NACStech Tackles Industry Challenges
By Tammy Mastroberte
Back in Grapevine, Texas, this year, the 2008 NACStech conference didn't hold back when it came to addressing the c-store industry's biggest issues -- gas prices, credit card fees, labor, theft and the ever-hovering deadline of PCI compliance.
During the opening general session, Jenny Bullard, conference chair and CIO of Flash Foods Inc., located in Waycoss, Ga., took attendees back in time to when NACStech started 13 years ago, and the average gas fill-up was $9.92.
"Customers could come into the store, pay with a $10 bill and actually get change," Bullard joked. "Now, they would get less than three gallons of gas with that $10 bill."
She noted that 13 years ago, the competition from other retail channels was not as prevalent and the industry did not face the same challenges it does today, particularly with credit card fees. However, thanks to technology and the industry's standards body, PCATS (The Petroleum and Convenience Alliance for Technology Standards), productivity and profits are being increased, she explained.
The first day of workshops jumped right into top-of-mind issues, with sessions on topics including mobile commerce, loyalty programs, incorporating technology into category management and utilizing store data to reduce theft.
During the session called "Reducing Store Theft Using POS Data," attendees learned how two retailers mine and utilize their point-of-sale (POS) data to alert management about potential theft issues. Donna Perkins, who is in charge of POS and pricebook at E-Z Stop Food Marts Inc., a 22-store chain in east Tennessee, uses 11 Gilbarco G-Sites and 11 Gilbarco Passport POS systems in conjunction with DVR cameras linked to the company's wide-area network (WAN).
"Our WAN is self-installed and self-managed, and our process for polling the POS for security is also self-written and self-managed," she said, explaining retailers do not need to invest in what can be expensive pre-packaged programs.
E-Z Stop's back office pulls no sales, voids, returns and more from the POS scan data and tracks them along with transactions under $10 and unknown UPC's, which are e-mailed to the pricebook daily and any suspicious activity is reported to the store supervisors, she said.
"We installed our first store at 7:15 a.m. and caught our first thief at 9:00 a.m. after seeing two voids for $19.99," Perkins noted. The company also posts pictures of any external thief to its Intranet so employees can see them.
A typical alert will show the scan code, price of the item, cashier and transaction number, date and time, all in real-time from the Passport system, said Perkins. The alerts come from the POS, and "we can go into the DVR, put in the transaction time and look to see what was going on," she said. "We can even search for all beer sales with our DVR."
Parker Cos. COO Amy Lane detailed a similar process using Dresser Wayne's InSite at her 26-store chain in southeast Georgia, citing the national average for shrink is 1.1 percent, but since implementing new procedures, her company shrink was just under a one-half percent the month prior.
"We track for employees violating our safe-drop policy, which is not having more than $200 in the drawer at any time," said Lane. "We had one cashier dropping $800, and we also track low or zero safe drops."
PCI Compliance
Whether attending a session, walking down the hall during a coffee break or visiting a vendor booth on the show floor, conversations on PCI compliance could be overheard.
In a session called "Achieving Certified PCI Compliance?" a standing-room-only crowd huddled together to listen as retailers and industry experts gave advice on how to achieve compliance as well as the dangers of non-compliance.
Barrie VanBrackle, a corporate and finance lawyer and partner at Manatt, Phelps and Phillips LLC, who deals with merchant payment agreements daily, noted if a non-compliant retailer is caught, Visa and MasterCard issue fines and penalties, and the merchant agreement will be terminated. Also, the retailer will be put on a MATCH list showing non-compliance termination -- and it is "very difficult to get a merchant agreement after being on this list," she said.
The place to start in achieving PCI compliance is getting the support of management, and explaining to them the importance of compliance.
"You need to get your executive team to understand the importance of PCI," Lynn Call, president and CIO at Maverik Inc., explained to attendees. "It really is security 101, and we all should be doing it. If we have a breach, it will cost more than the fines from Visa."
The keys to achieving compliance are knowledge, communication, prioritization and realizing it's an ongoing process, George Medairy, director of corporate Information Technology at Sheetz Inc., told attendees.
Retailers need to know their systems and put the boundaries around them, he said. They also need to follow the data to see where it goes in their systems and follow the regulations set by Visa and MasterCard. It's also important to find the right auditor, he added.
"The biggest thing for us was choosing an auditor because there are so many people in the space now," Medairy said. "We wanted someone who had experience with convenience stores, and who would go to Visa and fight for us."
He also told retailers to purge any data not needed and encrypt the rest. "When in doubt encrypt it all," he noted. "If it's encrypted you are not at risk. If you don't need it, don't store it, and if you store it, encrypt it."
Furthermore, retailers need to understand PCI compliance is "not a part-time job," Medairy warned. Sheetz has three people dedicated to PCI compliance on its IT team, and "it's still not enough," he said. "We still need to augment it with consultants. You cannot afford to fall out of compliance after spending time and money to get there."
Back in Grapevine, Texas, this year, the 2008 NACStech conference didn't hold back when it came to addressing the c-store industry's biggest issues -- gas prices, credit card fees, labor, theft and the ever-hovering deadline of PCI compliance.
During the opening general session, Jenny Bullard, conference chair and CIO of Flash Foods Inc., located in Waycoss, Ga., took attendees back in time to when NACStech started 13 years ago, and the average gas fill-up was $9.92.
"Customers could come into the store, pay with a $10 bill and actually get change," Bullard joked. "Now, they would get less than three gallons of gas with that $10 bill."
She noted that 13 years ago, the competition from other retail channels was not as prevalent and the industry did not face the same challenges it does today, particularly with credit card fees. However, thanks to technology and the industry's standards body, PCATS (The Petroleum and Convenience Alliance for Technology Standards), productivity and profits are being increased, she explained.
The first day of workshops jumped right into top-of-mind issues, with sessions on topics including mobile commerce, loyalty programs, incorporating technology into category management and utilizing store data to reduce theft.
During the session called "Reducing Store Theft Using POS Data," attendees learned how two retailers mine and utilize their point-of-sale (POS) data to alert management about potential theft issues. Donna Perkins, who is in charge of POS and pricebook at E-Z Stop Food Marts Inc., a 22-store chain in east Tennessee, uses 11 Gilbarco G-Sites and 11 Gilbarco Passport POS systems in conjunction with DVR cameras linked to the company's wide-area network (WAN).
"Our WAN is self-installed and self-managed, and our process for polling the POS for security is also self-written and self-managed," she said, explaining retailers do not need to invest in what can be expensive pre-packaged programs.
E-Z Stop's back office pulls no sales, voids, returns and more from the POS scan data and tracks them along with transactions under $10 and unknown UPC's, which are e-mailed to the pricebook daily and any suspicious activity is reported to the store supervisors, she said.
"We installed our first store at 7:15 a.m. and caught our first thief at 9:00 a.m. after seeing two voids for $19.99," Perkins noted. The company also posts pictures of any external thief to its Intranet so employees can see them.
A typical alert will show the scan code, price of the item, cashier and transaction number, date and time, all in real-time from the Passport system, said Perkins. The alerts come from the POS, and "we can go into the DVR, put in the transaction time and look to see what was going on," she said. "We can even search for all beer sales with our DVR."
Parker Cos. COO Amy Lane detailed a similar process using Dresser Wayne's InSite at her 26-store chain in southeast Georgia, citing the national average for shrink is 1.1 percent, but since implementing new procedures, her company shrink was just under a one-half percent the month prior.
"We track for employees violating our safe-drop policy, which is not having more than $200 in the drawer at any time," said Lane. "We had one cashier dropping $800, and we also track low or zero safe drops."
PCI Compliance
Whether attending a session, walking down the hall during a coffee break or visiting a vendor booth on the show floor, conversations on PCI compliance could be overheard.
In a session called "Achieving Certified PCI Compliance?" a standing-room-only crowd huddled together to listen as retailers and industry experts gave advice on how to achieve compliance as well as the dangers of non-compliance.
Barrie VanBrackle, a corporate and finance lawyer and partner at Manatt, Phelps and Phillips LLC, who deals with merchant payment agreements daily, noted if a non-compliant retailer is caught, Visa and MasterCard issue fines and penalties, and the merchant agreement will be terminated. Also, the retailer will be put on a MATCH list showing non-compliance termination -- and it is "very difficult to get a merchant agreement after being on this list," she said.
The place to start in achieving PCI compliance is getting the support of management, and explaining to them the importance of compliance.
"You need to get your executive team to understand the importance of PCI," Lynn Call, president and CIO at Maverik Inc., explained to attendees. "It really is security 101, and we all should be doing it. If we have a breach, it will cost more than the fines from Visa."
The keys to achieving compliance are knowledge, communication, prioritization and realizing it's an ongoing process, George Medairy, director of corporate Information Technology at Sheetz Inc., told attendees.
Retailers need to know their systems and put the boundaries around them, he said. They also need to follow the data to see where it goes in their systems and follow the regulations set by Visa and MasterCard. It's also important to find the right auditor, he added.
"The biggest thing for us was choosing an auditor because there are so many people in the space now," Medairy said. "We wanted someone who had experience with convenience stores, and who would go to Visa and fight for us."
He also told retailers to purge any data not needed and encrypt the rest. "When in doubt encrypt it all," he noted. "If it's encrypted you are not at risk. If you don't need it, don't store it, and if you store it, encrypt it."
Furthermore, retailers need to understand PCI compliance is "not a part-time job," Medairy warned. Sheetz has three people dedicated to PCI compliance on its IT team, and "it's still not enough," he said. "We still need to augment it with consultants. You cannot afford to fall out of compliance after spending time and money to get there."