each year in 22 states plus Canada, Portugal, and Scotland.

Problem: A disparate POS (point of sale) system and payment processing solution became an overwhelming burden. Concerns about online identity theft and fraudulent credit card use caused the club to look for an alternative means of processing payments.

Solution: The TOUR replaced its in-house payment processing solution with Shift4 Corp.’s $$$ ON THE NET. The hosted solution places the burden of credit card protection on Shift4 and also provides the TOUR with disaster recovery protection.

Primary Vendors: IBM, InfoGenesis, Shift4

Once the payment processing was upgraded, all of the Sawgrass club’s transaction data was sent to and stored at Shift4’s data center using Shift4’s VirtualLeasedLine service, which encrypts the data using VPN (virtual private network) tunneling. In the event a PGA TOUR manager needs to investigate a purchase dispute, the manager can access the transaction data via a secure online connection to Shift4’s data center.

Shortly after testing the hosted solution, PGA TOUR switched the rest of its clubs over in a two-month period. The entire rollout took only 40 hours of labor, and besides a few server driver updates, no glitches sprang up during the process.

Hosted Payment Processing Leads To Gift, Loyalty Card Opportunities

Having its payment processing data managed by an ASP (application service provider) provides the TOUR with two benefits. First, it enables the organization to offer e-commerce capabilities at its Web site, which is especially important for selling tickets to its golfing events. Another benefit is the peace of mind it gains with a PCI-compliant solution, knowing that all of the payment processing responsibility is handled by its payment processing vendor.

One benefit the PGA TOUR has yet to take advantage of, but is currently looking into, is an electronic stored value program that will enable the club to upgrade its current paper-based gift certificates to gift cards. “We also want to implement a customer loyalty card program that can be administered by store managers at each club,” says Evans. “We will administer the cards and sign up the customers, and our ASP will keep track of and protect the value on the cards. By running our business this way, we don’t have to worry about hackers stealing our customers’ credit cards from our database, and we also like the fact our vendor has a disaster recovery facility that will automatically take over in the event its primary data center goes down.”


Put Payment Processing On A 12-Step Plan

One of the primary reasons the PGA TOUR outsourced its payment processing to ASP (application service provider) Shift4 Corp. was to relieve itself of the burden of having to store and protect customers’ credit card data. The TOUR found this and more with Shift4’s $$$ ON THE NET (pronounced “dollars on the Net”). Shift4 maintains ongoing compliance with the Payment Card Industry (PCI) Data Security Standard, which was developed by the major credit card companies to curb the billions of dollars in fraudulent credit card transactions that take place each year. To achieve compliance, payment processing vendors such as Shift4 must demonstrate network security competency in 12 areas:

1. Install and maintain a firewall to protect data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored data.
4. Encrypt transmission of cardholder data and sensitive information across public networks.
5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.

According to the TOUR, its payback from $$$ ON THE NET was almost immediate. One of the reasons for the short payback is the audit before settlement feature that prompts merchants to validate transaction amounts so errors are detected before payment processing fees are charged.

For More Information On Shift4 Go To www.shift4.com

Jay McCall is a contributing editor at Integrated Solutions For Retailers magazine. He can be reached at: [email protected].

Posted with permission from Integrated Solutions For Retailers. Copyrighted 2006. For subscription information, call (814) 868-9935 or visit www.ISMRetail.com. #1-14052672 Managed by Reprint Management Services, 717.399.1900. To request a quote online, visit www.reprintbuyer.com.

1491 Center Crossing Road
Las Vegas, NV 89144
(702) 597-2480
www.shift4.com
