NACS, PCATS Seek PCI Special Interest Group to Focus on Small Merchants
ALEXANDRIA, Va. -- NACS, the Association for Convenience & Fuel Retailing, and the Petroleum Convenience Alliance for Technology Standards (PCATS) are hoping to make it easier for smaller retailers to understand payment card industry (PCI) requirements.
The two trade organizations co-submitted a proposal to the PCI Security Standards Council to create a special interest group (SIG) that will focus on the inability of small merchants to realistically reduce card data risk and therefore comply with mandated specifications for card data security.
"Current PCI mandates are an impossible science project for our average retailer," said Michael Davis, vice president of member services at NACS. "Almost 5 million small and independent retailers out there have very little idea on what to do and even if they do, can’t implement the full scope of the mandates — this includes more than 90,000 convenience stores."
Davis said the Data Security Committee at PCATS has effectively tackled this issue with its risk mitigation guides and interaction with card brands, and created a program all retailers can embrace. "If we can get this SIG approved, we will finally have a structured forum for our members at PCI," he noted.
PCATS has already circulated its "We Care" program, which sets out eight steps to card data risk reduction, to several trade groups. However, PCATS and NACS, both based in Alexandria, believe more must be done to help small merchants.
"Through our work at the Data Security Committee, we quickly realized that our channel business structure mirrored many other channels, where brands and franchises are comprised mainly of entrepreneurs and small operators," said Phil Schwartz, chairman of the Data Security Committee and manager of information systems at Valero Payment Services Co. "These channel models make compliance virtually impossible to achieve, so we have focused on risk reduction as primary over compliance. Our approach with the 'We Care' program is that if you don’t get breached, compliance really isn’t an issue, but we need to get that recognized as sufficient by PCI."
The proposal was submitted on July 25 and must still be ratified by the PCI Security Standards Council.