Complying With PCI & Credit Card Security: Retail and Restaurant POS

Here's a simple checklist for the PCI and Credit Card Security Standards, so that you know exactly what to do in order to comply with them.

Sept. 7, 2009 - PRLog -- PCI and Credit Card Security Background

Restaurateurs and their customers have enjoyed the convenience of credit and debit cards for many years. However, given the rapid increase in the cost and frequency of card fraud, the established card brands (Visa, MasterCard, American Express, Discover and JCB) have taken steps to safeguard all stakeholders.

In 1968, IBM invented the magnetic stripe for credit cards, and it became the industry standard. Because the track data on the mag stripe is easy to read and duplicate, the card brands, through the Payment Card Industry (PCI) Security Standards Council, built a set of standards to protect cardholder data that begins with the directive: ‘Don’t store track data.’

The PCI Standards

Here is the three-pronged approach that the PCI Security Standards Council took to protect consumers, banks and merchants/restaurateurs:

   * Payment Card Industry Data Security Standard (PCI DSS) - covers all entities that store, process, or transmit cardholder data: merchants, restaurateurs, service providers, processors, etc.

Deadline for Compliance: January 2007 (this deadline has long passed)

What this Means – All restaurateurs (regardless of size) must complete and submit a PCI Self-Assessment Questionnaire annually to their Acquiring Bank.

   * PA-DSS (Payment Application Data Security Standard) - covers all applications used to store, process, or transmit cardholder data as part of authorization or settlement (i.e., Point-of-Sale (POS) application developers).

Deadlines for Compliance:

Oct. 1, 2008 ‐ Payment processors, agents and merchants must use software that is compliant with the new payment application security standards.

Oct. 1, 2009 ‐ All merchants will be required to start terminating the use of any non-compliant payment applications that they might still have in their environments.

July 1, 2010 - Mandatory use of only payment applications that comply with the new standards.

What this Means - After these deadlines, merchants/restaurateurs still using a non-PA-DSS-validated application automatically fail the PCI assessment and could lose their ability to accept credit cards.

   * PIN Entry Device (PED) Standard - covers all PEDs and aims to ensure that the cardholder’s personal identification number (PIN), along with any sensitive information such as resident keys, is protected consistently at the PIN acceptance device.

Deadline for Compliance:

Jan. 1, 2004 ‐ All newly purchased Point-of-Sale (POS) PIN Entry Devices must have passed testing by a Visa recognized laboratory and been approved by Visa.

July 1, 2010 - Every Point-of-Sale (POS) PED must pass testing by a PCI SSC-recognized laboratory and be approved by the PCI SSC.

What this Means - Merchants/restaurant owners have two years to replace older, unapproved PEDs.

The Do's With Payment Card Industry (PCI)

   * Do routine vulnerability scans of your systems.

   * Do security awareness training for all of your staff.

   * Audit system access.

   * Monitor system activity logs.

   * Remove access privileges of separated employees.

   * Install software patches for your system.

   * Do take any threats seriously ‐ have an incident response plan in place.

Payment Card Industry (PCI) Don’ts

   * Don’t store or archive whole credit card numbers.

   * Don’t transmit credit card data unencrypted.

   * With PCI, it's not simply about proving you are compliant with the standards – it’s about keeping your customers safe as well as your business.
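As an added example (not from the original press release), here is a Python check for the two storage don’ts above and the ‘Don’t store track data’ directive: it scans a POS application log for full PANs and raw magnetic-stripe track 2 data, uses the Luhn checksum to avoid flagging order ids and timestamps, and reports each hit with the first-six/last-four masking that PCI DSS permits. The log lines are constructed sample data.

```python
import re

# Constructed sample of a POS application log (not taken from the original page).
# Line 1 stores a full PAN, line 2 stores raw magnetic-stripe track 2 data,
# line 3 stores a properly truncated PAN and line 4 holds no card data at all.
SAMPLE_LOG = """\
2009-09-07 12:01:03 sale id=1001 pan=4111111111111111 amount=23.50
2009-09-07 12:02:17 swipe id=1002 raw=;5105105105105100=09121011234567890?
2009-09-07 12:03:40 sale id=1003 pan=411111******1111 amount=8.00
2009-09-07 12:04:02 sale id=1004 tender=cash amount=4.25
"""

# A PAN is 13 to 19 digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Track 2 layout: ';' start sentinel, PAN, '=' separator, expiry/service code/
# discretionary data, '?' end sentinel. This is what must never be stored.
TRACK2_RE = re.compile(r";\d{13,19}=\d{4,}\?")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(text: str) -> list:
    """Return (line_no, kind, masked_pan) for every line that stores prohibited data."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in TRACK2_RE.finditer(line):
            pan = m.group(0)[1:].split("=")[0]
            findings.append((line_no, "track2", mask_pan(pan)))
        rest = TRACK2_RE.sub(" ", line)   # don't double-report the PAN inside track data
        for m in PAN_RE.finditer(rest):
            if luhn_ok(m.group(0)):       # Luhn filters out order ids, timestamps, etc.
                findings.append((line_no, "pan", mask_pan(m.group(0))))
    return findings


if __name__ == "__main__":
    for line_no, kind, masked in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: stores {kind} data for card {masked}")
```

Run it against real POS log and database exports; any "track2" finding means the application is storing data that no PA-DSS-validated application should retain after authorization.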

How PCI Affects Restaurateurs

Given consumers’ expectation of universal acceptance of credit and debit cards, a restaurateur’s validation that they are protecting their customers’ personal information is good for business:

For Business Reputation / Image

In any competitive business – no restaurant owner would want to be named as the eatery where card data was stolen.

Protects Ability to Accept Credit / Debit Card Payments

Non-compliance and/or a breach can endanger a restaurant owner's ability to accept credit/debit payments. In many cases, 80% to 90% of transactions are paid from credit/debit card accounts. Losing your store's ability to accept credit cards means fewer customers.

Impact of State Privacy Laws

A breach that discloses personal credit card information in any of the 40+ states governed by privacy laws can have a double impact on the restaurateur. Being offside with PCI could result in fines and litigation costs. Being offside with state privacy laws is a felony with potentially more serious penalties.

Compliance / Security Strategy

   * Ensure you are using a PA‐DSS or PABP validated POS system

   * Make sure you're using an approved PED

   * Have regular security awareness training for your staff - particularly supervisors

   * Perform background checks on employees with administrative access to your system

   * Have a ‘Confidentiality Agreement’ contract with your employees

   * Carefully and accurately complete the PCI Self Assessment Questionnaire (SAQ) – if you are not sure – ask

   * If gaps in PCI compliance are identified, develop a realistic plan to correct them

   * Maintain mature controls to sustain compliance

   * Access controls

   * Dual-factor authentication for system and device management

   * Strong passwords, stored securely

   * Monitoring to detect attack and record evidence

   * Controlling your wireless access points

   * Maintain secure configuration

   * Segment your networks

   * Have an Incident Response Plan and test it to make sure that it's always ready for action

   * Test and audit the cardholder data environment

It may be an overwhelming task the first time around, but once everything is in place, ongoing PCI compliance is not an expensive undertaking. Besides, it's good for your business to protect the sensitive information that your customers entrust to you.


Any Questions?

You can visit anytime for more information or advice about this topic; a Restaurant POS professional serving your area will be willing to answer your questions.

The author of this article writes for - a VP of Customer Relations with over 20 years experience in the restaurant point of sale industry.


# # #

Searching for the best Restaurant POS System Solution for your business?
We're a National network of POS System Solution Experts who offer better value and features than most "Major National Suppliers"!