Bite the Bullet Part 2 | NACS – Magazine – Past Issues – 2009 – November 2009
Sign In Help

Advancing Convenience & Fuel Retailing

Skip Navigation LinksNACS / Magazine / Past Issues / 2009 / November 2009 / Bite the Bullet Part 2

Bite the Bullet Part 2

By Jerry Soverinsky


How else can we characterize the impact on an industry whose promise to its customers is one of convenience, yet whose customers’ preferred pay­ment method — one predicated on con­venience — is the one threatening its very survival?

Credit cards.

It’s hard to imagine that an indus­try that can withstand a historic re­cession (one that has devastated other retailing segments) has found its Achilles heel in wallet-sized pieces of plastic. As one of the biggest issues facing convenience store retailers, credit cards are the focus of heated, ongoing debates at the state and fed­eral levels, and whose inherent costs threaten to cripple retailers both big and small.

And no, we’re not talking about cred­it card interchange fee costs — we’re talking about the costs of PCI compli­ance.

PCI compliance (and data security in general) poses a more significant finan­cial challenge for retailers, with potential financial penalties unmanageable even for the largest corporations. It’s also an emotional issue for retailers, and understandably so since the mandatory requirements present a de facto loss of control for those whose day-to-day processes are ongoing exercises in self-determination.

And while imminent deadlines cre­ate a deepening sense of oppression, find reassurance in this: You’re not alone.

No matter your sales volume, geo­graphic location or the brand of fuel at your pumps, if you’re a NACS member, your interests are top-of-mind and pas­sionately represented by the association.

While you might wear many hats during the course of the day — indeed, because you wear many hats — NACS is standing up for your interests, mak­ing sure that PCI compliance is as bearable as possible and that it does not place unreasonable burdens on your operations.

So while you’re wearing the hat of the manager, HR director and store greeter, here’s what NACS is doing for you...

Money and Time
The most pressing PCI concerns for re­tailers are the cost and convenience of achieving compliance. NACS estimates even more severe. Indeed, MasterCard has blurred the lines of Level 1 and Level 2 merchant compliance standards and penalties.

"Should the small operator not comply, they run the risk of being assessed fines of up to $5,000 per store, per month and loss of card acceptance — in an industry with an average pre-tax profit of less than $4,000 per month," said Gray Taylor, cards payments consultant for NACS.

"Visa has confirmed to me that they have no intention of fining small operators out of business, but that attitude may change at any time, and MasterCard has not signaled its agreement with Visa," Taylor continued. "Further, there has been no softening by either brand when it comes to larger Level 1 and 2 merchants."

Larger companies in particular face burdensome penalties that are becoming even more severe. Indeed, MasterCard has blurred the lines of Level 1 and Level 2 merchant compliance standards and penalties.

"MasterCard has unilaterally collapsed the requirements of Level 2 merchants to the more costly and stringent requirements of the largest Level 1 retailers," Taylor explained.

"Similarly, they have extended the larger fines for non-compliance. Before, a Level 2 merchant [around 150 convenience stores] could be fined $60,000 per year for non-compliance by each of Visa and MasterCard. After MasterCard’s changes, [they are] now liable for fines up to $375,000 per year...along with the increased cost of complying with the Level 1 mandates," he said.

These penalties are sufficient to mo­tivate action among all retailers, yet the hard costs of compliance are proving overwhelming.

"Several retailers have stated that the entirety of their IT budget is dedi­cated to simply complying with the PCI mandates — at the cost of postpon­ing other IT initiatives that improve operating performance," Taylor said. "Further, the technical and security knowledge required to become com­pliant, along with the estimated $20,000 per store cost, is recognized to be a huge challenge for the indus­try’s roughly 90,000 single-store op­erators who don’t have the resources to easily comply."

And all of this is compounded by the hardship of meeting what for many is an unreasonable compliance timeline.

"The card brands have driven dead­lines that are in most cases impossible to meet," said Drew Mize, vice presi­dent of product management and mar­keting at The Pinnacle Corporation.

"[The deadlines] have achieved noth­ing but continually erode [the indus­try’s] actually meeting their require­ments because [the card companies] constantly extend the deadlines and/or change the requirements before the pri­or set of requirements were met by any majority of retailers," Mize stated. "Re­tailers don’t really know where the goal­posts are so as a result we don’t act and wait for the posts to be moved again."

Turbo Tax Meets SAQ
Recognizing these challenges, NACS has invested significant effort on mak­ing compliance, especially for small re­tailers, meaningful, attainable and un­complicated.

The solution targets PCI’s Self As­sessment Questionnaire (SAQ), a vali­dation tool (which retailers complete annually and submit to their acquiring bank), that offers remediation guidance and best practices that ensure ongoing compliance.

While larger retailers are more ca­pable of bearing the costs of PCI com­pliance, smaller retailers have been hindered by complexities and costs, es­pecially in filling out the SAQ, which even for IT types can prove confusing.

"We have 93,000 Level 4 retailers — maybe even close to 105,000 — and fill­ing out the SAQs is like looking at the [IRS] 1040 long form," Taylor said. "I’ve gone through the SAQs and they’re challenging for me."

NACS approached several of the major oil companies at NACStech in May and made the case for a simplified, uniform solution — a TurboTax-like approach to the SAQ. The end result was announced in October at the NACS Show: NACS EZ PCI, which is a simpli­fied, interview-based software solu­tion for filling out PCI’s Self Assess­ment Questionnaire.

Offered exclusively in partnership with Coalfire Systems, a recognized leader in PCI assessment services, NACS EZ PCI guides retailers through the SAQ process step by step. With a price tag of $119, this is a significant savings from recruiting third-party IT assistance, and down significantly — nearly 80 percent — from the early vendor quotes that NACS received.

"We’ve gotten our costs down from $500 a unit for a 'one size fits all’ product to $119 for the compliance in­terview process that is specific to our industry and provides $50,000 of breach insurance; $149 including quarterly port scans to ensure hack­ers aren’t coming through the back door, which is great for small retailers who are breaking even," Taylor said. "The last thing a small retailer can do is pay thousands of dollars [for com­pliance efforts]."

The Pursuit of Uniformity
Ensuring that your company is PCI compliant is complex enough. Add to that evolving state regulations in the absence of federal guidance, and it’s no wonder the issue has many retailers gasping for relief.

To date, there is no federal law gov­erning PCI compliance. However, some states have taken the issue into their own hands with legislative ac­tion. In 2007, Minnesota passed the Plastic Card Security Act. Earlier this year, Nevada enacted its Security of Personal Information law. Massa­chusetts is actively pursuing its own data protection regulation (201 CMR 17.00). Collectively, these piecemeal standards have NACS payment indus­try experts uneasy.

"Regardless of how merchants feel about PCI, it is at least a single standard that applies to the entire U.S. region," said Jim Huguelet from The Huguelet Group LLC, an IT consulting firm. "If this trend [states passing individual laws] continues, it will represent per­haps the worst possible scenario for merchants, resulting in a patchwork of state laws around payment security."

The result for retailers would be compliance with possibly conflicting laws, a costly administrative nightmare that would lead NACS to pursuing fed­eral guidance.

"[A] single federal law that preempts the states might be the best possible outcome," said Huguelet, adding that it would allow NACS and the industry "to focus its education efforts into a sin­gle piece of legislation to make it as bal­anced as possible rather than having to try and do the same as part of dozens of individual states’ legislative processes."

Currently, a federal approach is not being pursued aggressively by NACS, with most of its efforts concentrated on PCI compliance and data security.

"Right now, [pursuing a federal law that consolidates state law] is a side issue that we’ve just started," said Taylor. "Quite frankly, the Depart­ment of Homeland Security isn’t sure that it wants to take on credit card se­curity despite the fact our president has said card security is a matter of 'national security’."


PCI compliance and data security are ongoing concerns, with standards that require constant reassessments based on evolving technologies.

Recognizing this, in September, NACS partnered with the Petroleum Convenience Alliance for Technology Standards (PCATS) to form the Data Security Standards Committee (DSSC), a group dedicated to addressing data security-related issues.

"Card companies and PCI have is­sued far reaching security mandates to retailers, intended to help secure consumer card and transaction data," said Alvin Fortson, PCATS Electronic Business-to-Business Committee chair and director of systems development of the Pantry Inc.

"As retailers, we share the goal of providing our customers a safe and se­cure card payment infrastructure. This committee will further this goal by providing concise, cost-effective solutions [as] needed for retailers of all sizes to reduce and eliminate security risks, " he said.

What’s At Stake?
More significant for NACS members is not just PCI compliance, but data secu­rity. For as the Heartland breach illus­trates (see sidebar on page 38), validat­ed compliance does not equate with foolproof data security, and those suf­fering breaches cannot count on the card companies to stand in their cor­ner. And in such a case, the most bur­densome costs to retailers quickly come to bear.

"If there’s a data breach and card numbers are lost with the security codes, the chance for fraud is almost 100 percent," said Rick Dakin, CEO of Coalfire. "And the [PCI] fines are the smallest part of it. It’s all the charge-backs, the reissuing of cards that af­fects retailers."

The costs — both immediate and long-term — can be staggering.

"Losing just 10,000 cardholder re­cords will cost a retailer nearly $925,000 between fines, penalties, in­creased [and] instant audit needs," Pin­nacle’s Mize explained. "[T]here just aren’t that many retailers that can af­ford this...not to mention a complete de­struction of reputation."

The bottom line for operations can be catastrophic and swift.

"Most of the merchants that we sup­port suffer such a severe financial im­pact after a breach that 50 percent do not exist one year later," Dakin said.

Ongoing Pursuit
Perhaps the biggest frustration with data security lies in its open-ended pur­suit. Unlike interchange fees, which could be addressed with legislation, data security is and will always be an ongoing battle, an interminable cat-and-mouse chase that will forever re­sist closure.

"Cyber-security is here to stay. It’s not so much PCI or government regula­tions; there’s a mega-trend occurring, that we’re much, much more reliant on our data systems," Dakin explained.

"Smaller merchants — they’re just doing so many things every day, it’s much more troubling. That’s why they join NACS, they don’t have time to have these specialized IT departments... somebody must be thinking in broad terms. And NACS is."

It’s a committed effort, and one that continues to pay dividends for members.

"NACS [is leveraging] the combined buying power of many small operators to lower service costs and create easy-to-follow programs that facilitate compliance — just like it did with Card Processing Program," Taylor said. "Additionally, [the association contin­ues] to educate the industry on how to become compliant as well as advocate within the PCI organization, card brands and regulators for a rational ap­proach to achieving data security with­in our complex retail segment."

However, despite all of the efforts of NACS, data security still ultimately rests with its members.

"NACS and PCATS can’t get retail­ers compliant, that’s up to them," Tay­lor said. "We can only facilitate the process."

Jerry Soverinsky is a freelance writer living in Chicago. He’s also a NACS Magazine and NACS Daily contributing writer.


Remember Heartland?
In January 2009, Heartland Payment Systems, a credit card proces­sor, announced that "malicious software" had breached its pro­cessing system in 2008. Reports called the breach the largest card data theft ever and estimated that up to 100 million cards had been compromised.

However, as a credit card processor, Heartland was subject to some of the most stringent data security standards, and during its most recent audit prior to the reported breach and as reported by Visa, it had successfully passed its assessment.