Is Your Restaurant PCI Compliant?

Last week, BDO’s Maurice Liddell presented a webinar on PCI compliance and the ways restaurants can prepare for changes to data security requirements around the processing of payment cards. According to data from a Nilson Report, it is estimated that Americans purchased more than $4.4 trillion of goods and services using major payment cards in 2014, and the Payment Card Industry Council is focused on keeping these transactions secure.
The Payment Card Industry Council, or PCI, dates back to the late 1990s. However, it wasn’t until 2004 that PCI created the PCI Data Security Standard (DSS). The standard focuses on securing all credit card transactions to reduce the number of credit card breaches, and on securing the data in payment card transactions at every step, from transaction to settlement; companies are assessed against it on an annual basis. Over the years, PCI-DSS has evolved through several iterations that take new and evolving technologies into account to better secure the network against payment card breaches. At a basic level, merchants are classified into one of four categories depending on purchase volume and the number of transactions conducted yearly. These transaction numbers determine how much proof must be provided to demonstrate compliance.
Maintaining PCI compliance helps improve customer loyalty and purchasing confidence by helping merchants stay ahead of threats and preventing data breaches—thereby minimizing potential risks, including bad press, lawsuits, fines and insurance claims. It’s also important to note that merchants must meet all PCI-DSS requirements to be compliant.
What unique challenges do restaurants face when establishing and maintaining PCI Compliance? They include:
  • Franchises: A breached system within one franchise could impact all franchises. It is in the best interest of both the franchisor and all of the franchisees to make sure that every related payment system is in compliance with PCI.
  • Shared access to POS systems: This is a practice that, while common, can increase the restaurant’s liability in the event of a breach, as it reduces the restaurant’s ability to pinpoint the liable party. Creating individual logins for all POS systems allows merchants to quickly and easily see who had access to the system at the time of a breach.
  • Misconfigured public Wi-Fi access points: Public Wi-Fi presents additional risk, because it offers another potential avenue for attackers to reach POS systems. Merchants can mitigate this risk by placing the POS systems on a separate wired network.
  • Unauthorized devices or card skimmers: Because restaurant POS systems are often located in areas hidden from public view, an individual could attach a rogue device such as a card skimmer and compromise the POS system without the merchant’s knowledge. Restaurants should enlist a trusted employee to routinely and manually inspect their POS terminals for signs of tampering or suspicious activity.
In light of these unique challenges, there are a number of steps that restaurants can take to ensure compliance, including:
  • Build and maintain a secure network and system: Install and maintain a proper firewall configuration, use secure passwords for internal systems and implement other security parameters.
  • Protect cardholder data: Protect data stored internally and encrypt any transmission of cardholder data across open, public networks.
  • Maintain a vulnerability management program: Protect all systems against malware, regularly update anti-virus software and develop and maintain secure systems and applications.
  • Implement strong access control measures: Restrict access to stored cardholder data to a need-to-know basis. Identify and authenticate access to all system components and restrict physical access to cardholder data.
  • Regularly monitor and test networks: Monitor all access to network resources and cardholder data and regularly test security systems.
  • Maintain an up-to-date and thorough information security policy: Maintain a policy that addresses IT security for all personal information and points of access.
If you missed the webinar, click here to access the recording.