Restaurant PCI Compliance
PCI Compliance Tips for Your Restaurant
Get started achieving and maintaining compliance with this guide
What is PCI Compliance?
You’ve probably heard of the “PCI” security requirements for merchants. PCI is short for PCI DSS (Payment Card Industry Data Security Standard), a security standard developed by the major card brands (Visa®, MasterCard®, Discover®, Amex and others) to help protect credit cardholder data. If you accept credit cards, you are required to be PCI compliant to protect your customers’ data and to safeguard against a data compromise, also known as a breach.
What is a data breach?
A data breach occurs when a vulnerability in your computer network or POS is exploited by a hacker, or when your POS environment is physically manipulated. A breach by a hacker occurs over the internet when malware or other malicious software is installed in the card data environment. The malware collects any unencrypted card data it can find, such as an unencrypted card number at the time of the card swipe. A breach from physical manipulation occurs when a device is physically installed on a machine in your network with the intent of capturing cardholder data. A data breach can result in thousands of dollars in fines from banks and card brands. A breach usually requires a forensic investigation to discover its cause, which can be very costly. Merchants are often held financially responsible for a percentage of the fraud losses resulting from the breach and for the cost of replacing the cardholders’ compromised cards. A breach also carries an intangible cost in the form of lost trust with your customer base.
The top 3 things you need to know about PCI
PCI standards hold merchants accountable for the business policies (or lack thereof) that lead to a data breach.
Merchants are responsible for their employees’ actions with regard to card data security.
Merchants are held responsible for securing their business environment, which is not limited to having a compliant POS in order to protect card data.
The top 3 actions you should take
Create business policies surrounding the handling of the payment card data environment.
Create a process and schedule for changing passwords that access the POS. Passwords should be changed by all employees every 90 days.
Ensure that your POS is not used for internet access outside of processing payment cards.
Store any receipts, invoices or card imprints appropriately in a physically secure location.
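The 90-day password rotation above is only useful if someone actually checks it. The following script is an added example (not from the original article or from Vantiv) that flags POS accounts whose password is older than the rotation window. It assumes a Linux-style /etc/shadow layout, where the third field is the day number of the last password change (days since 1970-01-01); the account entries in it are constructed sample data, not real accounts.

```python
"""Flag POS accounts whose password is older than the rotation window.

Added example, not from the original article or from Vantiv. Assumes the
Linux /etc/shadow format: name:hash:lastchg:min:max:warn:inactive:expire:
where lastchg is the day number (days since 1970-01-01) of the last change.
"""
from datetime import date

ROTATION_DAYS = 90  # the rotation window the article recommends

# Constructed sample entries in /etc/shadow layout (hashes are placeholders).
SAMPLE_SHADOW = """\
posadmin:$6$placeholder:19700:0:99999:7:::
cashier1:$6$placeholder:19800:0:99999:7:::
cashier2:!:19500:0:99999:7:::
"""


def days_since_epoch(iso_date: str) -> int:
    """Day number of an ISO date (YYYY-MM-DD), matching the shadow file's unit."""
    return (date.fromisoformat(iso_date) - date(1970, 1, 1)).days


def stale_passwords(shadow_text: str, today_iso: str, max_age: int = ROTATION_DAYS):
    """Return (account, age_in_days) for every enabled account whose password
    was last changed more than max_age days before today_iso."""
    today = days_since_epoch(today_iso)
    stale = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        name, pw_hash, lastchg = line.split(":")[:3]
        if pw_hash.startswith(("!", "*")):
            continue  # locked or disabled account: nothing to rotate
        if lastchg == "":
            stale.append((name, None))  # no change recorded: treat as stale
            continue
        # A value of 0 means a change is forced at next login; it is flagged too.
        age = today - int(lastchg)
        if age > max_age:
            stale.append((name, age))
    return stale


if __name__ == "__main__":
    for name, age in stale_passwords(SAMPLE_SHADOW, date.today().isoformat()):
        print(f"{name}: password age {age} days exceeds {ROTATION_DAYS}")
```

Run it from a scheduled job on the POS server with the real shadow file (root access is required to read it) and route any output to whoever owns the password policy.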
Employee Awareness and Education:
Hire the right staff.
One type of data theft is skimming, which involves an unscrupulous employee who uses a handheld device to steal data while handling customer cards for payment. Hire carefully to reduce the likelihood of dishonest staff.
Educate employees to look for unauthorized peripheral devices on the POS and other suspicious activity.
Educate employees on the business policies regarding safe credit card processing and data management.
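Looking for unauthorized peripherals can also be automated. The script below is an added example (not from the original article or from Vantiv) that compares the USB devices attached to a POS terminal against a baseline captured from a known-good terminal and reports anything extra. It assumes a Linux POS where `lsusb` is available; the sample output lines and the `ffff:xxxx` vendor:product IDs in it are constructed placeholders, not real device IDs.

```python
"""Detect USB peripherals on a POS terminal that are not in the baseline.

Added example, not from the original article or from Vantiv. Assumes a Linux
POS with `lsusb`; the allowlist IDs starting with ffff and the sample output
are constructed placeholders.
"""
import re
import subprocess
from collections import Counter

# Matches lines such as "Bus 001 Device 003: ID 1d6b:0002 Linux Foundation 2.0 root hub"
LSUSB_LINE = re.compile(r"^Bus (\d+) Device (\d+): ID ([0-9a-f]{4}):([0-9a-f]{4})\s*(.*)$")

# Baseline: vendor:product -> how many of that device the terminal should have.
# Captured from a freshly provisioned, trusted POS; the ffff IDs are placeholders.
ALLOWED_DEVICES = {
    "1d6b:0002": 2,   # USB root hubs (real Linux Foundation ID)
    "ffff:0001": 1,   # placeholder: the approved card reader
    "ffff:0002": 1,   # placeholder: the receipt printer
}

# Constructed sample output: the expected devices plus one unknown device,
# which could be anything from a USB stick to a keystroke logger.
SAMPLE_LSUSB = """\
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID ffff:0001 Placeholder Card Reader
Bus 001 Device 003: ID ffff:0002 Placeholder Receipt Printer
Bus 001 Device 004: ID ffff:00ee Placeholder Unknown HID Device
"""


def parse_lsusb(text):
    """Return a list of (bus, device, 'vendor:product', description) tuples."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if m:
            bus, dev, vid, pid, desc = m.groups()
            devices.append((bus, dev, f"{vid}:{pid}", desc))
    return devices


def unexpected_devices(devices, allowlist=ALLOWED_DEVICES):
    """Return devices not in the allowlist, or present more often than the
    baseline allows (for example a second 'card reader' plugged in)."""
    seen = Counter()
    flagged = []
    for dev in devices:
        ident = dev[2]
        seen[ident] += 1
        if ident not in allowlist or seen[ident] > allowlist[ident]:
            flagged.append(dev)
    return flagged


def main():
    try:
        text = subprocess.run(["lsusb"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_LSUSB  # fall back to the constructed sample when lsusb is unavailable
    for bus, dev, ident, desc in unexpected_devices(parse_lsusb(text)):
        print(f"ALERT bus {bus} device {dev}: {ident} {desc!r} is not in the baseline")


if __name__ == "__main__":
    main()
```

Counting devices per ID matters: a second device that copies an approved reader's ID would otherwise slip past a plain membership check.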
Maintain Secure Computer Networks:
Segmentation is the practice of keeping systems separate from each other, so that a weakness in one network, such as easy access to a wireless network, does not give a hacker a path to your POS and payment card data.
Start by keeping the POS behind its own firewall and on its own router, away from weaker systems such as your customer-accessible wireless internet service, your back office computer, and any other computers used for surfing the internet.
Do not allow internet usage on the POS for any reason other than payment card processing. Card processing should be handled directly through your POS software.
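To make the segmentation rules above concrete, here is an added example (not from the original article or from Vantiv) that models them as a default-deny firewall policy and checks sample flows against it. The network ranges, the processor address range and the port are assumptions (RFC 1918 and documentation ranges) chosen only to make the rules testable; on a real firewall the same policy would be expressed in its own rule language.

```python
"""Model POS network segmentation as a default-deny policy and check flows.

Added example, not from the original article or from Vantiv. The zone ranges
and the processor range are assumptions used to make the rules concrete.
"""
import ipaddress

# Assumed zones: each segment sits behind its own router/firewall.
ZONES = {
    "pos":         ipaddress.ip_network("10.10.1.0/24"),
    "back_office": ipaddress.ip_network("10.10.2.0/24"),
    "guest_wifi":  ipaddress.ip_network("192.168.100.0/24"),
    "processor":   ipaddress.ip_network("203.0.113.0/24"),  # documentation range standing in for the payment processor
}

# Allow rules: (source zone, destination zone, destination port or None for any).
# Anything that matches no rule is denied: the POS can reach only the processor,
# and nothing from the guest Wi-Fi or back office can reach the POS.
ALLOW_RULES = [
    ("pos",         "processor", 443),   # card processing over TLS is the POS's only egress
    ("back_office", "internet",  None),  # back office may browse, but cannot reach the POS
    ("guest_wifi",  "internet",  None),  # guests get the internet and nothing internal
]


def zone_of(ip):
    """Name of the segment an address belongs to; anything else is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def evaluate(src_ip, dst_ip, dst_port):
    """Return ('allow', rule) for the first matching allow rule, else ('deny', None)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in ALLOW_RULES:
        r_src, r_dst, r_port = rule
        if r_src == src and r_dst == dst and (r_port is None or r_port == dst_port):
            return "allow", rule
    return "deny", None


if __name__ == "__main__":
    sample_flows = [
        ("10.10.1.5",      "203.0.113.10", 443),  # POS -> processor
        ("10.10.1.5",      "198.51.100.7", 80),   # POS -> a web site
        ("192.168.100.20", "10.10.1.5",    22),   # guest Wi-Fi -> POS
        ("10.10.2.3",      "10.10.1.5",    445),  # back office -> POS
        ("10.10.2.3",      "198.51.100.7", 443),  # back office -> web
    ]
    for src, dst, port in sample_flows:
        action, rule = evaluate(src, dst, port)
        print(f"{src} -> {dst}:{port}  {action.upper():5}  {rule or 'default deny'}")
```

The design point is that there are no deny rules to forget: every path not explicitly listed, including POS web browsing and any guest or back-office connection into the POS segment, is blocked by the default.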
Maintain a Vulnerability Management Program
Keep anti-virus software programs up to date.
Keep the system secure by regularly updating your software from the vendor.
Software vulnerabilities are found all the time in all types of software: updating the POS or even operating system software by downloading the (usually) free patches helps make your system more secure.
Restart your computer and allow the updates to run to ensure that your systems are in top shape. Restarting also clears unstable memory from the computer.
Use a self-service PCI DSS compliance program
Because compliance and third-party vulnerability scans are required, merchants should consider using a self-service PCI DSS program to assist with meeting the requirements. Vantiv Integrated Payments offers merchants the tools to achieve and maintain compliance quickly and easily through the Merchant SecureAssist® solution. This solution includes an online “wizard” that guides merchants through the compliance process one step at a time, as well as real-time vulnerability scans of your external-facing IP address looking for vulnerabilities that need to be addressed.
Whether you decide to go it alone, or use a compliance assistance program, Vantiv Integrated Payments can help. Contact us and speak with a security expert today.
Visa, MasterCard, American Express, and Discover are registered marks belonging to one or more unaffiliated third parties that do not endorse or sponsor Vantiv Integrated Payments, LLC.
The foregoing is provided for information purposes only, and is not legal advice. You should review your compliance obligations with your own legal or other advisors.