NACS, PCATS Propose PCI Small Merchant Special Interest Group

The proposal seeks to create a special interest group at the PCI Security Standards Council that will focus on the inability of small merchants to realistically reduce card data risk.

July 29, 2013

ALEXANDRIA, Va. – NACS and PCATS co-submitted a proposal to the PCI Security Standards Council (SSC) to create a special interest group (SIG) that will focus on the inability of small merchants to realistically reduce card data risk and, therefore, to comply with mandated specifications for card data security.

PCATS circulated its “We Care” program of eight steps to card data risk reduction to the National Restaurant Association and the Retail Systems Providers Association, as well as other trade groups, as a method to address a nagging issue within the national retail network: small and independent retailers just can’t comply with current PCI specifications and card brand mandates.

“Current PCI mandates are an impossible science project for our average retailer,” said Michael Davis, vice president of member services at NACS. “Almost 5 million small and independent retailers out there have very little idea on what to do, and even if they do, can’t implement the full scope of the mandates — this includes more than 90,000 convenience stores. The Data Security Committee at PCATS has effectively tackled this issue with its risk mitigation guides and interaction with card brands, and created a program all retailers can embrace. If we can get this SIG approved, we will finally have a structured forum for our members at PCI.”

“Through our work at the Data Security Committee, we quickly realized that our channel business structure mirrored many other channels, where brands and franchises are comprised mainly of entrepreneurs and small operators,” said Phil Schwartz, chairman of the Data Security Committee and manager of information systems at Valero Payment Services Company. “These channel models make compliance virtually impossible to achieve, so we have focused on risk reduction as primary over compliance. Our approach with the ‘We Care’ program is that if you don’t get breached, compliance really isn’t an issue, but we need to get that recognized as sufficient by PCI.” 

The proposal, submitted on July 25, still has to be ratified by PCI SSC. Both NACS and PCATS are actively seeking support for this initiative from aligned organizations, which can signify their support directly to PCI SSC.
