Twitter Me This: Whither PCI?

7/5/2010

NACS/CSNews CIO Roundtable participants discuss credit card security compliance, online social networks, self-checkout, loyalty programs, mobile marketing and other technology issues

Complying with Payment Card Industry (PCI) standards and figuring out how to make the best use of online social networks were two hot button topics at this year's NACS/Convenience Store News CIO Roundtable.

While most of the retailer attendees noted their companies were up-to-date with all PCI compliance issues, they also agreed with one participant, Jenny Bullard, CIO at 170-plus-store Flash Foods, who noted "PCI is never complete. It's a journey." The Georgia-based company is in its third year as a Level 1 Merchant. "It doesn't get any easier," she added.

"PCI is a big challenge," agreed Charles Jarrett, director of retail IT for Murphy Oil Corp., a big target because of its high profile in the parking lots of Walmart stores.

Michael Davis, vice president of member services for NACS, added that becoming PCI compliant, and doing so at a reasonable cost, is one of the biggest concerns of NACS members.

"Although the number of merchants moving toward compliance is growing rapidly, a large percentage of the industry is not yet PCI compliant," agreed James Kelly, project manager for security and compliance at Gilbarco Veeder-Root.

"The challenge for retailers and manufacturers is that the mandates for compliance continue to evolve as the threats evolve," said Mark Williams, marketing manager of payment security for Gilbarco Veeder-Root. "It is important that retailers regularly review their PCI compliance status with their acquirers and use resources such as NACS to stay up to date on requirements."

But what's the most cost-effective way to become PCI compliant?

"It's a continuing effort at Quick Chek to look for ways to reduce PCI scope and risk," according to Maria Fidelibus, vice president of IT for the New Jersey-based convenience store chain.

CHS Corp./Cenex had a Level 1 audit coming up three weeks after the roundtable, according to Roger Tripp, product and development manager. Adding to the complexity of compliance, the Cenex network of corporate and independent stores supports six different point-of-sale (POS) terminals, said Tripp. Another issue affecting CHS is compliance with the new Credit Card Act governing gift cards: his company operates stores in 28 states, and they all have different rules pertaining to expiration dates, dormancy fees and dealing with unclaimed balances.

Only a handful of the retailers at the roundtable are looking at tokenization as a way to enhance data security and limit the scope of PCI compliance at their companies. Tokenization is a technology that intercepts card information at the POS terminal and replaces cardholder data with randomly generated proxy numbers, or tokens, making it nearly impossible for a hacker to reassemble it through decryption or reverse engineering.

The real data then resides at a third-party data facility, where it is scattered across multiple locations. In theory, tokenization protects cardholder data from hackers and its implementation could simplify requirements of the PCI DSS since the systems that no longer store the sensitive data are removed from the scope of the PCI audit. However, tokenization is only a piece of the PCI solution, noted Davis.

"Tokenization only addresses a small portion of the data security problem. NACS and PCATS have a Data Security Committee that is looking at developing a complete solution, such as end-to-end encryption," he said.

Hand-in-hand with PCI compliance, retailers are also spending technology dollars in an attempt to reduce the huge swipe fees they pay to credit card companies and banks. Interchange fees are the third largest store-level operating expense for retailers, following labor and rent.

Flash Foods has seen some success controlling skyrocketing credit card transaction fees since the launch of its Go Blue ACH-based payment card, which has also enhanced its five-year-old Rewards in a Flash loyalty program and enabled the retailer to compete better against coalition programs, according to Bullard. Coalition programs are gasoline discount programs in which a supermarket partners with a fuel retailer. The Go Blue program continues to be a success for Flash Foods. The retailer recently increased the gasoline discount on the card from 3 cents to 5 cents a gallon and "we've had a 100-percent increase in sign-ups in the last two weeks," said Bullard. This summer, the company plans to add a lot of new giveaways to its loyalty program. "Marketing has to drive the loyalty program and we've been lucky that they do," she said. Flash is also participating in a coalition program at some of its Shell-branded stations.

Coalition programs are gaining a lot of attention among c-store retailers. Tom Colbert, director of IT at Kwik Trip, said the Wisconsin-based c-store chain is working toward a coalition program. Currently, Kwik Trip has its own credit card, which offers holders 3 cents back on a gallon of gas purchased, as well as 10 percent back on inside sales in the form of redemption certificates that are issued every quarter and can be used only in Kwik Trip stores. "You have to do a combination of things," noted Colbert.

Tripp said CHS/Cenex has about six stores involved in coalition programs with supermarkets, but "the lift has not been as dynamic on the grocery side."

Among emerging technologies, several retailers said they were intensely interested in the possibilities of self-checkout. In a test in four stores since last August, Quick Chek has seen customer throughput increase 60 percent in peak periods due to self-checkout, said Fidelibus. Quick Chek's pioneering use of self-checkout technology supplied by NCR was recognized during NACStech's opening session as Fidelibus accepted the 2010 CSNews Technology Award for best retail tech implementation of the year.

TWITTERING AWAY

Most of the retailers are also participating in conversations about their brands and stores via online social networking sites including Facebook and Twitter. Many have people dedicated to monitoring the social networks; some are actively marketing to online "followers," while others are more concerned with using the sites to get customer feedback.

Fidelibus of Quick Chek gave credit to her company's marketing department for spearheading the use of social networking. Quick Chek uses these sites to listen to customer comments, grow its brand and engage customers with weekly coupons as a thank you, according to Fidelibus. The New Jersey-based chain is experiencing strong redemption rates using Facebook. "It's an especially good way to get trial on new products," said Fidelibus.

"It's challenging to direct people to our social networking sites," said Rich Schappert, senior director of IT for Casey's General Stores. The Iowa-based chain has both Facebook and Twitter accounts and a dedicated person to monitor and communicate with users on those sites.

At least one manufacturer is looking beyond the current state of social media and projecting its next evolution. "Social networking and mobile device support are a primary focus for our existing and new solutions," said Drew Mize, vice president, product management and marketing for Pinnacle. "These trends are not going away. Tying our consumer facing solutions to mobile devices will enable our retail clients to drive more consumers into their stores." Colbert of Kwik Trip noted the Wisconsin chain is already testing multiple marketing mobile applications and is looking at mobile payment solutions.

"Everything the kids do is via the phone now," said Colbert.

GOING MOBILE

Bullard said Flash Foods planned to launch a mobile version of its Web site and was already active on both Facebook and Twitter. Bob Sleeper, director of technology for CHR Corp./Rutter's, said the mid-Atlantic retailer just rolled out its first mobile iPhone application — a free download that allows Rutter's to provide electronic couponing, information on gas prices and to receive customer comments.

If mobile technology is the future of marketing, it's also the future for payment systems, executives said at the roundtable.

"Before PCI, mobile payment was steamrolling, but then everything wireless stopped," pointed out Gilbarco's Kelly. "Now, mobile is back."
