"If we want to continue to take debit, we have to put in new PIN pads in addition to the point-of-sale system, and that's going to be very expensive, too," Friend, president [image-nocss] of 12-store Peters Fuel Corp., Oakland, Md., told CSP Daily News. "New PIN pads vs. new pumpswe're weighing that decision in our locations right now.... At some locations, we're rural and low volume, so [going cash-only] is a consideration.
"The truth of the matter is that bad people have brought this upon us, and it has created a lot of expense to the business world directly and to the consumer indirectly, and it's being paid with our money, time and tears."
Some industry experts put the investment in hardware needed for a retailer to become PCI-compliant at $10,000 to $20,000 per site, although downtime for software and equipment installations, training costs and other related expenses also must be factored in to reach a more accurate figure. Either way, the costs of becoming compliant are certainly substantial, but the costs to a noncompliant retailer whose transaction data gets compromised could be crippling in terms of fines and other financial pains, if not "a business killer," as one equipment supplier termed it.
Even so, whereas some retailers have chosen to spend the thousands or even millions of dollars to become compliant with the first phase of PCI mandates, others are struggling with the decision to change how they do business, simply ignore the deadline or, in some cases, shutter their stores.
"I wouldn't be surprised if a lot of smaller operators don't make the investment," said Lance Odermat, general counsel of Car Wash Enterprises Inc., Seattle. "Maybe they'll just turn over the keys to their station."
Car Wash Enterprises has 46 Brown Bear and Bubble Machine locations in the Pacific Northwest, including 20 gas stations, some standalone car washes and several combination sites. A more complex sitegasoline pumps, c-store, car wash, etc.means the greater potential for increased costs, according to company CFO Steve Palmer.
"I think for the most part it's a cost you have to eat, a cost of doing business," he said. "There may be certain changes where we're going to change what we're doing, but we're not going to roll the dice and say, 'We're not going to be compliant.' If we have to spend $100,000 in one instance but we can save that money by changing how we do things and still provide the same service and quality, we'll make that change."
This slow march toward enhanced data security began in 2004, when the credit-card companies launched an effort to rein in identity theft. The current mandate represents what is quite possibly the largest overhaul of industry equipment since the underground-storage-tank regulations of the early 1990s. This one, however, involves hundreds of thousands of moving pieces, from POS systems and PIN pads to every pay-at-the-pump fuel dispenser coast to coast. And, to retailers' great discontent, the July 1 date is merely the first salvo of what will likely be a long and costly campaign.
Morristown, Tenn.-based Rogers Petroleum, which operates 20 Zoomerz convenience stores, figures to spend more than a half-million dollars converting noncompliant G-SITE POS systems to new Gilbarco Passports. Although the POS systems are a virtual necessity to meet the mandate, the company is mulling whether or not to change out the gasoline-pump PIN pads and stop accepting debit as a viable customer payment option, according to Scott Matherly, the company's vice president of IT. He knows of many other equally frustrated retailers who are considering the same approach.
"Our margins keep shrinking on the gallons, and it seems like the credit-card companies are making more off gas than we are, but now we have to foot the bill for PCI," he said. "What happens next when we find out the hackers broke the [triple] encryption? That's the fault of the petroleum companies? I don't think so, and that's where it's hard to swallow. We're basically paying for someone else's R&D."
[For more on data security, watch for the May cover feature in CSP magazine. Angel Abcede, CSP's veteran technology reporter, has also opened a technology discussion group on MyCStoreWorld.com called C-TechGroup and will post messages from NACStech on Twitter under the screen name CSPAngelABC. All topics will be up for dialogue.]
Members help make our journalism possible. Become a CSP member today and unlock exclusive benefits, including unlimited access to all of our content. Sign up here.