Restaurant and Retail Point of Sale: PCI & Credit Card Security Background

Posted by admin2 | Uncategorized | Thursday 29 October 2009 12:03 am

Background on PCI & Credit Card Security

Since magnetic stripe cards were introduced, restaurateurs and their diners alike have enjoyed the convenience of accepting and paying with credit and debit cards. However, given the high cost and frequency of card fraud, the major card brands (Visa, MasterCard, American Express, Discover and JCB) have taken steps to safeguard their customers.

The magnetic stripe on credit cards was introduced by IBM in 1968 and became the industry standard. Because the track data on the stripe is easy to read and duplicate, the card brands, through the Payment Card Industry (PCI) Security Standards Council, built a set of standards for securing cardholder data that begins with a simple directive: ‘Don’t store track data.’

The Payment Card Industry (PCI) Standards

The PCI Security Standards Council takes a three-pronged approach to protecting consumers, banks and merchants/restaurateurs:

  • Payment Card Industry Data Security Standard (PCI DSS) – applies to every entity that stores, processes, or transmits cardholder data (merchants, restaurateurs, service providers, processors, etc.)

Deadline for Compliance: January 2007 (this deadline has long since passed)

What it means – Every restaurateur, regardless of size, must validate compliance with their acquiring bank each year; for all but the largest merchants this is done by completing and submitting a PCI Self-Assessment Questionnaire (SAQ).

  • Payment Application Data Security Standard (PA-DSS) – applies to every application that stores, processes, or transmits cardholder data as part of authorization or settlement (i.e. Point-of-Sale (POS) application developers)

Deadlines for Compliance:

Oct. 1, 2008 – Payment processors, agents and merchants must use software that is compliant with the new payment application security standard.

Oct. 1, 2009 – Any noncompliant payment applications that merchants are still running in their environments must be decommissioned.

July 1, 2010 – Only payment applications validated against the new standard may be used.

What this means – If, after the deadline, a merchant/restaurateur is not running a PA-DSS-validated application, they will automatically fail their PCI assessment and could lose their ability to accept credit cards.

  • PIN Entry Device (PED) Standard – applies to all PEDs and aims to ensure that the cardholder’s personal identification number (PIN), and the cryptographic keys resident in the device that protect it, are consistently protected at the point of PIN acceptance.

Deadline for Compliance:

Jan. 1, 2004 – Newly purchased Point of Sale (POS) PIN Entry Devices must have passed testing by a Visa-recognized laboratory and been approved by Visa.

July 1, 2010 – Every POS PIN Entry Device in use must have been tested by one of the PCI SSC’s recognized laboratories and approved by the PCI SSC.

What it means – Merchants/restaurant owners have about two years to replace older, unapproved PEDs.

Payment Card Industry (PCI) Do’s

  • Have routine vulnerability scans run against your POS systems.
  • Give security awareness training to all of your staff.
  • Audit access to your systems.
  • Review your system activity logs.
  • Revoke access privileges as soon as an employee leaves.
  • Install software patches.
  • Take every threat seriously, and have an incident response plan.

PCI Don’ts

  • Don’t store or archive whole credit card numbers.
  • Don’t transmit credit card information unencrypted.

PCI is not about making you compliant with a set of standards for its own sake; it is about keeping you and your customers protected.
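
The two “don’ts” above, together with the earlier directive not to store track data, are easiest to enforce if you can actually find the offending data in your own environment. The Python script below is an added example written for this article; it is not code from the original post, from the PCI SSC, or from any POS vendor. It scans some constructed POS log lines for full card numbers (checked with the Luhn algorithm so that order numbers and timestamps are not flagged), for raw magnetic-stripe Track 1 and Track 2 data, and shows how to redact what it finds, keeping at most the first six and last four digits as PCI DSS permits for display. The log lines are invented, and the card numbers are the brands’ published test numbers rather than real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Raw magnetic-stripe tracks as a careless POS might dump them into a debug log.
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")

# Constructed sample log lines (not from any real system). The card numbers are
# the brands' published test numbers; everything else is invented.
SAMPLE_LOG = [
    "2009-10-28 21:14:02 pos01 sale table=12 amount=48.20 card=4111 1111 1111 1111 auth=OK",
    "2009-10-28 21:15:11 pos02 DEBUG swipe raw=%B5500000000000004^DOE/JOHN^2512101000000000?",
    "2009-10-28 21:15:11 pos02 DEBUG swipe raw=;5500000000000004=25121011234567890?",
    "2009-10-28 21:16:40 pos01 sale table=7 amount=112.00 card=378282246310005 auth=OK",
    "2009-10-28 21:17:03 pos03 order_id=1234567890123456 status=closed",
]


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep at most the first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text):
    """Return the Luhn-valid PANs found in text, with separators stripped."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def scan_line(line):
    """Report what cardholder data a single log line contains."""
    return {
        "track1": TRACK1_RE.search(line) is not None,
        "track2": TRACK2_RE.search(line) is not None,
        "pans": find_pans(line),
    }


def scan_log(lines):
    """Scan every line; the result list is parallel to the input."""
    return [scan_line(line) for line in lines]


def redact_line(line):
    """Drop track data entirely (it may never be retained) and mask any PAN."""
    line = TRACK1_RE.sub("[TRACK1 REDACTED]", line)
    line = TRACK2_RE.sub("[TRACK2 REDACTED]", line)

    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Luhn-invalid digit runs (order numbers, timestamps) are left untouched.
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)

    return PAN_RE.sub(_mask, line)


if __name__ == "__main__":
    for lineno, (line, finding) in enumerate(zip(SAMPLE_LOG, scan_log(SAMPLE_LOG)), 1):
        if finding["pans"] or finding["track1"] or finding["track2"]:
            print("line %d: %s" % (lineno, finding))
            print("   redacted: " + redact_line(line))
```

Run the script as-is to see which of the sample lines would fail a PCI assessment and what they look like after redaction; point `scan_log` at your own POS, database export or web-server log lines to do the same for your environment. Note that the Track 1 and Track 2 lines are redacted wholesale rather than masked: the standard forbids keeping any part of the track after authorization, so there is nothing to preserve.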

PCI’s Effect on Restaurateurs

Given consumers’ expectation that credit and debit cards will be accepted everywhere, a restaurateur’s demonstrated protection of their customers’ personal information is good for business:

Reputation / Image

In a highly competitive business, a restaurateur does not want to be named in the media as the place where card data was stolen.

Protects Your Ability to Accept Credit / Debit Card Payments – failure to comply and/or a breach can put a restaurant owner’s ability to accept credit/debit payments at risk. In many cases, card payments account for 80% to 90% of transactions, so losing the ability to accept credit cards can cost your restaurant customers.

Impact of State Privacy Laws

A breach that discloses the card data of individuals in any of the 40-plus states with privacy laws can hit a restaurateur twice. Being offside with PCI can result in fines and litigation costs; being offside with state privacy laws carries its own, potentially more serious, legal penalties.

Complying / Security Strategy

  • Be sure you are using a PA-DSS (or PABP) validated POS system
  • Make sure you are using an approved PED
  • Hold regular security awareness training for your staff, particularly supervisors
  • Run background checks on every employee who has administrative access to your systems
  • Have your staff sign a ‘Confidentiality Agreement’
  • If you are not sure how to complete the PCI Self-Assessment Questionnaire (SAQ), ask
  • If gaps in PCI compliance are identified, develop a realistic plan to close them
  • Treat compliance as an ongoing program, not a one-time project
  • Enforce access controls
  • Use two-factor authentication for system and device administration
  • Use strong passwords and store them securely
  • Monitor system activity for signs of attack and retain the evidence
  • Control wireless access points
  • Always maintain a secure configuration
  • Segment networks
  • Maintain an Incident Response Plan and test it
  • Test and audit the cardholder data environment

It may seem a daunting task the first time, but once all of the above are in place, ongoing PCI compliance is not an expensive undertaking. Besides, protecting the sensitive information your customers entrust to you is good for your business.

Do You Have Any Questions?

For more information and advice on this topic you can quickly contact a Restaurant POS professional serving your area at www.POS-For-Restaurants.com

The author of this article is the Vice President of Customer Relations at POS-For-Restaurants.com, with over 20 years’ experience in the restaurant point of sale industry.

The Risk of non-PCI Compliance – video


How to find California criminal records

Posted by admin2 | Uncategorized | Sunday 26 July 2009 10:47 pm

In some states, no law prevents an employer from using your criminal records to decide whether to hire you. This also means that pre-employment background checks carry even more weight, since they are the only means of determining whether a person has a criminal record. Having no record to taint your background is therefore quite important for most people who want to improve their chances of being hired.

In California, things take a different pattern. Section 432.7 of the California Labor Code states that “No employer, …, shall ask an applicant for employment to disclose, …, information concerning an arrest or detention that did not result in conviction, or information concerning a referral to, and participation in, any … diversion program, nor shall any employer seek from any source whatsoever, or utilize, as a factor in determining any condition of employment including hiring, promotion, termination, …, any record of arrest or detention that did not result in conviction, …. Nothing in this section shall prevent an employer from asking an employee or applicant for employment about an arrest for which the employee or applicant is out on a bail or on his or her own recognizance pending trial….”

In simpler terms, employers in California cannot use the California criminal records of prospective employees as a basis for their hiring decisions. The primary exception to the rule is when the California criminal records involve an actual conviction. In some cases California criminal records exist even though the suspect was never convicted of the crime; employers cannot use these types of records, in accordance with Labor Code Section 432.7. Nor can employers have a private organization look into an applicant’s California criminal records and then use the information obtained as a basis for their decisions.

However, as provided by this same code, an employer may ask about an arrest for which the applicant is out on bail or on his or her own recognizance pending trial, and about the circumstances surrounding that pending criminal trial. Such arrests also appear in California criminal records, although they may or may not result in convictions.

So, what this means is that unless you have a conviction in California, you are protected from any hiring decision based on your criminal record.


Businesses Must Use Confidential Shredding

Posted by admin2 | Uncategorized | Tuesday 21 July 2009 12:00 am

Personal privacy and data protection have never been more important. Our personal details are stored electronically in many locations and we all need to be certain that they will never fall into the wrong hands.

Document shredders have become commonplace in many homes. People are sensibly using these handy devices to shred their personal documents before placing them in the rubbish bin. And there are good reasons for this. Sifting through people’s rubbish is a technique commonly employed by criminals intent on stealing a person’s identity. There have been many cases of people who have had their bank accounts emptied or accrued expenditure on their credit cards purely through having some of their vital details acquired from their household rubbish.

While we can all take steps to shred the personal documentation that we might consign to the waste basket, what about personal data that is held about you by various others like your doctor, your bank or your insurance company? We all trust various organisations with our personal details and there have been some well reported cases wherein that trust has been misplaced and personal data has fallen into the wrong hands.

Businesses and other agencies holding any of your personal data are required by law to keep it secure. And when the time comes to dispose of their records, this must be carried out sensitively and securely.

Confidential shredding services can be used to ensure that documents and data are disposed of securely, without any risk that the information will fall into the wrong hands. Reputable data disposal firms will collect your office documents and data in secure containers and then provide you with destruction certificates when it has been disposed of.

If you are responsible for the disposal of sensitive data and documents you would do well to consider the services of Amber Moves. They are a reputable London Office Removals firm who provide totally secure and confidential shredding and data disposal services.

