From the day magnetic stripe cards were introduced to the public, both restaurant owners and their customers have enjoyed the convenience of accepting and using credit and debit cards. However, given the sky-high cost and frequency of credit card fraud, the established card brands (Visa, MasterCard, American Express, Discover and JCB) have taken preventive measures to safeguard their stakeholders.

It was in 1968 that IBM created the magnetic stripe on credit cards, and it became the industry standard. Because the track data on the magnetic stripe can easily be read and duplicated, the card brands, through the Payment Card Industry (PCI) Security Standards Council, built a set of standards to protect cardholder data, and it begins with the directive: 'Don't store track data.'

PCI Standards

The PCI Security Standards Council took a three-pronged approach to protecting consumers, banks and merchants/restaurateurs:

* PCI DSS (Payment Card Industry Data Security Standard) – covers all entities that store, process, or transmit cardholder data: merchants, restaurateurs, service providers, processors, etc.
Compliance Deadline: January 2007 (the deadline is long past)
What it Means – Restaurant owners, regardless of their establishment's size, must complete and submit a PCI Self-Assessment Questionnaire to their acquiring bank every year.

* PA-DSS (Payment Application Data Security Standard) – covers all applications used to store, process, or transmit cardholder data as part of authorization or settlement (Point-of-Sale (POS) application developers).
Deadlines for Compliance:
Oct. 1, 2008 – Payment processors, agents and merchants must use software that is compliant with the new payment application security standards.
Oct. 1, 2009 – Merchants will be required to terminate any noncompliant payment applications still in use in their environments.
July 1, 2010 – Mandates the use of only those payment applications that support the new standards.
What this Means – After these deadlines, merchants/restaurateurs that are still using a non-PA-DSS-validated application automatically fail the PCI assessment and could lose their ability to accept credit cards.

* PIN Entry Devices (PED) Standard – covers all PEDs and is aimed at ensuring that the cardholder's PIN and any other sensitive information, such as the keys resident in the device, are protected consistently at a PIN acceptance device.
Deadline for Compliance:
Jan. 1, 2004 – All newly purchased Point-of-Sale (POS) PIN Entry Devices must have passed testing by a Visa-recognized laboratory and been approved by Visa.
July 1, 2010 – Mandates that every Point-of-Sale (POS) PED must have passed testing by a PCI-recognized laboratory and been approved by the PCI SSC.
What this Means – All merchants/restaurant owners get two years to replace their old and unapproved PIN Entry Devices.

PCI Do's

1. Do routine vulnerability scans of your systems.
2. Do security awareness training for all of your staff.
3. Audit system access.
4. Monitor system activity logs.
5. Remove access privileges for separated employees.
6. Install software patches.
7. Take any threat seriously; devise an incident response plan.

PCI Don'ts

1. Do not store or archive whole credit card numbers.
2. Do not transmit credit card information unencrypted.
3. With PCI, it's not just about making you compliant with the standards – it's about keeping you and your customers protected.

PCI's Effect on Restaurateurs

Given consumers' expectation that credit cards are universally accepted, validation that merchants/restaurateurs are protecting their customers' personal data is good for business:

Business Reputation / Image
In a highly competitive business, a restaurant owner does not want to be named in the media as the place where card data was stolen.

Protects Ability to Accept Credit / Debit Card Payments
Non-compliance and/or a breach can jeopardize a merchant's/restaurateur's ability to accept credit/debit payments. In some cases 80% to 90% of transactions are credit/debit payments. Losing your store's ability to accept credit/debit cards means fewer customers and therefore reduced sales.

Impact of State Privacy Laws
A failure to meet one's obligations that discloses personal credit card information in any of the 40+ states with privacy laws may have a double impact on a restaurateur. Being off-side with PCI might result in fines and lawsuit costs. Being off-side with state privacy laws is a crime punishable by confinement, with potentially more serious penalties.

Compliance / Security Strategy
- Make sure your restaurant or store uses PA-DSS or PABP validated POS systems
- Ensure you are using an approved PED
- Arrange regular security awareness training for your employees, especially supervisors
- Do background checks on any employee with administrative access to your system
- Have your staff sign a 'Confidentiality Agreement'
- When it comes to your PCI Self-Assessment Questionnaire (SAQ), complete the form carefully and accurately, and when you're not sure of an answer, just ask
- If gaps in PCI compliance are identified, develop a realistic plan to remediate them
- Be mature in sustaining compliance
- Access controls
- Dual-factor authentication for system and device management
- Use strong passwords and store them securely
- Regularly monitor system activities for possible attacks and preserve the evidence
- Control your wireless access points
- Maintain secure configurations
- Segment networks
- Have an Incident Response Plan and test it to make sure it's always ready when needed
- Test and audit the cardholder environment carefully

It may be a difficult task the first time, but once all of the above are in place, PCI compliance is not an expensive undertaking. It is good business practice to protect the sensitive information of your customers.
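The 'Don't store track data' directive and the first PCI Don't (no whole card numbers stored or archived) are enforced at the point where a POS application writes records or logs. The following is an added example, not code from the original page: it parses a magnetic stripe Track 2 string, keeps only a masked PAN and expiry, and scrubs Luhn-valid card numbers or raw track data out of log lines before they are written. The sample track string and log line are constructed; 4111111111111111 is a standard test card number.

```python
import re

# Track 2 layout: ';' start sentinel, PAN (up to 19 digits), '=' separator,
# YYMM expiry, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Candidate PAN in free text: 13-19 digits, possibly split by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that separates real card numbers from other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (the PCI DSS display rule)."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def record_for_storage(track2: str) -> dict:
    """Keep only what may be retained from a swipe: masked PAN and expiry.
    The full PAN, service code and discretionary data (where the CVV lives) are dropped."""
    m = TRACK2_RE.fullmatch(track2.strip())
    if not m or not luhn_ok(m.group(1)):
        raise ValueError("not a valid Track 2 string")
    pan, expiry = m.group(1), m.group(2)
    return {"masked_pan": mask_pan(pan), "expiry_yymm": expiry}


def scrub_log_line(line: str) -> str:
    """Remove track data and mask any Luhn-valid PAN before a line is logged."""
    line = TRACK2_RE.sub("[TRACK DATA REMOVED]", line)

    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)  # leave order numbers etc. alone

    return PAN_RE.sub(_mask, line)


# Constructed samples: 4111111111111111 is a standard test card number, not a real card.
SAMPLE_TRACK2 = ";4111111111111111=25121010000000000000?"
SAMPLE_LOG = "sale ok card=4111 1111 1111 1111 order=20240911123456 total=42.10"
```

The 14-digit order number in the sample log is left untouched because it fails the Luhn check, which is what keeps a PAN scrubber from mangling unrelated identifiers.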