PCI Compliance: NACStech's Hot Topic
By Tammy Mastroberte
The second day of NACStech saw retailers flocking to educational sessions on a variety of topics including loyalty programs, alternative payment methods and more. There were tracks dedicated to PCATS and its progress in the convenience store industry regarding standards, as well as the hot topic of the show -- PCI Compliance.
In a session called "Achieving Certified PCI Compliance?" a standing-room-only crowd huddled together to listen as retailers and industry experts gave advice on how to go about achieving compliance and the dangers of non-compliance.
Barrie VanBrackle, a corporate and finance lawyer and partner at Manatt, Phelps and Phillips LLC, who deals with merchant payment agreements daily, explained that if a retailer is caught in non-compliance, Visa and MasterCard will not only issue fines and penalties, but the merchant agreement will be terminated and the retailer will be put on a MATCH list showing non-compliance termination, and it is "very difficult to get a merchant agreement after being on this list," she said.
VanBrackle explained that some retailers may not even realize they are capturing and storing data that puts them at risk. She cited an example in the restaurant industry of one chain that wanted to capture birthday information for marketing purposes and didn't realize in doing so they were also storing credit card data. After a data breach, they had to file bankruptcy because of the fines, she said.
The place to start for many retailers is getting the support of management, and explaining to them the importance of compliance. "You need to get your executive team to understand the importance of PCI," Lynn Call, president and CIO at Maverik Inc., explained to attendees, noting it took time at his company to explain what they were facing if they were not compliant. "It really is security 101, and we all should be doing it. If we have a breach, it will cost more than the fines from Visa."
The keys to achieving compliance are knowledge, communication, prioritization and realizing it's an ongoing process, George Medairy, director of corporate IT at Sheetz Inc., told attendees.
Retailers need to know their systems and put the boundaries around them, Medairy said. They need to follow the data to see where it goes in the systems and follow the regulations set by Visa and MasterCard. It's also important to find the right auditor.
"The biggest thing for us was choosing an auditor because there are so many people in the space now," Medairy noted. "We wanted someone who had experience with convenience stores. It was also important for us to find someone we could challenge and that would challenge us back, and who would go to Visa and fight for us."
He also told retailers to purge any data not needed and encrypt the rest. "When in doubt encrypt it all," he said. "If it's encrypted you are not at risk. If you don't need it, don't store it, and if you store it, encrypt it."
This is also the approach Maverik took when tackling PCI compliance. Call described his company's process, which started by "narrowing the scope" and purging all prohibited credit card data from the network.
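As an added illustration of "follow the data" and "if you don't need it, don't store it" (example code written for this page, not from Sheetz, Maverik or any vendor named here): a small Python scanner that finds card numbers hiding in records nobody thinks of as payment data, such as the marketing database in VanBrackle's birthday example, and truncates them. The record layout, field names and sample values are constructed assumptions.

```python
import re

# Constructed sample export from a hypothetical "birthday club" marketing database
# (the card number is the well-known 4111... test value, not a real account).
SAMPLE_RECORDS = [
    {"id": 1, "name": "A. Smith", "birthday": "1975-04-12", "notes": "prefers email"},
    {"id": 2, "name": "B. Jones", "birthday": "1982-11-03", "notes": "paid with 4111 1111 1111 1111, exp 12/29"},
    {"id": 3, "name": "C. Lee", "birthday": "1990-01-30", "notes": "order #5500000000000005"},
]

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most digit runs that are not card numbers (order ids, phones)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _digits(match) -> str:
    return re.sub(r"[ -]", "", match.group(0))

def find_pans(text: str) -> list:
    """Digit-only PANs in free text: regex candidates that also pass Luhn."""
    return [_digits(m) for m in PAN_CANDIDATE.finditer(text) if luhn_ok(_digits(m))]

def scan_records(records: list) -> dict:
    """Map record id -> PANs found in any string field; an empty dict means no card data found."""
    hits = {}
    for rec in records:
        pans = [p for v in rec.values() if isinstance(v, str) for p in find_pans(v)]
        if pans:
            hits[rec["id"]] = pans
    return hits

def redact(text: str) -> str:
    """Replace each Luhn-valid PAN with a truncated first-six/last-four form."""
    def repl(m):
        d = _digits(m)
        return m.group(0) if not luhn_ok(d) else d[:6] + "*" * (len(d) - 10) + d[-4:]
    return PAN_CANDIDATE.sub(repl, text)

def purge_records(records: list) -> list:
    """Copies of the records with every string field redacted, so the marketing data stays usable."""
    return [{k: redact(v) if isinstance(v, str) else v for k, v in rec.items()} for rec in records]
```

Running scan_records over an export before and after purge_records gives a quick "where does card data live" inventory of the kind Medairy describes; the Luhn filter keeps order numbers and phone numbers out of the hit list.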
Furthermore, retailers need to understand that PCI compliance is "not a part-time job," Medairy warned. Sheetz has three people dedicated to PCI compliance on its IT team, and "it's still not enough," he said. "We still need to augment it with consultants."
Maverik also went through an extensive analysis to find its weaknesses and identify areas where the company would need help. Call recommended retailers assign a project manager and assemble a team to work on PCI compliance, including representatives from all areas of the company. He also urged retailers to create partnerships with their audit firm and schedule weekly meetings with them.
Additionally, once a retailer reaches compliance, the process is not over. It is ongoing and something that needs to be a priority, said Medairy.
"You cannot afford to fall out of compliance after spending time and money to get there," he said.