Restaurant Point of Sale System PCI & Credit Card SecuritySince the day magnetic strip cards was introduced to people, both restaurant owners and their diners have been enjoying the convenience of accepting and using credit and debit cards. However, given the sky high cost and frequency of fraud on credit cards, well established card brands (Visa, MasterCard, American Express, Discover and JCB) are already taking steps to safeguard their card holders.It was in 1968 when IBM invented the magnetic stripe on credit cards and became the industry standard. Given that the track data on the mag stripe can easily be read and duplicated, the branded cards, with the set of standards that the Payment Card Industry (PCI) Security Standards Council has built, it clearly stated the first directive: ‘Don’t store track data.’The Payment Card Industry (PCI) StandardsThe PCI Security Standards Council carried out a three-pronged approach to protecting consumers, banks and merchants/restaurateurs: * PCI DSS (Payment Card Industry Data Security Standard) – embraces all entities that store, process, or transmit cardholder data (Merchants, restaurateurs, service providers, processors, etc.)Deadline for Compliance: Month of January 2007 (deadlines are long passed)What this Means – Restaurateurs, regardless of the size, must complete and submit a PCI Self-Assessment Questionnaire to their Acquiring Bank every year. * Payment Application Data Security Standard (PA-DSS) – covers all applications used to store, process, or transmit cardholder data as part of authorization or settlement. (Point-of-Sale (POS) application developers)Deadlines for Compliance:Oct. 1, 2008 : Payment processors, agents and merchants must use software that is compliant with the new payment application security standards.Oct. 1, 2009 : Terminate any noncompliant payment applications that merchants might still have in their environments will be required.July 1, 2010 : Mandatory use of only the payment applications that complies with the new standards.What this Means – After these deadlines, merchants/restaurateurs that are still running a non-PA DSS-validated application, they automatically fail the PCI assessment and may lose their ability to accept credit cards. * PED (Pin Entry Devices) Standard – applies to all PEDs and it aims to ensure that the cardholder’s personal identification number (PIN), including any sensitive information such as resident keys, are protected consistently at a PIN acceptance device.Deadline for Compliance:Jan. 1, 2004 : To all newly purchased Point of Sale (POS) PIN Entry Devices, they must pass by a recognized laboratory of Visa and be approved by Visa.July 1, 2010 : Mandates that every POS PIN Entry Devices must pass and get approved by PCI SSC from one of its recognized laboratories.Which Means : Merchants/restaurant owners have 2 years to replace older, un-approved PEDs.PCI Do’s * Make routine vulnerability scan for your POS systems. * Have a security awareness training for your staff. * Do audits of system access. * Monitor system activity logs. * Do remove access privileges of separated employees. * Do install software patches. * Do take any threats seriously – have an incident response plan in place.PCI Don’ts * Refrain your self from storing or archiving whole credit card numbers. * You should not transmit credit card information unencrypted. * With Payment Card Industry, it is not just about making you compliant with the standards – it’s all about protecting your business and your customers.How PCI Affects RestaurateursGiven consumers’ expectation of universal acceptance of credit and debit cards, a restaurateur’s validation that they are protecting their customer’s personal information is good for business:Your Business’ Reputation / ImageIn any competitive business – no restaurateur would want to be referred to as the placed where a personal card data was stolen.Protects Your Credit / Debit Card Payments Acceptance Ability – non-compliance and/or a breach can risk a restaurateur’s ability to accept credit/debit payments. There are many cases that 80% to 90% of transactions are from credit/debit card accounts. Losing the ability to accept credit/debit cards can reduce your customers.Impact of State Privacy LawsBy not following the set of rules that discloses personal credit card information in one of the 40+ States governed by the privacy laws may experience double impact on the side of the merchant/restaurateur. Being off-side with the Payment Card Industry might result in fines and lawsuit costs. Being off-side with State Privacy Laws is a crime punishable by confinement with potentially more serious penalties.Complying / Security Strategy * Ensure you’re using only PA-DSS or PABP validated POS systems * Ensuring that you use approved PEDs * Have regular security awareness training for your staff – particularly supervisors * Doing a background check on your staff that has administrative access to your system is a must * Have your staff sign a ‘Confidentiality Agreement’ * When it comes to your PCI Self Assessment Questionnaire (SAQ), carefully and accurately complete the form and when you’re not sure with your answers, just ask * If gaps in PCI compliance are identified, develop a realistic plan to straighten it out * Maintain mature controls to sustain compliance * Access controls * Always have double factor for system and device management * Strong passwords and secure password storage * Monitoring to detect attack and record evidence * Control wireless access points * Maintain a secure configuration * Section each network * Maintain an Incident Response Plan and Test It * Testing and auditing the cardholder environmentIt may be difficult task the first time but when everything else is in place, ongoing PCI compliance is not an expensive undertaking. Besides, it’s a good practice for businesses to protect the sensitive data that your customers trust upon you.