It seems like there is news of a restaurant data breach every few days. Restaurants, which sometimes have more lax point of sale (POS) and network security than other merchants, have become attractive targets for hackers. An important step you can take to protect your customers’ payment card data — and your business from the costs and reputation damage a data breach can cause — is complying with PCI security standards.
What are PCI security standards?
The Payment Card Industry Data Security Standard (PCI DSS) “covers technical and operational system components included in or connected to cardholder data.” The standard addresses maintaining a secure network, using PCI compliant hardware and software applications, protecting stored and transmitted cardholder data, and regularly testing systems and processes.
If your restaurant accepts payment cards, you must comply with PCI DSS and must pass an annual compliance assessment. Unfortunately, many merchants focus on passing the annual assessment, but then forget about maintaining PCI compliance the rest of the year. Those lapses in compliance will also create lapses in security that can open the door to cyberattack or data theft.
How is PCI compliance different from EMV compliance?
Europay, Mastercard, Visa (EMV) is a standard for secure card-present payment transactions. EMV technology uses payment cards with microprocessor chips that create unique transaction codes when the card is used, and that make it very difficult to create counterfeit cards. In contrast, PCI security standards cover the entire payment environment. A good way to look at it is that EMV and PCI DSS work together to keep cardholder data safe, each addressing a different aspect of cardholder security.
If my POS vendor is PCI compliant, is my restaurant PCI-compliant?
No. POS hardware manufacturers and software developers must comply with their own set of PCI security standards, but using their solutions does not make you compliant. Merchant compliance includes how you use technology and the security policies and procedures you put in place. The scope of merchant compliance covers far more than just which technology you use.
How can my restaurant comply with PCI security standards?
The first step to comply with PCI DSS is to confirm your merchant level. Levels range from Level 1, which processes more than 6 million transactions per year, to Level 4, which processes fewer than 20,000.
The next step is to learn what is required of businesses in your merchant level, to meet annual assessment requirements.
Finally, follow and maintain compliance with standards that will help you create a secure environment for payment card data. Security measures include:
- Installing and maintaining a firewall to fortify network security.
- Replacing vendor-supplied default passwords with unique passwords and changing them on a regular basis.
- Deploying secure storage for cardholder data.
- Using encryption to protect transmitted data.
- Protecting your restaurant systems with anti-virus software to prevent infection by viruses that could let hackers infiltrate them.
- Creating a process to identify security risks, rank them, and address them in order of importance.
- Maintaining strict, user-defined access control to cardholder data and establishing rules and policies for user-specific access management.
- Establishing rules and policies for visitor/guest access management.
- Setting rules and policies for user-specific access to data. According to the PCI security standards, each employee with access to your POS and other computer systems should have a unique ID and password. Additionally, restrict physical access to card data — e.g., by keeping back-office computers in a locked room that’s off-limits to guests and to employees whose responsibilities don’t entail viewing this information.
- Compiling detailed audit trails by user and event.
- Regulating processes for wireless access to cardholder data.
- Establishing, publishing and maintaining a security policy.
Beyond these steps, ask for help when needed. Your POS solutions provider can answer questions and provide solutions that help keep you compliant with PCI DSS and, more importantly, keep your restaurant’s systems and your customers’ data secure.