Restaurant and Retail Point of Sale: PCI & Credit Card Security Background
PCI & Credit Card Security: Background
Since magnetic stripe cards were invented, both restaurateurs and their customers have enjoyed the convenience of accepting and using credit and debit cards. However, given the sky-high cost and frequency of card fraud, the major card brands (Visa, MasterCard, American Express, Discover and JCB) have taken steps to protect all stakeholders.
IBM invented the magnetic stripe on credit cards in 1968, and it became the industry standard. Because the track data on the mag stripe is easy to read and duplicate, the card brands, through the Payment Card Industry Security Standards Council, built a set of standards for securing cardholder data that begins with the directive: ‘Don’t store track data.’
The PCI Standards
The PCI Security Standards Council has taken a three-pronged approach to protecting consumers, banks and merchants/restaurateurs:
- PCI DSS (Payment Card Industry Data Security Standard) ‐ applies to all entities that store, process, or transmit cardholder data (merchants, restaurateurs, service providers, processors, etc.)
Compliance Deadline: January 2007 (deadlines are long past)
What this Means – All restaurateurs (regardless of size) are required to complete and submit a PCI Self-Assessment Questionnaire every year to their acquiring bank.
- Payment Application Data Security Standard (PA-DSS) ‐ covers all applications used to store, process, or transmit cardholder data as part of authorization or settlement (point-of-sale (POS) application developers)
Deadlines for Compliance:
Oct. 1, 2008 ‐ Agents, merchants and payment processors must use only software that is compliant with the new payment application security standards.
Oct. 1, 2009 ‐ Any noncompliant payment applications that merchants still have in their environments must be retired.
July 1, 2010 ‐ Mandates the use of only those payment applications that support the new standards.
What this Means – If, after the deadline, a merchant/restaurateur is not running a PA-DSS validated application, they automatically fail their PCI assessment and could lose their ability to accept credit cards.
- PIN Entry Device (PED) Standard – covers all PEDs and is aimed at ensuring that the cardholder’s personal identification number (PIN) and any other sensitive information are protected consistently at a PIN acceptance device, like your resident keys.
Deadline for Compliance:
Jan. 1, 2004 ‐ All newly purchased Point-of-Sale (POS) PIN Entry Devices must have passed testing by a Visa recognized laboratory and been approved by Visa.
July 1, 2010 ‐ Mandates that all deployed Point of Sale (POS) PIN Entry Devices must have passed testing by a PCI recognized laboratory and been approved by the PCI SSC.
What this Means ‐ Merchants/restaurateurs have two years to replace older, unapproved PEDs.
The Do’s of Payment Card Industry (PCI)
- Do run routine vulnerability scans of your systems.
- Do prepare security awareness training for your employees.
- Do audit system access.
- Do monitor system activity logs.
- Do remove the access privileges of separated employees.
- Do install software patches for your system.
- Do take every threat seriously - have an incident response plan in place.
The Don’ts of Payment Card Industry (PCI)
- Don’t store or archive whole credit card numbers.
- Don’t transmit credit card data unencrypted.
- PCI is not simply about proving you are compliant with the standards – it’s about making you and your customers protected.
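The two lists above come together in one practical check: scan your POS system’s own logs for the data it must never keep (whole card numbers and raw track data). The following script is an added example, not code from the original article or from any POS vendor; the log lines are constructed, and the 4111... value is a public test card number, not real cardholder data.

```python
import re

# Constructed sample POS log lines. Line 1 is what a correctly masked record
# should look like; lines 2 and 3 are the leaks the article warns against:
# a full PAN written to a log, and raw magnetic-stripe track 2 data.
SAMPLE_LOG = [
    "12:01:03 sale order=1234567890123 amount=42.10 pan=411111******1111",
    "12:02:17 sale order=1234567890124 amount=18.50 pan=4111 1111 1111 1111",
    "12:03:44 swipe raw=;4111111111111111=25121010000000000000?",
]

# 13-19 digits, optionally separated by single spaces or dashes, and not part
# of a longer digit run. Order numbers also hit this; the Luhn test filters them.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 (%B<PAN>^...?) and track 2 (;<PAN>=<YYMM...>?) as read off a stripe.
TRACK_RE = re.compile(r"%B\d{13,19}\^[^?]*\?|;\d{13,19}=\d{4,}[^?]*\?")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; every card brand's PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """First six and last four digits are the most PCI DSS lets you display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str) -> list[str]:
    """Return findings for one log line; any PAN reported is masked."""
    findings = []
    if TRACK_RE.search(line):
        findings.append("track data")
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append("PAN " + mask_pan(digits))
    return findings


def scan_log(lines: list[str]) -> dict[int, list[str]]:
    """Map 1-based line numbers to findings; clean lines are omitted."""
    return {n: f for n, f in ((n, scan_line(ln)) for n, ln in enumerate(lines, 1)) if f}


if __name__ == "__main__":
    for n, found in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(found)}")
```

Run it against a copy of your real POS logs; any hit on line types other than the masked form is data that should not be there and needs a configuration fix, not just a log purge.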
What Restaurateurs Get From PCI
Given consumers’ expectation of ever-present acceptance of credit and debit cards, a restaurateur’s validation that they are protecting their customers’ personal information is good for business:
For Business Reputation / Image
In a competitive business, a restaurant owner does not want to be named in the media as the place where card data was stolen.
Protects Ability to Accept Credit / Debit Card Payments - failure to comply and/or a breach can jeopardize a restaurant owner’s ability to accept credit/debit payments. In many cases, credit/debit payments account for 80% to 90% of transactions. Losing your restaurant’s ability to accept credit cards means fewer customers.
Impact of State Privacy Laws
A breach that discloses personal credit card information in any of the 40+ states with privacy laws can have a double impact on the restaurateur. Being off-side with PCI could result in penalties and lawsuit costs. Being off-side with state privacy laws is a felony with potentially more serious consequences.
Compliance / Security Strategy
- Make sure you are using a PA‐DSS or PABP validated POS system
- Make sure you’re using an approved PED
- Have regular security awareness training for your staff - particularly supervisors
- Do background checks on any staff who have administrative access to your system
- Have a ‘Confidentiality Agreement’ contract with your staff
- Carefully and accurately complete the PCI Self-Assessment Questionnaire (SAQ) – if you are not sure, ask
- If you find gaps in your PCI compliance, develop a realistic plan to close them
- Be mature in sustaining compliance
- Implement access controls
- Use two-factor authentication for system and device management
- Use strong passwords and store them securely
- Monitor to detect attacks and record evidence
- Control your wireless access points
- Maintain a secure configuration
- Segment networks
- Maintain an incident response plan and test it
- Test and audit the cardholder environment carefully
This can be a daunting task the first time around, but once all of the above are in place, sustaining PCI compliance is not expensive. It is good business practice to protect your customers’ sensitive information.
Want To Ask a Point of Sale (POS) Expert?
For more information and advice on this topic you can quickly contact a Restaurant POS professional serving your area at www.POS-For-Restaurants.com
The author of this article writes for POS-For-Restaurants.com and is a Vice President for Customer Relations with over 20 years of experience in the restaurant point-of-sale industry.