Now that retailers have reached PCI DSS 2.0 compliance, it’s important to continue monitoring people, processes and technology to protect against breaches.
By Erin Rigik, Associate Editor.
If your chain is among those who diligently worked to achieve PCI DSS 2.0 compliance by the Jan. 1, 2012 deadline, you probably think your stores are safe from breaches, but experts warn that true security requires consistent awareness, even between deadlines.
The Cost of Security
A PCATS survey shows the average c-store with POS equipment upgrade depreciation/amortization, is spending about $9,300 per year to be compliant. And yet despite these major upgrades security issues continue and processing fees remain high.
“Virtually every store in our market has had to shell out at least $3,000 just to upgrade POS equipment—some have had to totally replace their POS at $20,000 plus,” noted Gray Taylor, executive director of PCATS. “My estimate is closer to $1.3 billion to upgrade to PCI —and that does NOT include the cost of upgrading dispenser PIN pads to be compliant with Visa’s mandates.”
But card brands aren’t about to lower processing rates in return for compliance. “As monopolies, they are free to charge whatever they want for interchange, and similarly to spend any amount of merchant dollars to get compliance,” Taylor said.
The industry may not be seeing the cost reduction intended by Durbin, but NACS is appreciative that something was done.
“Our industry is getting significant relief. Even after the Fed did a complete turnaround on its own staff analysis in the final rule, we estimate, at present fuel prices, an industry cost reduction of just under $500 million for 2011. Some good evidence of this is that virtually every major oil brand has reduced their card costs to marketers to reflect this savings,” Taylor said. “The cost reduction goes away pretty quickly as fuel prices fall, however.”
NACS is working closely with the Fed to demonstrate the impact points of the final ruling, and has joined with merchants from other industries to institute legal action against the Fed for not following the letter and intent of the Amendment.
“Under the original Fed staff recommendation, we estimated the industry would have had an additional cost savings of around $1 billion. So our industry is very curious as to what happened between the Fed’s staff recommendation and the final rule,” Taylor said. “NACS and other retail associations are in this fight for the long haul and will continue to pressure regulators to reduce card payments price fixing.”
Meeting the Deadline
Meanwhile, retailers are working to stay compliant to keep big fines caused by breaches away.
C.N. Brown, which owns and operates 82 Big Apple Food Stores, in Maine, New Hampshire and Vermont, was ready for the Jan 1, compliance mandate. But, President Jinger Duryea, wondered how some of her competitors would fair against the deadline.
“I know the effort and energy it took to get all of our stores ready for this. And I just really wonder who else was able to get there on time.”
After spending the time and money to reach the deadline, Duryea also hopes the deadline won’t be moved, as has been known to happen in the past.
“There are a lot of people in our industry who do an awesome job in knowing what the laws are and complying with them. In doing so, these operators are not on equal footing with those that they compete with who have not spent the money or the time on PCI,” Duryea said. “It’s not fair for those who have to hold back on investing in other areas in order to meet PCI demands. In some cases these chains are sacrificing opening a new store and the revenue that would bring because they’re trying to get PCI compliant, and then have to compete on the street with other chains that are blatantly not preparing or getting ready for this PCI investment.”
In the states where Big Apple Food Stores operate, the larger c-store chains also tend to be the ones the enforcement agencies go after and not the smaller operators who are betting on the fact that agencies won’t be visiting them anytime soon. “Regulatory agencies need to strive to implement their regulations across the board,” Duryea noted.
But those who fail to implement the standards are more likely to experience a breach and if a breach occurs it wouldn’t just result in fines for a small chain, but it would likely put them out of business.
“The costs of recovering from a breach are infinitely more than any costs you’re paying to become compliant or to take credit cards,” noted Bob Russo, general manager, PCI Security Standards Council (SSC).
Vigilance is Key
But even with new standards in place, retailers still need to remain vigilant against a breach.
“Nothing is foolproof, but the best defense convenience stores, or any merchant for that matter, will have against a breach are these standards,” Russo said. “PCI is a very good baseline. But retailers have to remain attentive. PCI is something you have to maintain on a regular basis—you can’t do it once and forget about it.”
And that is where most retailers find themselves in hot water. One way to keep your chain in the clear is to remember that maintaining compliance year-round falls under three key areas: people, process and technology.
“If there was something out there you could just buy to make you bullet proof that would be wonderful, but unfortunately that does not exist, so until it does exist—and there is no doubt in my mind that at some point in the future we probably will reach that point—until then you really have to be vigilant and look at these standards as your best bet against having a breach and stay on top of what needs to be done,” Russo said.
Achieving PCI compliance, Russo explained, is a lot like putting the deadlock bolts on your doors, but security is making sure you lock them everyday before you leave the house.
Now that the PCI deadline has passed, PCI SSC has entered a formal feedback period and is encouraging its participants to fill out an online form to help improve the standards.
“If you’re not a part of the council, you can submit questions and suggestions and we compile this feedback over a six month period and look to see where we need to make updates, clarifications and additional guidance based on the feedback. We also have special interest groups that have been elected. So you can volunteer to be on one of those to help us make these standards better,” Russo said. “Our actual lifeline is the merchants who are the ones that see, on a regular basis, people trying to steal this data and can tell us the areas where we really need to concentrate.”