Background on PCI & Credit Card Security
Restaurant owners and their customers have enjoyed the convenience of credit and debit cards for many years. However, given the sky-high cost and frequency of credit card fraud, the well-established card brands (Visa, MasterCard, American Express, Discover and JCB) have taken steps to safeguard all stakeholders.
IBM invented the magnetic stripe on credit cards in 1968, and it became the industry standard. Because the track data on the mag stripe is easy to read and duplicate, the card brands, through the Payment Card Industry (PCI) Security Standards Council, built a set of standards for securing cardholder data that begins with the directive: ‘Don’t store track data.’
PCI Standards
The PCI Security Standards Council took a three-pronged approach to protecting consumers, banks and merchants/restaurateurs:
- Payment Card Industry Data Security Standard (PCI DSS) – applies to all entities that store, process, or transmit cardholder data (merchants, restaurateurs, service providers, processors, etc.)
Compliance Deadline: January 2007 (this deadline is long past)
What this Means – All restaurateurs, regardless of size, must complete and submit a PCI Self-Assessment Questionnaire each year to their Acquiring Bank.
- Payment Application Data Security Standard (PA-DSS) – applies to all applications used to store, process, or transmit cardholder data as part of authorization or settlement (Point of Sale (POS) application developers)
Deadlines for Compliance:
Oct. 1, 2008 – Payment processors, agents and merchants must use software that is compliant with the new payment application security standards.
Oct. 1, 2009 – All merchants must begin terminating the use of any non-compliant payment applications still in their environments.
July 1, 2010 – Mandatory use of only those payment applications that comply with the new standards.
What this Means – If, after the deadline, a merchant/restaurateur is not running a PA-DSS-validated application, they automatically fail their PCI assessment and may lose their ability to accept credit cards.
- PIN Entry Device (PED) Standard – covers all PEDs and is aimed at ensuring that the cardholder’s PIN, and any other sensitive information, is protected consistently at the PIN acceptance device, such as the PIN pads resident in your restaurant.
Deadlines for Compliance:
Jan. 1, 2004 – Newly purchased Point of Sale (POS) PIN Entry Devices must have passed testing by a Visa-recognized laboratory and be approved by Visa.
July 1, 2010 – All deployed Point of Sale (POS) PEDs must have passed testing by a PCI-recognized laboratory and been approved by the PCI SSC.
What this Means – All merchants/restaurant owners get 2 years to replace their older and/or unapproved PEDs.
Payment Card Industry (PCI) Do’s
- Do run routine vulnerability scans of your systems.
- Do give security awareness training to all of your staff.
- Do audit system access.
- Do monitor system activity logs.
- Do remove the access privileges of separated employees.
- Do install software patches.
- Do take threats seriously: have an incident response plan.
PCI Don’ts
- Don’t store or archive whole credit card numbers.
- Don’t transmit credit card data unencrypted.
- Don’t treat PCI as simply proving you are compliant with the standards – it’s about keeping you and your customers protected.
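The first two Don’ts above are the ones a POS integrator can check mechanically. The example below is added here and is not code from the article or from POS-For-Restaurants.com; it shows what “don’t store whole card numbers” looks like in practice: a masking routine that keeps only the first six and last four digits (the most PCI DSS allows to be displayed), a Luhn check, and a scanner that finds full card numbers that have leaked into receipts or application logs. The log lines, the card numbers (well-known test PANs) and the function names are all constructed for this example.

```python
import re

# Constructed sample log: two full PANs leaked into application logs, plus
# an order id and a phone number that must NOT be flagged as card numbers.
SAMPLE_LOG = """\
2010-07-01 18:02:11 sale terminal=3 order=12345678901234 total=42.10
2010-07-01 18:02:12 auth pan=4111 1111 1111 1111 result=approved
2010-07-01 18:05:40 callback phone=555-123-4567 guest=Smith
2010-07-01 18:07:03 auth pan=5555-5555-5555-4444 result=approved
"""

# Candidate: 13 to 19 digits, optionally separated by spaces or dashes,
# not immediately preceded or followed by another digit.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six + last four digits, the most PCI DSS permits
    to be shown; everything in between is replaced with '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a card number length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _is_pan(candidate: str) -> bool:
    digits = re.sub(r"\D", "", candidate)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def find_pans(text: str) -> list:
    """Return the full (digits-only) card numbers found in text, in order.
    Length filtering plus the Luhn check keeps order ids and phone numbers out."""
    return [re.sub(r"\D", "", m.group())
            for m in PAN_RE.finditer(text) if _is_pan(m.group())]


def scrub(text: str) -> str:
    """Replace every full card number in text with its masked form, leaving
    all other digit runs untouched."""
    def repl(m):
        return mask_pan(m.group()) if _is_pan(m.group()) else m.group()
    return PAN_RE.sub(repl, text)


if __name__ == "__main__":
    print("leaked PANs:", find_pans(SAMPLE_LOG))
    print(scrub(SAMPLE_LOG))
```

Run the scanner over receipt archives and POS log directories as part of the routine checks; any hit is a full card number being stored in violation of the first Don’t, and the scrub output shows the only form in which a card reference should survive.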
What Restaurateurs Get From PCI
Given consumers’ expectation that credit and debit cards are accepted everywhere, a restaurateur’s validation that they are protecting their customers’ personal information is good for business:
Reputation / Image
In a competitive business, no restaurant owner wants to be labeled as the eatery where customers’ card data was stolen.
Protects Ability to Accept Credit / Debit Card Payments – neglecting the rules and/or suffering a breach can jeopardize a restaurant owner’s ability to accept credit/debit payments. In many cases, credit/debit payments account for 80% to 90% of transactions. Losing your store’s ability to accept credit cards can cost you customers.
The Effects of State Privacy Laws
A breach that discloses individuals’ credit card data in any of the 40+ States with privacy laws can have a double impact on a restaurateur. Being off-side with the Payment Card Industry may result in penalties and litigation costs. Being off-side with State Privacy Laws is a crime with potentially more serious penalties.
Compliance / Security Strategy
- Be sure you are using a PA-DSS or PABP validated POS system
- Ensure that you use approved PEDs
- Hold regular security awareness training for your staff – particularly supervisors
- Do background checks on anyone with administrative access to your system
- Have your staff sign a ‘Confidentiality Agreement’
- Carefully and accurately complete the PCI Self-Assessment Questionnaire (SAQ) – if you are not sure, ask
- If you find gaps in your PCI compliance, develop a realistic plan to close them
- Mature your processes so that compliance is sustained, not a one-off
- Enforce access controls
- Always use two-factor authentication for system and device management
- Use strong passwords and store them securely
- Monitor to detect attacks and record evidence
- Control your wireless access points
- Always maintain a secure configuration
- Segment your networks
- Have an Incident Response Plan and test it to make sure it’s always ready when needed
- Test and audit the cardholder environment as if your business depended on it
It may be a daunting task on the first run, but once everything is in place, ongoing PCI compliance is not expensive. Besides, protecting the sensitive information that your customers entrust to you is simply good business practice.
Any Questions?
For more information and advice on this topic you can quickly contact a Restaurant POS professional serving your area at www.POS-For-Restaurants.com
The author of this article is the Vice President of Customer Relations at POS-For-Restaurants.com, with over 20 years of experience in the restaurant point of sale industry.