A baker puts two muffins in an oven. The first muffin turns to the other and says,
“Boy it’s hot in here.” The second muffin screams, “Yikes, a talking muffin.”
Hopefully convenience store chains are not nearly this surprised when it comes to this month’s PCI deadlines. However, at the NACStech conference in April, several retailers and technology suppliers told me privately that as much as 50% of the industry might not be PCI compliant. That is a staggering number given the amount of attention this issue has received over the past three or so years.
Confusion still reigns supreme when it comes to PCI, which is somewhat expected because compliance is a complicated topic. But the bottom line is whether you operate one store or 100, if a PCI-related breach occurs, and the theft originated from one of your systems, it’s you who will pay the fines and ongoing penalties, said Drew Mize, Vice President of Product Management and Marketing at The Pinnacle Corp.
Plus, at some point your processor could take you off the network completely if you aren’t processing cards on a secure network that meets compliance standards. It is up to each retailer to do research and understand PCI and surrounding requirements.
Dispelling the Myths
Among the common PCI myths with c-store retailers is that a chain’s technology provider will take the necessary steps to make its stores compliant. “Nothing could be further from the truth. Your technology provider is a good source for information, but should not be thought of as the magic cure. Any technology provider that has gone through a formal PCI audit for the technology it is selling should have at least one certified PCI auditor it can recommend to you. If it can’t do this, start asking the hard questions. You pay the fines and penalties if a breach occurs, not your technology provider,” Mize said.
The point-of-sale solution is a central component to payment transactions, but a whole slew of other devices must be considered. “Dispenser card readers, ATMs, PIN pads, routers, firewalls, wireless networks and the USB port on your back-office PC are among some of the devices required to pass a compliance audit. And don’t forget about the home office: databases, LANs, WANs and even the box of credit card numbers that accounting has on their desk for local accounts,” Mize said. All are subject to compliance standards.
Even though the June 30 deadline is just days away, Visa and MasterCard indicated they would hold off on fines until 2012. But if you are breached during this grace period, you will still be subject to fines and damages, not to mention the negative publicity. While the cost of compliance is difficult for some chains to absorb in these difficult economic times, Mize warned that the cost of noncompliance is far more severe. A single breach could quickly bankrupt a chain.
Imagine a credit card database is hacked at a 50-store chain and 500 card numbers are stolen (an extremely conservative estimate), and each one rings up $1,000 in fraudulent charges. The damages alone will be $500,000. In the event of a serious security breach, fines of up to $500,000 can be levied for each instance of noncompliance. At 500 instances, that puts the fine alone at $250 million. Though it seems unfathomable that Visa or MasterCard would try to get that much from a 50-store chain, do you really want to find out? Now do the math if you have 100 stores or 500 stores.
Greg Ehrlich, chief operating officer at Certified Oil in Columbus, Ohio, has been working to make his 81 company-owned stores—in addition to assisting the brand’s 70 or so dealer sites—compliant for the past two years. He believes that after all the effort put forth by the credit card companies to combat card fraud, they are going to be looking to make an example of someone. “It will not be Certified Oil,” he confided confidently.
Make sure it isn’t you.