Click here for a video that explains the risk of non-PCI compliance

Background on PCI & Credit Card Security

For many years now, both restaurant owners and their diners have been enjoying the convenience of accepting and using credit and debit cards. However, given the sky high cost and frequency of fraud on credit cards, the major card brands (Visa, MasterCard, American Express, Discover and JCB) have taken steps to safeguard all stakeholders.

The mag stripe on credit cards was invented by IBM in 1968 and became the industry standard. Since the track data is easy to read and duplicate on the mag stripe, the branded cards, through the Payment Card Industry (PCI) Security Standards Council has built a set of standards to secure cardholder data, beginning with the directive: ‘Don’t store track data.’

The Standards of PCI

A three-pronged approach that the PCI Security Standards Council took to protect consumers, merchants/restaurateurs and banks:

• PCI DSS (Payment Card Industry Data Security Standard) ‐ includes all entities that store, process, or transmit cardholder data: Merchants, restaurateurs, service providers, processors, etc.

Compliance Deadline: January 2007 (deadlines are long passed)

What this Means – Restaurateurs, regardless of the size, must all complete and submit a PCI Self-Assessment Questionnaire to their Acquiring Bank yearly.

• PA‐DSS (Payment Application Data Security Standard) ‐ covers all applications used to store, process, or transmit cardholder data as part of authorization or settlement. (Point-of-Sale (POS) application developers)

Deadlines for Compliance:

Oct. 1, 2008 ‐ Payment processors, agents and merchants must use software that is compliant with the new payment application security standards.

Oct. 1, 2009 ‐ Terminate any noncompliant payment applications that merchants might still be using in their environments will be required.

July 1, 2010 ‐ Mandates the use of only those payment applications that support the new standards.

What this Means – After these deadlines, merchants/restaurateurs that are still running a non-PA DSS-validated application, they automatically fail the PCI assessment and will lose their ability to accept credit cards.

• PED (Pin Entry Devices) Standard – covers all PEDs and it aims to ensure that the cardholder’s personal identification number or PIN, and any sensitive information are protected consistently at a PIN acceptance device, like your resident keys.

Deadline for Compliance:

Jan. 1, 2004 ‐ All newly purchased Point-of-Sale (POS) PIN Entry Devices must have passed testing by a Visa recognized laboratory and been approved by Visa.

July 1, 2010 ‐ Mandates that all deployed Point of Sale (POS) PEDs must have passed testing by a PCI recognized laboratory and been approved by the PCI SSC.

This Means ‐ Merchants/restaurateurs have 2 years to replace older, un-approved PEDs.

The Do’s With Payment Card Industry (PCI)

• Make routine vulnerability scanning of your POS systems.

• Do security awareness training for all of your staff.

• Do audits of system access.

• System activity logs should be monitored.

• Remove access privileges of separated employees.

• Install software patches for your system.

• When it comes to any threats, be serious – have an incident response plan in place.

PCI Don’ts

• Refrain your self from storing or archiving whole credit card numbers.

• Never transmit credit card information unencrypted.

• PCI is not simply about proving you are compliant with the standards – it’s all about making your customers safe as well as your business.

What Restaurateurs Get From PCI

Given consumers’ expectation of universal acceptance of using credit and debit cards, a restaurateur’s validation that they are protecting their customer’s personal information is good for business:

Reputation / Image

For a highly competitive business – a restaurant owner does not want to be named in the media as the place were card data was stolen.

Protects Your Credit / Debit Card Payments Acceptance Ability – non-compliance of the rules and/or a breach can endanger a merchants’/restaurateur’s ability to accept credit/debit payments. There are several cases that 80% to 90% of transactions are through credit/debit payments. Losing your restaurant’s ability to accept credit/debit cards = reduced traffic/customers.

Impact of State Privacy Laws

A breach that discloses individual’s credit card info in one of the 40+ States governed by the privacy laws may experience double impact on the side of the restaurateur. Being off-side with the Payment Card Industry might result in fines and lawsuit costs. Being off-side with State Privacy Laws is a crime punishable by confinement with possibly more serious penalties.

Compliance / Security Strategy

• By making sure you are using a PA‐DSS or PABP validated POS system

• Ensuring that you use approved PEDs

• Have regular security awareness training for your employees, especially for supervisors

• Have background checks on any staff that has administrative access to your system

• Have a ‘Confidentiality Agreement’ contract with your staff

• When it comes to your PCI Self Assessment Questionnaire (SAQ), carefully and accurately complete the form and when you’re not sure with your answers, just ask

• If you experience gaps in the PCI compliance, develop a realistic plan to straighten it out

• Maintain mature controls to sustain compliance

• Access controls

• In system and device management, have a dual factor

• Proper storing of your strong passwords and secure passwords

• Monitor system activities for potential attacks as well as record evidences

• Controlling your wireless access points

• Maintain a secure configuration

• Segment networks

• Maintain an Incident Response Plan and Test It

• Test and audit the cardholder environment carefully

It may be a daunting task on your first try but when everything’s in place, ongoing PCI compliance is not an expensive undertaking. Besides, it’s good for you business to practice protecting the sensitive data that your customers entrust with you.

Want To Ask a Point of Sale (POS) Expert?

You may visit www.POS-For-Restaurants.com anytime for more information or advice about this topic, a Restaurant POS professional serving your area will address your concerns.

The author of this article is the Vice President of Customer Relations at
POS-For-Restaurants.com with over 20 years experience in the restaurant point of sale industry.