PCI & Credit Card Security: Background
Restaurants and their customers have enjoyed the convenience of credit and debit cards for many years. However, given the sky-high cost and frequency of card fraud, the established card brands (Visa, MasterCard, American Express, Discover and JCB) have taken preventive measures to safeguard their stakeholders.
The magnetic stripe on credit cards was invented by IBM in 1968 and became the industry standard. Because the track data on the mag stripe can easily be read and duplicated, the card brands, through the Payment Card Industry Security Standards Council, have built a set of standards to secure cardholder data, beginning with the directive: ‘Don’t store track data.’
The Standards of the Payment Card Industry (PCI)
Here is the three-pronged approach the PCI Security Standards Council took to protect consumers, banks and merchants/restaurateurs:
- Payment Card Industry Data Security Standard (PCI DSS) – covers all entities that store, process, or transmit cardholder data (merchants, restaurateurs, service providers, processors, etc.)
Deadline for Compliance: January 2007 (the deadline is long past)
What this Means – All restaurateurs (regardless of size) are required to complete and submit a PCI Self-Assessment Questionnaire each year to their Acquiring Bank.
- Payment Application Data Security Standard (PA-DSS) – covers all applications used to store, process, or transmit cardholder data as part of authorization or settlement (Point-of-Sale (POS) application developers)
Deadlines for Compliance:
Oct. 1, 2008 – Agents, merchants and payment processors must use only software that is compliant with the new payment application security standards.
Oct. 1, 2009 – Merchants will be required to terminate any noncompliant payment applications still in use in their environments.
July 1, 2010 – Mandatory use of only those payment applications that support the new standards.
What this Means – If, after the deadline, a merchant/restaurateur is not running a PA-DSS-validated application, they will automatically fail their PCI assessment and could lose their ability to accept credit cards.
- PIN Entry Devices (PED) Standard – applies to all PEDs and aims to ensure that the cardholder’s PIN, and any sensitive information such as resident keys, are protected consistently at a PIN acceptance device.
Deadline for Compliance:
Jan. 1, 2004 – All newly purchased Point of Sale (POS) PIN Entry Devices must have passed testing by a Visa-recognized laboratory and been approved by Visa.
July 1, 2010 – Mandates that all deployed Point of Sale (POS) PEDs must have passed testing by a PCI-recognized laboratory and been approved by the PCI SSC.
What this Means – Merchants/restaurant owners have two years to replace older, unapproved PEDs.
Payment Card Industry (PCI) Do’s
- Do run routine vulnerability scans of your systems.
- Do provide security awareness training for your employees.
- Do audit system access.
- Do monitor your system activity logs.
- Do remove the access privileges of separated employees.
- Do install software patches.
- Do take any threat seriously – have an incident response plan in place.
PCI Don’ts
- Don’t store or archive whole credit card numbers.
- Don’t transmit credit card data unencrypted.
- Don’t treat PCI as being only about compliance with the standards – it’s all about protecting your business and your customers.
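The two “Don’ts” above, storing whole card numbers and letting them travel in the clear, most often happen by accident: a POS or web application writes the full primary account number (PAN) into a debug log, a receipt file or a database backup. The following Python is an added example, not code from this article or from any POS vendor, showing the defender’s side of that problem: a PAN-masking routine that keeps only the first six and last four digits (the traditional PCI DSS masking limit) and a scanner that finds Luhn-valid, unmasked PANs in text such as log files so they can be redacted before the file is archived. The log lines are constructed for this example, and `4111111111111111` is the well-known Visa test number, not a real card.

```python
import re

# Constructed sample log lines (not real data). Line 1 leaks a full PAN, line 2 is
# already masked, and line 3 contains a 13-digit order number that is not a card.
SAMPLE_LOG = """\
2024-05-01 12:01:03 POS01 sale approved amount=42.10 pan=4111111111111111 exp=12/26
2024-05-01 12:02:17 POS01 sale approved amount=18.50 pan=411111******1111
2024-05-01 12:03:44 POS02 order #1234567890123 closed table=7
"""

# A run of 13 to 19 digits, optionally separated by single spaces or hyphens,
# not glued to other digits. This is only a candidate filter; Luhn decides.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the PAN with only the first six and last four digits visible."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(text: str):
    """Return (line_number, masked_pan) for every Luhn-valid full PAN in text.

    Already-masked values do not match because the asterisks break the digit run,
    and digit strings that fail Luhn (order numbers, timestamps) are ignored.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form, leaving other digits alone."""
    def _sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    for lineno, masked in find_unmasked_pans(SAMPLE_LOG):
        print(f"line {lineno}: unmasked PAN found, should have been {masked}")
    print(redact(SAMPLE_LOG))
```

Running the scanner over exported logs, receipt directories and database dumps before they are backed up is a cheap way to catch the first “Don’t” in practice; the same candidate-plus-Luhn filter keeps false positives from order numbers and timestamps low enough that findings are worth reading.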
What Restaurateurs Get From PCI
Given consumers’ expectation that credit cards will be accepted everywhere, a restaurateur’s validation that they are protecting their customers’ personal information is good for business:
Your Business’ Reputation / Image
In a highly competitive business, a restaurant owner does not want to be named in the media as the place where card data was breached.
Protects Ability to Accept Credit / Debit Card Payments – non-compliance and/or a breach can endanger a merchant’s/restaurateur’s ability to accept credit/debit payments. In many cases, credit/debit payments account for 80% to 90% of transactions. Losing your restaurant’s ability to accept credit/debit cards can cause reduced customers = reduced sales.
Impact of State Privacy Laws
Failure to comply with the rules governing disclosure of individuals’ credit card data in any of the 40+ states with privacy laws may have a double impact on a restaurateur. Being off-side with PCI will likely result in fines and lawsuit costs. Being off-side with state privacy laws is a crime with potentially more serious consequences.
Complying / Security Strategy
- Make sure you’re using POS systems validated under PA-DSS or PABP
- Ensure you are using an approved PED
- Conduct regular security awareness training for your employees, especially for supervisors
- Run background checks on any employee who has administrative access to your system
- Have a ‘Confidentiality Agreement’ contract with your staff
- When it comes to your PCI Self-Assessment Questionnaire (SAQ), carefully and accurately complete the form, and when you’re not sure of your answers, just ask
- If you find gaps in your PCI compliance, develop a realistic plan to close them
- Be mature in sustaining compliance
- Always use two-factor authentication for system and device management
- Use strong passwords and secure password storage
- Monitor to detect attacks and record evidence
- Control your wireless access points
- Maintain secure configurations
- Maintain an incident response plan and test it
- Test and audit the cardholder environment
It can be a daunting task on the first run, but once everything is in place, ongoing PCI compliance is not an expensive undertaking. It is good business practice to protect the sensitive information that your customers entrust to you.
Any Questions?
For more information and advice on this topic you can quickly contact a Restaurant POS professional serving your area at www.POS-For-Restaurants.com
The author of this article writes for POS-For-Restaurants.com – a VP for Customer Relations with over 20 years’ experience in the restaurant point-of-sale industry.