CHICAGO -- Mandates to comply with upcoming deadlines for Payment Card Industry (PCI) data security standards had several single-store and multi-site operators raising concerns at a workshop session this weekend at the NACS convention and trade show.
"I've got a single store, DSL [digital subscriber line]…and I get a notice that in 60 days, [my point-of-sale] will no longer be supported," said Robert Lamb, vice president, Pinedale Food Mart, New Bern, N.C. "I feel like hanging a sign on the door saying 'Please put your credit card in the trash before you enter.'"
Lamb [image-nocss] was one of about 80 conference attendees at a conference workshop on PCI compliance. Panelists said he was not alone in voicing concern and frustration, especially for the one-to-10 store operator that may not have the resources to carry out mandates put forth by San Francisco-based credit card giant Visa.
Panelist Karl Goodhouse, president of Clark Brands LLC, Naperville, Ill., said that since the major breach of information that occurred with retailer T.J. Maxx, Framingham, Mass., a over a year ago, scrutiny has moved to other retail industries and down to even the single-store level. "Before the focus was on the [larger chains] like the Wal-Marts of the world," he said. "But it came at us like a freight train and the speed caught us all off guard."
The compliance deadlines have been coming up steadily for the past year and a half, with many of the larger chains already having to meet certain standards. Retailers with fewer transactions are seeing their deadlines coming up next year and in 2010.
Unfortunately, while requirements are less stringent on smaller operators, that same small business could go from a lower-level classification to the highest "Level 1" scrutiny if a breach occurs. In addition to becoming subject to more stringent requirements, Chris Wolff, vice president of alternative product sales for Cybera Inc., Nashville, Tenn., said subsequent fines could range into the $100,000-$200,000 range—numbers that could put an operator out of business.
Data thieves can strike in ways both benign and inventive. Panelists spoke of tactics ranging from restaurant employees who have put "skimming" devices on credit-card swipes to thieves planting devices on satellite dishes to capture customer information.
Andrew Robinson, global product manager for Gilbarco Veeder-Root, Greensboro, N.C., said in the case of satellites, oftentimes the clue is detecting downtime. "If a door is left open in your store, you close the door, but you also ask the question of why the door was opened, who opened it and how you can keep it from happening again," he said. "Similarly with downtime, you then have to ask [data] security questions like, 'Did come into my [computer system]?'"
Other panelists clarified that data breaches can happen when a system is up and running, but Robinson added that downtime can be a red flag.
Addressing the frustrations of c-store owners currently using legacy POS devices that will soon become non-compliant with PCI, Lisa Stewart, president of Impact 21 Group LLC, Lexington, Ky., said, that industry representation within the PCI rule-making process is actively addressing operator concerns, but ultimately, "PCI security is an ever-evolving process and as hackers get more sophisticated, [so must] the devices."
Members help make our journalism possible. Become a CSP member today and unlock exclusive benefits, including unlimited access to all of our content. Sign up here.