Restaurant and Retail Point of Sale: PCI & Credit Card Security Background

Posted by admin2 | Uncategorized |

Background on PCI & Credit Card Security

From the day magnetic stripe cards were introduced, both restaurateurs and their diners have enjoyed the convenience of accepting and using credit and debit cards. However, given the sky-high cost and frequency of card fraud, the major card brands (Visa, MasterCard, American Express, Discover and JCB) are taking steps to safeguard their clients.

The mag stripe on credit cards was invented by IBM in 1968 and became the industry standard. Because the track data on the mag stripe is easy to read and duplicate, the card brands, through the Payment Card Industry (PCI) Security Standards Council, built a set of standards for securing cardholder data that begins with the directive: ‘Don’t store track data.’

The Payment Card Industry (PCI) Standards

The PCI Security Standards Council took a three-pronged approach to protecting consumers, banks and merchants/restaurateurs:

  • Payment Card Industry Data Security Standard or PCI DSS – applies to all entities that store, process, or transmit cardholder data (merchants, restaurateurs, service providers, processors, etc.)

Deadline for Compliance: January 2007 (this deadline is long past)

It Means – All restaurateurs (regardless of size) are required to complete and submit a PCI Self-Assessment Questionnaire each year to their acquiring bank.

  • Payment Application Data Security Standard or PA-DSS – applies to all applications used to store, process, or transmit cardholder data as part of authorization or settlement (point-of-sale (POS) application developers)

Deadlines for Compliance:

Oct. 1, 2008 – Payment processors, agents and merchants must use software that is compliant with the new payment application security standards.

Oct. 1, 2009 – Merchants will be required to terminate any noncompliant payment applications still in use in their environments.

July 1, 2010 – Mandatory use of only payment applications that support the new standards.

What this Means – If, after the deadline, a merchant/restaurateur is not running a PA-DSS validated application, they will automatically fail their PCI assessment and could lose their ability to accept credit cards.

  • PED (PIN Entry Devices) Standard – applies to all PEDs and aims to ensure that the cardholder’s personal identification number (PIN), and any other sensitive information, is protected consistently at a PIN acceptance device, such as the PIN pads in your restaurant.

Deadline for Compliance:

Jan. 1, 2004 – Newly purchased point of sale (POS) PIN entry devices must pass testing by a Visa-recognized laboratory and be approved by Visa.

July 1, 2010 – Every POS PIN entry device must pass testing at one of the PCI SSC’s recognized laboratories and be approved by the PCI SSC.

It Means – Merchants/restaurant owners have 2 years to replace older, unapproved PEDs.

Payment Card Industry (PCI) Do’s

  • Have routine vulnerability scans of your POS systems.
  • Do security awareness training for all of your staff.
  • Audit system access.
  • Review your system activity logs.
  • Remove the access privileges of employees who have left.
  • Do install software patches.
  • Take every threat seriously and have an incident response plan.

PCI Don’ts

  • Don’t store or archive whole credit card numbers.
  • Don’t transmit credit card information unencrypted.
  • Remember that PCI is not about making you compliant with these standards – it’s about keeping you and your customers protected.
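The ‘Don’t store track data’ directive and the ‘don’t store whole card numbers’ rule above can only be enforced if you can find where card data is leaking into files. As an added example, not code from the original article or from any POS vendor, the Python script below scans constructed sample POS log lines for Luhn-valid card numbers and for raw ISO 7813 Track 2 swipe records, reports each hit masked to the first six and last four digits, and can rewrite a line with the card data redacted. The log lines, field names and timestamps are constructed; the card numbers are the public test numbers for each brand, not real accounts.

```python
import re
from dataclasses import dataclass

# Constructed sample POS log lines (not from any real system). The card
# numbers are the well-known public test numbers for Visa, MasterCard and Amex.
SAMPLE_LOG = [
    "2024-03-01 19:02:11 INFO order=1234567890123456 table=12 total=48.20",
    "2024-03-01 19:02:13 DEBUG swipe=;4111111111111111=25121011234567890?",
    "2024-03-01 19:02:14 WARN keyed fallback pan=5500 0000 0000 0004 exp=1225",
    "2024-03-01 19:02:15 INFO auth ok amex 378282246310005 approval=ABC123",
    "2024-03-01 19:03:00 INFO tip adjusted ts=1709319731000",
]

# A PAN candidate: 13 to 19 digits, optionally grouped with spaces or dashes,
# not touching other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# ISO 7813 Track 2: start sentinel ';', PAN, field separator '=', expiry YYMM,
# 3-digit service code, discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test: filters out order ids, timestamps and other
    digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS allows
    to be displayed; everything in between becomes '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int   # 1-based line in the scanned input
    kind: str      # "track2" (full swipe data) or "pan" (card number only)
    masked: str    # masked PAN, safe to put in a report


def scan_lines(lines):
    """Return a Finding for every Luhn-valid PAN or Track 2 record in `lines`."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in TRACK2_RE.finditer(line):
            if luhn_valid(m.group(1)):
                findings.append(Finding(n, "track2", mask_pan(m.group(1))))
        # Blank out Track 2 records first so their PAN is not reported twice.
        remainder = TRACK2_RE.sub(" ", line)
        for m in PAN_RE.finditer(remainder):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append(Finding(n, "pan", mask_pan(digits)))
    return findings


def redact_line(line: str) -> str:
    """Rewrite one log line with card data masked; lines without card data
    are returned unchanged."""
    def _track(m):
        pan = m.group(1)
        if not luhn_valid(pan):
            return m.group(0)
        return f";{mask_pan(pan)}=[TRACK2 REDACTED]?"

    def _pan(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)

    return PAN_RE.sub(_pan, TRACK2_RE.sub(_track, line))


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind:6} {f.masked}")
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

Run against exported POS application logs, receipt spool files and database dumps, a "track2" finding means the application is writing full swipe data to disk, which is exactly what the standard forbids and a reason to take it up with the software vendor. The Luhn filter keeps order numbers and epoch timestamps out of the report, so the output can be shared with an assessor without itself becoming stored cardholder data.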

PCI’s Effect on Restaurateurs

Given consumers’ expectation of ever-present acceptance of credit and debit cards, a restaurateur’s validation that they are protecting their customers’ personal information is good for business:

Reputation / Image

In a highly competitive business, a restaurateur does not want to be named in the media as the place where card data was stolen.

Protects Your Credit / Debit Card Payment Acceptance Ability – failure to comply and/or a breach can put a restaurant owner’s ability to accept credit/debit payments at risk. In many cases, credit/debit payments account for 80% to 90% of transactions. Losing your restaurant’s ability to accept credit cards can cost you customers.

Impact of State Privacy Laws

A breach that discloses individuals’ credit card data in any of the 40+ states with privacy laws can have a double impact on the restaurateur. Being offside with PCI might result in fines and litigation costs. Being offside with state privacy laws is a crime with potentially more serious penalties.

Complying / Security Strategy

  • Be sure you are using a PA-DSS or PABP validated POS system
  • Make sure you’re using an approved PED
  • Have regular security awareness training for your staff – particularly supervisors
  • Conduct a background check on every employee who has administrative access to your system
  • Have your staff sign a ‘Confidentiality Agreement’
  • If you’re not sure how to complete the PCI Self-Assessment Questionnaire (SAQ), ask
  • If gaps in PCI compliance are identified, develop a realistic plan to close them
  • Be mature in sustaining compliance
  • Control access
  • Use two-factor authentication for system and device management
  • Use strong passwords and store them securely
  • Keep monitoring system activity for possible attacks and keep the records as evidence
  • Control wireless access points
  • Always maintain a secure configuration
  • Segment networks
  • Maintain an incident response plan and test it
  • Test and audit the cardholder environment

It may seem a discouraging task on your first try, but once all of the above are in place, ongoing PCI compliance is not an expensive undertaking. Besides, it’s good for your business to protect the sensitive information that your customers entrust to you.

Do You Have Any Questions?

For more information and advice on this topic you can quickly contact a Restaurant POS professional serving your area at www.POS-For-Restaurants.com

The author of this article is the Vice President of Customer Relations at POS-For-Restaurants.com, with over 20 years’ experience in the restaurant point of sale industry.

The Risk of non-PCI Compliance – video
