Point of Sale Systems: PCI & Credit Card Security Background

Complying with the rules set by the PCI & Credit Card Industry doesn't mean that they're pressuring the food-service industry or other retail stores. It simply means, doubling the protection they give their valued customers.
Spread the Word
Listed Under

* Pos
* Point Of Sale
* Restaurant Pos
* Restaurant Point Of Sale
* Restaurant Pos System
* Pos Systems
* Restaurant Pos Equipment

* Pos
* Restaurant pos
* Point of sale

* US

Sept. 7, 2009 - PRLog -- Ever since magnetic strip cards were developed, both restaurateur and their diners have been enjoying the convenience of accepting and using credit and debit cards. However, given the skyrocketing cost and frequency of fraud on credit cards, well established card brands such as Visa, MasterCard, American Express, Discover and JCB have taken steps to safeguard all stakeholders.

IBM created the mag stripe on credit cards in 1968 which became the industry standard. Since the track data is easy to read and duplicate on the mag stripe, the card brands, with the set of standards that the Payment Card Industry Security Standards Council has built, it clearly stated the first directive: ‘Don’t store track data.

The Standards of the Payment Card Industry (PCI)

The three-pronged approach that the PCI Security Standards Council took to protect consumers, banks and merchants/restaurateurs:

   * Payment Card Industry Data Security Standard (PCI DSS) ‐ embraces all entities that store, process, or transmit cardholder data: Merchants, restaurateurs, service providers, processors, etc.

Deadline for Compliance: Month of January 2007 (deadlines are long passed)

It Means – Restaurant owners, regardless of their establishments' size, must complete and submit a PCI Self-Assessment Questionnaire to their Acquiring Bank annually.

   * Payment Application Data Security Standard (PA-DSS) ‐ including all applications used to store, process, or transmit cardholder data as part of authorization or settlement. (Point-of-Sales (POS) application developers)

Deadlines for Compliance:

Oct. 1, 2008 ‐ Only the software that is compliant with the new payment application security standards must be used by agents, merchants and payment processors.

Oct. 1, 2009 ‐ Terminate any noncompliant payment applications that merchants might still have in their environments will be required.

July 1, 2010 ‐ Mandatory use of only the payment applications that complies with the new standards.

It Means – If, after the deadline, a merchant/restaurateur is not running a PA DSS-validated application, means that they automatically fail their PCI assessment and could possibly lose their ability to accept credit cards.

   * Pin Entry Devices (PED) Standard – embraces all PEDs and is aimed at ensuring that the cardholder’s personal identification number or PIN, including any sensitive information such as resident keys, are protected consistently at a PIN acceptance device.

Deadline for Compliance:

Jan. 1, 2004 ‐ All newly purchased Point-of-Sale (POS) PIN Entry Devices must have passed testing by a Visa recognized laboratory and been approved by Visa.

July 1, 2010 ‐ Mandates that all deployed Point of Sale (POS) PIN Entry Devices must have passed testing by a PCI recognized laboratory and been approved by the PCI SSC.

This Means ‐ All Merchants/restaurant owners will have two years to replace older, un-approved PIN Entry Devices.

The Do's With Payment Card Industry (PCI)

   * Make sure you have a routine vulnerability scanning of your Point of Sale systems (POS).

   * Do security awareness training for all of your staff.

   * Make system access audits.

   * Monitor your system activity logs.

   * Access privileges must be removed for separated employees.

   * Install software patches.

   * Any threats should be taken seriously - have an incident response plan in place.

The Don'ts With Payment Card Industry (PCI)

   * Whole credit card numbers must not be stored or archived.

   * Transmitting credit card information unencrypted should not be practiced.

   * PCI is not simply about proving you are compliant with the standards – it's all about protecting your customers and your business.

What Restaurateurs Get From PCI

Given consumers’ expectation of ubiquitous acceptance of using credit and debit cards, restaurant owners' validation that they are protecting their customers' personal information is helpful for business:

Reputation / Image

In a competitive business – a restaurant owner does not want to be named in the media as the place were a card data was breached.

Protects Your Credit / Debit Card Payments Acceptance Ability - non-compliance of the rules and/or a breach can endanger a restaurateur’s ability to accept credit/debit payments. In many cases, credit/debit payments account for 80% to 90% of transactions. Losing the ability to accept credit/debit cards means reduced customers.

Impact of State Privacy Laws

A failure to meet one's obligations that discloses individual's credit card info in one of the 40+ States with privacy laws may experience double impact on the side of the restaurateur. Being off-side with the Payment Card Industry can result in fines and litigation costs. Being off-side with State Privacy Laws is a felony with possibly more serious consequences.

Compliance / Security Strategy

   * Ensure your restaurant or store uses only PA‐DSS or PABP validated POS systems

   * Ensuring that you use approved PEDs

   * Have regular security awareness training for your staff, especially for your supervisors

   * Have background checks on anyone that has administrative access to your system

   * Have your staff sign a ‘Confidentiality Agreement’

   * When it comes to your PCI Self Assessment Questionnaire (SAQ), carefully and accurately complete the form and when you're not sure with your answers, just ask

   * If gaps in PCI compliance are identified, develop a realistic plan to rectify them

   * Maintain mature controls to sustain compliance

   * Access controls

   * Dual factor for system and device management

   * Strong passwords and secure password storage

   * Monitoring to detect attack and record evidence

   * Controlling your wireless access points

   * Maintain secure configuration

   * Segment networks

   * Have an Incident Response Plan and test it to make sure that it's always ready for action

   * Testing and auditing the cardholder environment

This can be a discouraging task on your first try but when everything else is in place, a PCI compliance is not an expensive work. It is good business practice to protect the sensitive information of your customers.


Want To Ask a Point of Sale (POS) Expert?

You can visit http://www.pos-for-restaurants.com anytime for more information or advice about this topic, a Restaurant POS professional serving your area will be willing to answer your questions.

The author of this article writes for POS-For-Restaurants.com - a VP of Customer Relations with over 20 years experience in the restaurant point of sale industry.


# # #

Searching for the best Restaurant POS System Solution for your business?
We're a National network of POS System Solution Experts who offer better value and features than most "Major National Suppliers"!
Email:***@kisse.us Email Verified
Tags:Pos, Point Of Sale, Restaurant Pos, Restaurant Point Of Sale, Restaurant Pos System, Pos Systems, Restaurant Pos Equipment
Industry:Pos, Restaurant pos, Point of sale
Location:United States
Account Email Address Verified     Disclaimer     Report Abuse
POS For Restaurants News
Most Viewed
Daily News

Like PRLog?
Click to Share