I ran into Steve Haralambiew from Data Park at the PAA in Australia. He was there supporting one of his various companies. I have known Steve for decades, but this was the first time we actually took the time to talk.
He was telling me about a concern he has for smaller “mom and pop” parking operators and their liability in dealing with PCI compliance.
For those of you who don’t track the latest impending disaster to overwhelm your industry, here’s the story. Visa and the rest of the credit card companies are concerned about security. So they have set up rules that a company that takes their cards must follow or be liable for losses, which could amount to millions. Fair enough – you follow a few rules, and you are not in trouble. NOT SO FAST.
Not only must the equipment you buy be certified as meeting PCI requirements (there are companies that do nothing but certify hardware and software), but your “systems,” your back office, and the way you handle the credit card information you collect must also meet their requirements. The equipment certification covers the device and its software; it says nothing about how your operation stores, transmits, or gives staff access to card data. So just because your equipment supplier is certified, that doesn’t mean that you are. See the problem?
Steve’s issue is that the “big boys,” as he puts it, the Standards, Centrals, Imparks and the like, can afford to have whole departments that do nothing but ensure that their locations meet PCI requirements. However, the little guys, the “mom and pop” operations, simply don’t have the resources to make these changes happen. He is concerned that these smaller companies may get “rolled over” by the credit card companies and be put at risk.
It’s something to think about. How do small companies allocate resources so they can protect themselves against huge entities like Visa?
Steve noted that the rumors in the marketplace are that the credit card companies may be offering bounties to people who find problems in parking (or other) operations. He says that he had heard that there are firms that make it a point to “research” operations and if they find issues, turn them in. Now that’s scary.
As an aside, consider this problem: A small operator notes that their revenue control equipment is not PCI compliant. They are told that upgrading would mean replacing the entire system. Now what? They go to their owner with the bad news, but the owner doesn’t want to hear it. This puts the operator in a very tenuous position.