Restaurant PCI Compliance Tips
What is PCI Compliance?
You’ve probably heard of the “PCI” security requirements for merchants. PCI is short for PCI DSS (Payment Card Industry Data Security Standard), which is a security standard developed by the major card brands (Visa®, MasterCard®, Discover®, Amex and others) to help protect credit cardholder data. If you accept credit cards, you are required to be PCI compliant to protect your customers’ data and to safeguard against the threat of a data compromise, also known as a breach.
What is a data breach?
A data breach occurs when a vulnerability in your computer network or POS is exploited by a hacker or by a physical manipulation of your POS environment. A breach by a hacker occurs over the internet when malware or other malicious software is installed in the card data environment. The malware collects any unencrypted card data that it can find, such as an unencrypted card number at the time of the card swipe. A breach from a physical manipulation occurs when a device is physically installed on a machine in your network with the intent of capturing cardholder data. A data breach can result in thousands of dollars in fines from banks and card brands. A breach usually requires a forensic investigation to discover the cause of the breach, which can be very costly. Merchants are often held financially responsible for a percentage of the fraud losses resulting from the breach and the cost of replacing the cardholders’ compromised cards. A breach can also cost intangible value in the form of deteriorated trust with your customer base.
The top 3 things you need to know about PCI
1. PCI standards hold merchants accountable for the business policies (or lack thereof) that lead to a data breach.
2. Merchants are responsible for their employees’ actions with regard to card data security.
3. Merchants are held responsible for securing their business environment, which is not limited to having a compliant POS in order to protect card data.
The top 3 actions you should take
1. Create business policies surrounding the handling of the payment card data environment.
- Create a process and schedule for changing passwords that access the POS. Passwords should be changed by all employees every 90 days.
- Ensure that your POS is not used for internet access outside of processing payment cards.
- Store any receipts, invoices or card imprints appropriately in a physically secure location.
2. Employee Awareness and Education:
- Hire the right staff.
- One type of data theft is skimming which involves an unscrupulous employee who uses a handheld device to steal data while handling customer cards for payment. Hire carefully to reduce the likelihood of dishonest staff.
- Train employees.
- Educate employees to look for unauthorized peripheral devices on the POS and other suspicious activity.
- Educate employees on the business policies regarding safe credit card processing and data management.
3. Maintain Secure Computer Networks:
Segmentation: Segmentation is the practice of keeping your computing networks separated from one another, so that a weakness in one network, such as easy access to a wireless network, does not give a hacker a path to your POS and payment card data.
- Start by keeping the POS behind its own firewall and on its own router, away from other, weaker systems like your customer-accessible wireless internet service, your back office computer, or any other computers used for surfing the internet.
- Do not allow internet usage on the POS for any reason other than payment card processing. Card processing should be handled directly through your POS software.
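The segmentation rules above can be written down as a firewall policy and checked before they go on a router. The following is an added example, not code from the original article or from any vendor: it models the POS, guest Wi-Fi, back office and payment processor as constructed, hypothetical subnets, evaluates a first-match rule list the way a typical firewall does, and verifies that no non-POS zone can reach the POS segment.

```python
"""Model the POS segmentation policy as a first-match ACL and verify it."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example address plan (hypothetical; not from the article).
# 203.0.113.0/24 is a documentation range standing in for the payment processor.
ZONES = {
    "pos": ipaddress.ip_network("10.10.1.0/24"),
    "guest_wifi": ipaddress.ip_network("192.168.50.0/24"),
    "back_office": ipaddress.ip_network("10.10.2.0/24"),
    "processor": ipaddress.ip_network("203.0.113.0/24"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),
}

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # zone name
    dst: str               # zone name
    dport: Optional[int] = None  # None means any destination port

# Policy derived from the article: the POS talks only to the processor over TLS,
# guest Wi-Fi and the back office may use the internet but never reach the POS,
# and anything not explicitly allowed is denied. Rule order matters: the
# "deny ... -> pos" lines must come before the broad "allow ... -> internet" lines.
POLICY = [
    Rule("allow", "pos", "processor", 443),
    Rule("deny", "pos", "internet"),
    Rule("deny", "guest_wifi", "pos"),
    Rule("deny", "back_office", "pos"),
    Rule("allow", "guest_wifi", "internet"),
    Rule("allow", "back_office", "internet"),
]

def is_allowed(policy: List[Rule], src_ip: str, dst_ip: str, dport: int) -> bool:
    """First matching rule decides; no match means default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in policy:
        if src in ZONES[r.src] and dst in ZONES[r.dst] and r.dport in (None, dport):
            return r.action == "allow"
    return False

PROBE_PORTS = (22, 80, 443, 445, 3389)

def segmentation_violations(policy: List[Rule]) -> List[Tuple[str, int]]:
    """Return (zone, port) pairs from which a non-POS zone can reach a POS host."""
    pos_host = str(ZONES["pos"][10])
    found = []
    for zone in ("guest_wifi", "back_office"):
        src_host = str(ZONES[zone][10])
        for port in PROBE_PORTS:
            if is_allowed(policy, src_host, pos_host, port):
                found.append((zone, port))
    return found
```

Re-running `segmentation_violations` after every rule change catches the common mistake of placing a broad "allow to internet" rule ahead of the POS deny, which silently opens the POS segment to the guest network.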
Maintain a Vulnerability Management Program
- Keep anti-virus software programs up to date.
- Keep the system secure by regularly updating your software from the vendor.
- Software vulnerabilities are found all the time in all types of software: updating the POS or even operating system software by downloading the (usually) free patches helps make your system more secure.
- Restart your computer and allow the updates to run to ensure that your systems are in top shape. Restarting also clears unstable memory from the computer.
Use a self-service PCI DSS compliance program
Because compliance validation and third-party vulnerability scans are required, merchants should consider using a self-service PCI DSS program to assist with meeting the requirements. Vantiv Integrated Payments offers merchants the tools to achieve and maintain compliance quickly and easily through the Merchant SecureAssist® solution. This solution includes an online “wizard” that guides merchants through the compliance process one step at a time, as well as real-time vulnerability scans of your external-facing IP address looking for vulnerabilities that need to be addressed.
Whether you decide to go it alone, or use a compliance assistance program, Vantiv can help. Contact us and speak with a security expert today.