ALEXANDRIA, Va. – NACS and PCATS co-submitted a proposal to
the PCI Security Standards Council (SSC) to create a special interest group
(SIG) that will focus on the inability of small merchants to realistically
reduce card data risk, and therefore comply with mandated specifications for
card data security.
PCATS circulated its “We
Care” program of eight steps to card data risk reduction to the National
Restaurant Association and the Retail Systems Providers Association, as well as
other trade groups, as a method to address a nagging issue within the national
retail network: small and independent retailers just can’t comply with current
PCI specifications and card brand mandates.
“Current PCI mandates are an impossible science project for
our average retailer,” said Michael Davis, vice president of member services at
NACS. “Almost 5 million small and independent retailers out there have
very little idea on what to do, and even if they do, can’t implement the full
scope of the mandates — this includes more than 90,000 convenience stores. The
Data Security Committee at PCATS has effectively tackled this issue with its
risk mitigation guides and interaction with card brands, and created a program
all retailers can embrace. If we can get this SIG approved, we will
finally have a structured forum for our members at PCI.”
“Through our work at the Data Security Committee, we quickly
realized that our channel business structure mirrored many other channels,
where brands and franchises are comprised mainly of entrepreneurs and small
operators,” said Phil Schwartz, chairman of the Data Security Committee and manager
of information systems at Valero Payment Services Company. “These channel
models make compliance virtually impossible to achieve, so we have focused on
risk reduction as primary over compliance. Our approach with the ‘We Care’
program is that if you don’t get breached, compliance really isn’t an issue,
but we need to get that recognized as sufficient by PCI.”
The proposal, submitted on July 25, still has to be ratified
by PCI SSC. Both NACS and PCATS are actively asking aligned
organizations to back this initiative by signifying their support
directly to PCI SSC.