A Guide for Restaurant and Retail POS PCI & Credit Card Security

Here is a background check on what the PCI and credit card security standards require, so that you know what you should be doing to make sure your business passes.

Sept. 7, 2009 - PRLog -- PCI & Credit Card Security: Background

Restaurateurs and their customers have long enjoyed the convenience of credit and debit cards. However, given the sky-high cost and frequency of credit card fraud, the major card brands (Visa, MasterCard, American Express, Discover and JCB) are taking steps to safeguard their clients.

IBM developed the magnetic stripe for credit cards in 1968, and it became the industry standard. Because the track data on the magnetic stripe is easy to read and duplicate, the first directive the card brands issue through the standards built by the Payment Card Industry Security Standards Council is clear: ‘Don’t store track data.’

The PCI Standards

The PCI Security Standards Council took a three-pronged approach to protecting consumers, merchants/restaurateurs and banks:

   * PCI DSS (Payment Card Industry Data Security Standard) ‐ applies to all entities that store, process, or transmit cardholder data (merchants, restaurateurs, service providers, processors, etc.)

Deadline for Compliance: January 2007 (this deadline has long since passed)

What it Means – All restaurateurs (regardless of size) must complete and submit a PCI Self-Assessment Questionnaire every year to their Acquiring Bank.

   * Payment Application Data Security Standard (PA-DSS) ‐ covers all applications used to store, process, or transmit cardholder data as part of authorization or settlement (Point of Sale (POS) application developers)

Deadlines for Compliance:

Oct. 1, 2008 ‐ Agents, merchants and payment processors may use only software that complies with the new payment application security standard.

Oct. 1, 2009 ‐ All merchants must begin removing any non-compliant payment applications still in their environments.

July 1, 2010 ‐ Mandatory use of only the payment applications that support the new standards.

It Means – After these deadlines, merchants/restaurateurs still running a non-PA-DSS-validated application automatically fail the PCI assessment and may lose their ability to accept credit cards.

   * PIN Entry Device (PED) Standard – covers all PEDs and aims to ensure that the cardholder’s personal identification number (PIN), along with sensitive information such as resident keys, is protected consistently at the PIN acceptance device.

Deadline for Compliance:

Jan. 1, 2004 ‐ Newly purchased Point of Sale (POS) PIN Entry Devices must be tested by a Visa-recognized laboratory and approved by Visa.

July 1, 2010 ‐ Every POS PED must be tested by one of the PCI SSC’s recognized laboratories and approved by the PCI SSC.

It Means ‐ Merchants/restaurant owners have 2 years to replace older, unapproved PEDs.

Payment Card Industry (PCI) Do's

   * Do routine vulnerability scans of your systems.

   * Do security awareness training for all of your staff.

   * Audit system access.

   * Monitor your system activity logs.

   * Remove the access privileges of separated employees.

   * Install software patches.

   * Take every threat seriously; devise an incident response plan.

The Don’ts of Payment Card Industry (PCI)

   * Do not store or archive full credit card numbers.

   * Do not transmit credit card information unencrypted.

   * With Payment Card Industry, it is not simply about proving you are compliant with the standards – it's all about keeping you and your customers protected.

What Restaurateurs Get From PCI

Given consumers’ expectation that credit and debit cards are accepted everywhere, a restaurateur’s validation that they are protecting their customers’ personal information is good for business:

Your Business' Reputation / Image

In a competitive business, no restaurant owner wants to be known as the place where card data was stolen.

Protects Your Credit / Debit Card Payments Acceptance Ability - non-compliance with the rules and/or a breach can put a restaurateur’s ability to accept credit/debit payments at risk. In many cases, credit/debit payments account for 80% to 90% of transactions. Losing the ability to accept credit/debit cards = reduced traffic/customers.

Impact of State Privacy Laws

A breach that discloses individuals’ credit card information in any of the 40+ states with privacy laws may have a double impact on a restaurateur. Being offside with the Payment Card Industry may result in fines and litigation costs. Being offside with state privacy laws is a felony with potentially more serious consequences.

Compliance / Security Strategy

   * Use a PA‐DSS or PABP validated POS system

   * Use approved PEDs

   * Conduct regular security awareness training for your staff, especially for your supervisors

   * Have background checks on any staff with administrative access to your system

   * Have your staff sign a ‘Confidentiality Agreement’

   * Carefully and accurately complete the PCI Self Assessment Questionnaire (SAQ) – if you are not sure – ask

   * If you find gaps in your PCI compliance, develop a realistic plan to close them

   * Maintain mature controls to sustain compliance:

      * Access controls

      * Always use two-factor authentication for system and device management

      * Strong passwords and secure password storage

      * Monitoring to detect attacks and record evidence

      * Control wireless access points

      * Maintain a secure configuration

      * Segment networks

      * Have an Incident Response Plan and test it to make sure it is always ready when needed

      * Test and audit the cardholder environment as if your business depended on it

It may be a daunting task on your first try, but once the above are in place, ongoing PCI compliance is not an expensive undertaking. Besides, it is good practice for any business to protect the sensitive information that its customers entrust to it.


Want To Ask a Point of Sale (POS) Expert?

You can visit http://www.pos-for-restaurants.com anytime for more information or advice about this topic; a Restaurant POS professional serving your area will be willing to answer your questions.

The author of this article writes for POS-For-Restaurants.com and is a VP of Customer Relations with over 20 years’ experience in the restaurant point of sale industry.


# # #

Searching for the best Restaurant POS System Solution for your business?
We're a national network of POS System Solution Experts who offer better value and features than most "Major National Suppliers"!