Professional Carwashing & Detailing

Credit card compliance for carwashing

October 11, 2010

Are you ready for the Payment Card Industry (PCI) Data Security Standard? How about the Cardholder Information Security Program (CISP) or Site Data Protection (SDP)?

With more acronyms and more regulations, is it possible to keep it all straight? Visa and MasterCard think so, and they have added a few new words to our vocabulary and a few new concerns for carwash owners.

Determining your level
In order to protect the consumer against credit card fraud, Visa and MasterCard have implemented a mandatory PCI Data Security Standard affecting all merchant card transactions (see exhibit 1).

This standard has set forth new requirements based on the number of credit card transactions per year. There are four levels of the merchant CISP compliance validation.

For a more thorough understanding of the new standards, visit the Visa website: or see exhibit 2.

In all likelihood, level four merchants include the lion’s share of the carwash merchants.

According to Wayne Ignacio, vice president of Bank of America Merchant Services, level four is classified as follows: “fewer than 20,000 Visa and MasterCard e-commerce transactions per year and all other merchants processing up to 6 million Visa transactions per year — plus, an annual self-assessment questionnaire and annual network scan is recommended.”

To determine which level is right for your business visit:

Under these new regulations, level one through three has already gone into affect. The compliance date for level four has yet to be set by Visa (see Exhibit 2 “TBD”) and is now up to the processor’s discretion.

Voluntary compliance?
Even though compliance may be voluntary, fines and penalties will be assessed for any breaches or fraud committed with stored credit card information.

Ignacio stated, “There already have been imposed fines of more than $500,000 per event for non-compliance and data compromises.”

A compromise or breach in the merchant’s database automatically qualifies for level one status, according to the CISP compliance validation table.

Credit cards, fleet cards, and gift cards are some of the fastest growing segments of payment methods at carwashes.

Carwash manufacturers are integrating cashless payment methods into their products to speed up transactions and improve payment reconciliation.

From this point on, an operator storing credit card information at their site will fall under the CISP mandate.

Protecting the data
As of press time, there are two types of credit card data collection for the carwash location.

1. Terminal-based data: This data is collected at the carwash site, and the credit card transaction is sent to a processor (a company that you as a merchant have signed an agreement to handle each credit card transaction for a fee).

The transaction is approved and returned to a computer file database at the carwash location. At day’s end, the computer performs a settlement that is sent to the bank to receive payment.

Under the new regulations, a self-assessment questionnaire and network scan are recommended.

Visa, through CISP, wants to make sure that credit card information is secure. If there were any fraudulent credit card breach, the wash operator would be responsible for possible fines and must achieve level one compliance.

2. Host-based data: This data is similar to terminal-based with one major difference; once the transaction is made at the carwash location, it goes directly to a processor and then directly to the bank for settlement of the payment.

The beauty of this type of collection is the security issue of compromised data no longer exists at the carwash, but belongs to the processor. Thus, the need to follow the PCI standards now rests with the processor.

Are you at risk?
If you are operating under a terminal-based data collection system, there is the potential of a security breach. Any fraudulent credit card act automatically places a level four merchant to a level one status and, according to the PCI Data Security Standard, a completely new set of rules and regulations.

So, what steps must one take to ensure that the merchant database is secure?

First, check with your credit card processor to determine whether your credit card system is terminal-based or host-based.

  • If terminal-based, your processor should be able to advise you on how to keep your data secure at the carwash site.
  • If your processor handles host-based data, the risk for security breach fades away as compliance requirements follow whoever stores the credit card data.

Credit card questions
The choice of a credit card processor is very important. Seek a processor who offers a host-based credit card data system as well as offers a competitive rate for the credit card transactions.

The multiple questions surface again. How does one know if they have a competitive credit card rate? Can rates be equitably compared to other processors? Are rates negotiable with the processor?

The answers to these questions might be easier than one thinks. You will need a pencil and calculator to help answer all three questions.

1. Take the monthly credit card statement and identify total VISA/MC revenue from all cards.

2. Next, divide the total revenue into total VISA/MC fees. The percent equals the net effective rate.

Example: Monthly credit card total revenue is $25,000 and the bank fees are $1,000. The net effective rate equals 4 percent.

Your current credit card rate may be higher or lower than this, so it gives you the opportunity to compare the best rate with your current net effective rate.

Most credit card companies promote qualified transactions at a very attractive rate. Many credit cards do not fall under this rate.

Carwashes could see as many as seven different rates being applied to credit card transactions. The different rates can raise your net effective rate and cost thousands more in annual fees.

To negotiate the best credit card rate you may wish to seek out larger buying groups (or perhaps local carwash associations) that can buy down the rate through large aggregate credit card transactions.

You’re responsible
In summary, Visa and MasterCard, through the PCI data Security Standard, are securing consumers’ sensitive and confidential credit card information.

They already have the major corporations complying with these regulations and have the authority to levy fines towards merchants who are non-compliant.

Level four merchants must comply with Visa’s CISP and MasterCard’s SDP security standards, but the annual self-assessment questionnaire and network scan are only recommended at this time.

Although compliance at level four is recommended by Visa (or can be mandatory if requested by your processor), a wash operator is liable for any data that is compromised. It is now up to you to ensure compliance with the new credit card security standards.

Brad Metcalf is a representative of Innovative Control Systems, Inc., a maker of computer hardware and software products for the carwash industry. For more information contact Brad at