Retail and Restaurant Point of Sale: PCI & Credit Card Security Background

The PCI and credit card security standards are established to protect your customers as well as your business's reputation. With these standards, you can be known as the business that takes good care of its customers' sensitive data, thus increasing traffic.
Sept. 7, 2009 - PRLog -- PCI & Credit Card Security: Background

Restaurateurs and their customers have enjoyed the convenience of credit and debit cards for many years. However, given the rapidly increasing cost and frequency of card fraud, the major card brands (Visa, MasterCard, American Express, Discover and JCB) have taken preventive measures to safeguard their stakeholders.

IBM created the magnetic stripe on credit cards in 1968, and it became the industry standard. Because the track data on the mag stripe is easy to read and duplicate, the card brands, through the Payment Card Industry Security Standards Council, built a set of standards for securing cardholder data, and it begins with the directive: ‘Don’t store track data.’

The Standards of PCI

The PCI Security Standards Council took a three-pronged approach to protecting consumers, merchants/restaurateurs and banks:

   * PCI DSS (Payment Card Industry Data Security Standard) ‐ applies to all entities that store, process, or transmit cardholder data: merchants, restaurateurs, service providers, processors, etc.

Deadline for Compliance: January 2007 (this deadline has long passed)

What it Means – All restaurateurs (regardless of size) should complete and submit a PCI Self-Assessment Questionnaire each year to their Acquiring Bank.

   * Payment Application Data Security Standard (PA-DSS) ‐ applies to all applications used to store, process, or transmit cardholder data as part of authorization or settlement (i.e. Point of Sale (POS) application developers).

Deadlines for Compliance:

Oct. 1, 2008 ‐ Agents, merchants and payment processors must use only software that is compliant with the new payment application security standards.

Oct. 1, 2009 ‐ Merchants will be required to retire any noncompliant payment applications still in their environments.

July 1, 2010 ‐ Mandates the use of only those payment applications that support the new standards.

What it Means – If, after the deadline, a merchant/restaurateur is not running a PA-DSS validated application, they will automatically fail their PCI assessment and may lose their ability to accept credit cards.

   * PIN Entry Device (PED) Standard – applies to all PEDs and aims to ensure that the cardholder’s PIN and any other sensitive information are consistently protected at the PIN acceptance device, like your resident keys.

Deadline for Compliance:

Jan. 1, 2004 ‐ All newly purchased Point-of-Sale (POS) PIN Entry Devices must have passed testing by a Visa recognized laboratory and been approved by Visa.

July 1, 2010 ‐ Mandates that all deployed POS PEDs must have passed testing by a PCI recognized laboratory and been approved by the PCI SSC.

What this Means ‐ All merchants/restaurant owners will have 2 years to replace older, unapproved PEDs.

The Do's With Payment Card Industry (PCI)

   * Do routine vulnerability scans of your systems.

   * Do security awareness training for all of your staff.

   * Do audits of system access.

   * Do monitor your system activity logs.

   * Do revoke the access privileges of employees who have left the business.

   * Do install software patches.

   * Do take threats seriously - have an incident response plan in place.

The Don’ts of Payment Card Industry (PCI)

   * Don't store or archive whole credit card numbers.

   * Never transmit credit card information unencrypted.

   * PCI is not simply about proving you are compliant with the standards – it’s about making your customers safe as well as your business.
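
The directive ‘Don’t store track data’ and the first two Don’ts above are the controls that bite hardest in a POS environment, because swipe data and full card numbers usually leak into debug logs, receipts and exports rather than being stored on purpose. The following Python script is an added example, not code from the original article or from the PCI Security Standards Council: it scans log lines for magnetic-stripe track 1 and track 2 records in the ISO/IEC 7813 layout and for Luhn-valid 13 to 19 digit card numbers, records what it found, and masks each hit to the first six and last four digits (the most PCI DSS permits to be displayed). The sample log lines are constructed for this example and use the publicly documented card-brand test numbers; the regular expressions and the first-six/last-four masking policy are assumptions of this example, not something the article specifies.

```python
import re
from typing import List, Tuple

# Constructed sample log lines for this example (not real customer data). The
# card numbers are the publicly documented card-brand test numbers, which pass
# the Luhn check; the 16-digit "ref" value on the last line does not.
SAMPLE_LOG = [
    "2009-09-07 12:01:03 order=1181 amount=42.10 auth=OK",
    "2009-09-07 12:01:05 DEBUG swipe raw=%B4111111111111111^DOE/JANE^09121010000000000?",
    "2009-09-07 12:02:11 DEBUG swipe raw=;5555555555554444=0912101?",
    "2009-09-07 12:03:44 refund card=4012888888881881 amount=10.00",
    "2009-09-07 12:04:00 order=1182 ref=1234567890123456 amount=5.00",
]

# Magnetic-stripe track data in the ISO/IEC 7813 layout (an assumption of this
# example; real terminals may add vendor fields). Track 1: '%' + format code +
# PAN + '^' + name + '^' + expiry/service code/discretionary data + '?'.
# Track 2: ';' + PAN + '=' + expiry/service code/discretionary data + '?'.
TRACK1_RE = re.compile(r"%[A-Z](\d{13,19})\^[^^?]{2,26}\^\d{4}[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}[^?]*\?")

# A bare PAN: 13 to 19 digits, optionally separated by spaces or hyphens, not
# embedded in a longer digit run. Every hit is confirmed with the Luhn check
# below so that order and reference numbers are left alone.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the maximum PCI DSS allows to show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_line(line: str) -> Tuple[str, List[str]]:
    """Redact track data and PANs from one log line; return (line, findings)."""
    findings: List[str] = []

    def track_repl(kind: str):
        def _replace(m):
            pan = m.group(1)
            findings.append(f"{kind} track data (PAN ending {pan[-4:]})")
            # The whole swipe record goes, not just the PAN: expiry, service
            # code and discretionary data are what make a cloned card work.
            return f"[{kind}-REDACTED {mask_pan(pan)}]"
        return _replace

    line = TRACK1_RE.sub(track_repl("TRACK1"), line)
    line = TRACK2_RE.sub(track_repl("TRACK2"), line)

    def pan_repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)    # not a card number: leave it untouched
        findings.append(f"PAN ending {digits[-4:]}")
        return mask_pan(digits)

    line = PAN_RE.sub(pan_repl, line)
    return line, findings


def scan_log(lines: List[str]) -> List[Tuple[int, List[str], str]]:
    """Return (line number, findings, scrubbed line) for every line with a hit."""
    report = []
    for n, raw in enumerate(lines, 1):
        scrubbed, findings = scrub_line(raw)
        if findings:
            report.append((n, findings, scrubbed))
    return report


if __name__ == "__main__":
    for n, findings, scrubbed in scan_log(SAMPLE_LOG):
        print(f"line {n}: {'; '.join(findings)}")
        print(f"  scrubbed: {scrubbed}")
```

Run it as-is and it reports three of the five constructed lines: the two swipe records are redacted whole (a stored track record is worth more to a fraudster than the bare number, because the expiry and service code are what let a cloned card work), the refund line has its card number masked, and the 16-digit reference number on the last line is left alone because it fails the Luhn check. Pointing `scan_log` at a POS application's real log directory is the quickest way to find out whether the "Don't store track data" directive is actually being honoured before the Self-Assessment Questionnaire says it is.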

What Restaurateurs Get From PCI

Given consumers’ expectation that credit cards are accepted everywhere, a restaurateur’s validation that they are protecting their customers’ personal information is good for business:

Reputation / Image

In a highly competitive business, an operator does not want to be named in the media as the place where card data was breached.

Protects Your Ability to Accept Credit/Debit Card Payments - neglecting the rules, or suffering a breach, can put a merchant’s/restaurateur’s ability to accept credit/debit payments at risk. In several cases, 80% to 90% of transactions are from credit/debit card accounts, so losing your restaurant's ability to accept credit cards means reduced traffic and fewer customers.

Impact of State Privacy Laws

Failing to follow the rules, and thereby disclosing personal credit card information, in one of the 40+ states with privacy laws may have a double impact on a restaurateur. Being offside with PCI might result in penalties and lawsuit costs. Being offside with state privacy laws is a felony with potentially more serious consequences.

Complying / Security Strategy

   * Make sure your restaurant/store uses only PA‐DSS or PABP validated POS systems

   * Make sure you're using an approved PED

   * Have regular security awareness training for your staff - particularly supervisors

   * Conduct a background check on every employee with administrative access to your system

   * Have your staff sign a ‘Confidentiality Agreement’

   * Carefully and accurately complete the PCI Self Assessment Questionnaire (SAQ) – if you are not sure – ask

   * If you notice gaps in your PCI compliance, develop a realistic plan to correct them

   * Be mature about sustaining compliance

   * Control access to your systems

   * Always use two-factor authentication for system and device management

   * Use strong passwords and store them securely

   * Regularly monitor system activity for potential attacks and record the evidence

   * Control your wireless access points

   * Maintain a secure configuration

   * Segment each network

   * Maintain an incident response plan and test it

   * Test and audit the cardholder environment

It may be a difficult task on your first try, but once everything is in place, ongoing PCI compliance is not an expensive undertaking. It is good business practice to protect the sensitive information that your customers entrust to you.


Want To Ask a Point of Sale (POS) Expert?

You can visit at any time for more information or advice on this topic; a Restaurant POS professional serving your area will be willing to answer your questions.

The author of this article writes for - a VP of Customer Relations with over 20 years' experience in the restaurant point of sale industry.


# # #
