
PCI and Credit Card Security Background

Restaurants and their customers have enjoyed the convenience of credit and debit cards for many years. However, given the high cost and frequency of card fraud, the major card brands (Visa, MasterCard, American Express, Discover and JCB) have taken steps to safeguard all stakeholders.

IBM invented the magnetic stripe on credit cards in 1968, and it became the industry standard. Because the track data on the mag stripe can easily be read and duplicated, the card brands, through the set of standards built by the Payment Card Industry (PCI) Security Standards Council, made their first directive clear: ‘Don’t store track data.’

The Standards of PCI

The PCI Security Standards Council has taken a three-pronged approach to protecting consumers, banks and merchants/restaurateurs:

  • Payment Card Industry Data Security Standard (PCI DSS) – applies to all entities that store, process, or transmit cardholder data (merchants, restaurateurs, service providers, processors, etc.)

Compliance Deadline: January 2007 (the deadline is long past)

What it Means – Restaurateurs, regardless of size, must complete and submit a PCI Self-Assessment Questionnaire to their acquiring bank every year.

  • PA-DSS (Payment Application Data Security Standard) – applies to all applications that store, process, or transmit cardholder data as part of authorization or settlement (point-of-sale (POS) application developers)

Deadlines for Compliance:

Oct. 1, 2008 – Only software compliant with the new payment application security standards may be newly deployed by agents, merchants and payment processors.

Oct. 1, 2009 – All merchants must begin phasing out any non-compliant payment applications still in their environments.

July 1, 2010 – Only payment applications that comply with the new standards may be used.

What it Means – If, after the deadline, a merchant/restaurateur is not running a PA-DSS-validated application, they will automatically fail their PCI assessment and could lose their ability to accept credit cards.

  • PIN Entry Device (PED) Standard – covers all PEDs and aims to ensure that the cardholder’s personal identification number (PIN), and any other sensitive information, is protected consistently at the PIN acceptance device, like your resident keys.

Deadline for Compliance:

Jan. 1, 2004 – All newly purchased point-of-sale (POS) PIN Entry Devices must pass testing by a Visa-recognized laboratory and be approved by Visa.

July 1, 2010 – Every POS PED must pass testing at one of the PCI SSC’s recognized laboratories and be approved by the PCI SSC.

What it Means – All merchants/restaurant owners have two years to replace older, unapproved PEDs.

Payment Card Industry (PCI) Do’s

  • Run routine vulnerability scans of your systems.
  • Conduct security awareness training for your employees.
  • Audit system access.
  • Monitor your system activity logs.
  • Remove the access privileges of separated employees.
  • Install software patches for your systems.
  • Take every threat seriously – have an incident response plan in place.

The Don’ts of Payment Card Industry (PCI)

  • Do not store or archive whole credit card numbers.
  • Do not transmit credit card data unencrypted.
  • PCI is not about compliance for its own sake – it’s about protecting your business and your customers.
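The first two Don’ts, together with the earlier advice to monitor your activity logs, can be checked mechanically. The following Python example is added here for illustration; it is not code from the article or from POS-For-Restaurants.com. It assumes a constructed log format and two widely used rules: a card number is 13 to 19 digits that pass the Luhn check, and PCI DSS permits at most the first six and last four digits to be displayed. The script finds full card numbers that slipped into a log and shows the masked form that should have been stored instead; the sample log lines and test card numbers are constructed.

```python
import re

# Constructed sample log lines (not from the article). The 16-digit values are
# well-known test numbers, not real cards; line 3 carries an order reference that
# happens to be 16 digits long and must NOT be flagged.
SAMPLE_LOG = [
    "2024-05-01 12:01:03 terminal=3 auth=ok pan=4111111111111111 amount=42.10",
    "2024-05-01 12:02:17 terminal=1 auth=ok pan=411111******1111 amount=18.00",
    "2024-05-01 12:03:44 order=5521 table=7 ref=1234567890123456",
]

# Candidate PANs are 13 to 19 contiguous digits (the length range of card numbers).
PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (the maximum PCI DSS
    allows to be displayed); everything in between becomes '*'."""
    if len(pan) < 13:
        raise ValueError("too short to be a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_unmasked_pans(line: str) -> list[str]:
    """All digit runs in a log line that look like a full PAN (length + Luhn)."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(line) if luhn_ok(m.group(0))]


def redact_line(line: str) -> str:
    """Replace every full PAN in the line with its masked form; other digit runs
    (order references, timestamps) are left untouched."""
    return PAN_CANDIDATE.sub(
        lambda m: mask_pan(m.group(0)) if luhn_ok(m.group(0)) else m.group(0), line
    )


def scan_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (line_number, pans) for every line that still holds a full PAN."""
    findings = []
    for n, line in enumerate(lines, start=1):
        hits = find_unmasked_pans(line)
        if hits:
            findings.append((n, hits))
    return findings


if __name__ == "__main__":
    for n, pans in scan_log(SAMPLE_LOG):
        print(f"line {n}: {len(pans)} unmasked PAN(s) -> {redact_line(SAMPLE_LOG[n - 1])}")
```

The Luhn filter matters in practice: a plain “16 digits in a row” rule would flag order numbers, timestamps and phone numbers and bury the real findings. Running a scan like this over POS and web-server logs before they are archived is one cheap way to confirm that the “don’t store whole card numbers” rule is actually being followed.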

What Restaurateurs Get From PCI

Given consumers’ expectation that plastic is accepted everywhere, a restaurateur’s validation that they are protecting their customers’ personal information is good for business:

Business Reputation / Image

In a highly competitive business, a restaurateur does not want to be named in the media as the place where card data was stolen.

Protects Your Ability to Accept Credit / Debit Card Payments – failure to comply and/or a breach can put a merchant’s/restaurateur’s ability to accept credit/debit payments at risk. In many cases, credit/debit payments account for 80% to 90% of transactions. Losing your store’s ability to accept credit cards can cost you customers.

The Effects of State Privacy Laws

A breach that discloses personal credit card information in one of the 40+ states with privacy laws can hit the restaurateur twice. Being offside with the Payment Card Industry results in fines and lawsuit costs. Being offside with state privacy laws is a crime with potentially more serious penalties.

Compliance / Security Strategy

  • Ensure you are using a PA-DSS or PABP validated POS system
  • Make sure you are using an approved PED
  • Arrange regular security awareness training for your staff, especially your supervisors
  • Conduct a background check on all employees with administrative access to your system
  • Have a ‘Confidentiality Agreement’ contract with your staff
  • Carefully and accurately complete the PCI Self-Assessment Questionnaire (SAQ) – if you are not sure, ask
  • If you notice gaps in your PCI compliance, develop a realistic plan to correct them
  • Maintain mature controls to sustain compliance
  • Access controls
  • Dual-factor authentication for system and device management
  • Strong passwords and secure password storage
  • Regularly monitor system activity for possible attacks and record the evidence
  • Control wireless access points
  • Always maintain a secure configuration
  • Segment networks
  • Maintain an incident response plan and test it
  • Test and audit the cardholder environment carefully

It may be a daunting task the first time, but once everything is in place, ongoing PCI compliance is not expensive. It is good business practice to protect the sensitive information your customers entrust to you.

Questions?

You can visit www.POS-For-Restaurants.com anytime for more information or advice about this topic; a restaurant POS professional serving your area will address your concerns.

The author of this article writes for POS-For-Restaurants.com and is a VP of Customer Relations with over 20 years’ experience in the restaurant point-of-sale industry.
