From the day stripe cards were introduced to the public, both restaurateurs and their diners have enjoyed the convenience of accepting and using credit and debit cards. However, given the skyrocketing cost and frequency of credit card fraud, the established card brands - Visa, MasterCard, American Express, Discover and JCB - have taken steps to safeguard all stakeholders.

IBM created the magnetic stripe on credit cards in 1968, and it became the industry standard. Because the track data on the mag stripe is easy to read and duplicate, the card brands, through the set of standards built by the Payment Card Industry Security Standards Council, stated the first directive clearly: 'Don't store track data.'

The Standards of the Payment Card Industry (PCI)

The PCI Security Standards Council took a three-pronged approach to protecting consumers, banks and merchants/restaurateurs:

* Payment Card Industry Data Security Standard (PCI DSS) - covers all entities that store, process, or transmit cardholder data: merchants, restaurateurs, service providers, processors, etc.
  Deadline for Compliance: January 2007 (this deadline has long passed)
  It Means - Restaurant owners, regardless of the size of their establishment, must complete and submit a PCI Self-Assessment Questionnaire to their acquiring bank annually.

* Payment Application Data Security Standard (PA-DSS) - covers all applications used to store, process, or transmit cardholder data as part of authorization or settlement (Point-of-Sale (POS) application developers).
  Deadlines for Compliance:
  Oct. 1, 2008 - Only software that complies with the new payment application security standards may be used by agents, merchants and payment processors.
  Oct. 1, 2009 - Merchants will be required to retire any noncompliant payment applications still in their environments.
  July 1, 2010 - Mandatory use of only payment applications that comply with the new standards.
  It Means - If, after the deadline, a merchant or restaurateur is not running a PA-DSS-validated application, they automatically fail their PCI assessment and could lose their ability to accept credit cards.

* PIN Entry Devices (PED) Standard - covers all PEDs and is aimed at ensuring that the cardholder's personal identification number (PIN), along with other sensitive information such as resident keys, is protected consistently at the PIN acceptance device.
  Deadline for Compliance:
  Jan. 1, 2004 - All newly purchased Point-of-Sale (POS) PIN Entry Devices must have passed testing by a Visa-recognized laboratory and been approved by Visa.
  July 1, 2010 - All deployed Point-of-Sale (POS) PIN Entry Devices must have passed testing by a PCI-recognized laboratory and been approved by the PCI SSC.
  This Means - All merchants/restaurant owners will have two years to replace older, unapproved PIN Entry Devices.

The Do's With Payment Card Industry (PCI)

* Make sure you have routine vulnerability scanning of your Point of Sale (POS) systems.
* Do security awareness training for all of your staff.
* Perform system access audits.
* Monitor your system activity logs.
* Remove access privileges for separated employees.
* Install software patches.
* Take any threat seriously - have an incident response plan in place.

The Don'ts With Payment Card Industry (PCI)

* Whole credit card numbers must not be stored or archived.
* Credit card information must not be transmitted unencrypted.
* PCI is not simply about proving you are compliant with the standards - it is about protecting your customers and your business.

What Restaurateurs Get From PCI

Given consumers' expectation that credit and debit cards are accepted everywhere, a restaurant owner's validation that they are protecting their customers' personal information is good for business:

Reputation / Image
In a competitive business, a restaurant owner does not want to be named in the media as the place where card data was breached.

Protects Your Credit / Debit Card Payment Acceptance Ability
Non-compliance with the rules and/or a breach can endanger a restaurateur's ability to accept credit/debit payments. In many cases, credit/debit payments account for 80% to 90% of transactions. Losing the ability to accept credit/debit cards means fewer customers.

Impact of State Privacy Laws
A restaurateur whose failure to meet their obligations discloses an individual's credit card information in one of the 40+ states with privacy laws may suffer a double impact. Being off-side with the Payment Card Industry can result in fines and litigation costs. Being off-side with state privacy laws is a felony with possibly more serious consequences.

Compliance / Security Strategy

* Ensure your restaurant or store uses only PA-DSS or PABP validated POS systems
* Ensure that you use approved PEDs
* Have regular security awareness training for your staff, especially for your supervisors
* Have background checks on anyone that has administrative access to your system
* Have your staff sign a 'Confidentiality Agreement'
* When it comes to your PCI Self-Assessment Questionnaire (SAQ), complete the form carefully and accurately, and when you are not sure of your answers, just ask
* If gaps in PCI compliance are identified, develop a realistic plan to rectify them
* Maintain mature controls to sustain compliance:
  * Access controls
  * Dual factor for system and device management
  * Strong passwords and secure password storage
  * Monitoring to detect attack and record evidence
  * Controlling your wireless access points
  * Maintaining secure configuration
  * Segmenting networks
* Have an Incident Response Plan and test it to make sure that it is always ready for action
* Test and audit the cardholder environment

This can be a discouraging task on your first try, but once everything else is in place, PCI compliance is not expensive work. It is good business practice to protect the sensitive information of your customers.
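The two storage Don'ts above ('Don't store track data' and 'whole credit card numbers must not be stored') can be checked mechanically. The following is an added example, not code from the original article or from the PCI SSC: it scans a stored POS record for magnetic-stripe track data and bare full PANs, removes the track data, and truncates any PAN to the first-six/last-four form. The record format and the sample lines are constructed for the example; the test card number 4111111111111111 is a well-known Luhn-valid dummy.

```python
import re

# Magnetic-stripe track data as laid out in ISO/IEC 7813: Track 1 starts with
# '%B', then PAN '^' name '^' and the rest up to the '?' end sentinel;
# Track 2 starts with ';', then PAN '=' and the rest up to '?'.
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^?]{2,26}\^[^?]*\?")
TRACK2_RE = re.compile(r";\d{13,19}=[^?]*\?")
# A bare 13-19 digit PAN, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that a digit string is a plausible card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_record(text: str) -> dict:
    """Check one stored record for track data and bare full PANs; return the
    violations found plus a redacted copy that is safe to keep on disk."""
    findings = {"track_data": False, "full_pan": False}
    redacted = text
    for rx in (TRACK1_RE, TRACK2_RE):
        for m in rx.finditer(text):
            findings["track_data"] = True
            redacted = redacted.replace(m.group(0), "[TRACK DATA REMOVED]")
    for m in PAN_RE.finditer(redacted):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):  # skip numbers that merely look like a PAN
            findings["full_pan"] = True
            redacted = redacted.replace(m.group(0), mask_pan(digits))
    findings["redacted"] = redacted
    return findings

# Constructed sample lines, as a mis-configured POS might write them to a log.
SAMPLE_RECORDS = [
    "2009-03-02 19:42:11 AUTH ok amount=48.20 pan=4111111111111111",
    "2009-03-02 19:45:03 SWIPE %B4111111111111111^DOE/JOHN^2512101?"
    ";4111111111111111=2512101?",
    "2009-03-02 19:50:27 AUTH ok amount=12.00 pan=411111******1111",
]
```

Running scan_record over each line flags the first as a stored full PAN, the second as stored track data, and leaves the already-truncated third line untouched.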