
Credit Card Security and PCI Compliance - Frequently Asked Questions


Jennifer Wiebe


Why is PCI compliance important?

Hackers are specifically targeting restaurant operators. A recent study by global payment security consultant Trustwave showed that nine out of 10 cardholder data compromise incidents were aimed at small merchants, 52% of them in foodservice. More than twice as many attacks targeted card-present transactions at the point of sale as targeted online transactions. A breach can be devastating to a restaurant, leaving the operator or franchisor financially liable and forced to rebuild a damaged reputation.

Trying to understand the risk? These articles are a good place to start:

Restaurants and Credit Cards – A Dangerous Combination (RestaurantPartners.com)

Pasta, Meatballs and Credit Card Theft (ABC News)

The PCI standards have been established to help you safeguard your customers’ cardholder data – and protect your business.


What is PCI Compliance?

To address the threats to credit card information, the PCI Security Standards Council was formed in September 2006. The Council has developed two primary standards that concern you:

PCI-DSS

The Payment Card Industry Data Security Standard outlines the requirements for all merchants that store, process, or transmit cardholder data.

If you process credit cards in your restaurants, you are responsible for complying with this standard.

PA-DSS

The PA-DSS replaced the Visa Payment Application Best Practices, or PABP, on October 1, 2008.

The Payment Application Data Security Standard covers all software applications used to store, process, or transmit cardholder data as part of authorization or settlement.

As a POS vendor with integrated credit card solutions, SpeedLine is responsible for compliance with the PA-DSS.


Do I need to use a PABP/PA-DSS compliant point of sale system?

Yes. Effective October 2008, banks and credit card processors may no longer board (sign up) merchants that use software that cannot be validated as PA-DSS/PABP compliant. If your POS system is non-compliant, your bank or credit card processor may refuse to allow your business to accept credit cards.


So if I use SpeedLine, does it mean my restaurant is PCI compliant? 

Using PABP/PA-DSS validated point of sale software such as SpeedLine 6 is one of the most important steps. But protecting your customers’ credit card information involves more than just the POS you use: the standard also covers, for example, how your store network is segmented and firewalled, whether vendor default passwords have been changed, and how remote access to the POS is controlled. It is your responsibility as a merchant to ensure that your business meets all the requirements of the data security standard.


What if I choose not to comply?

Fully complying with the PCI-DSS standard takes time, effort, and a substantial financial investment, and some companies have opted not to make that investment. But the cost of a data breach could be substantially higher. Aside from the penalties and liability associated with a breach, the effect on your brand could be devastating: not surprisingly, sixty percent of consumers in a recent poll said they would never return to a business where their credit card information was stolen. And as the industry tightens its enforcement of the standard, you may also lose the privilege of accepting credit cards at all.


What do I need to do at my restaurants to gain PCI compliance?

The PCI-DSS standard contains 12 requirements that a merchant must meet. Find out more at: https://www.pcisecuritystandards.org or http://www.pcicomplianceguide.org/aboutpcicompliance.html.

You can also learn more from these articles:

PCI Primer for Restaurateurs

10 Common PCI Myths

With the release of SpeedLine 6, SpeedLine will also publish a PABP Implementation Guide. This guide outlines the steps required to install and maintain SpeedLine in a compliant manner. SpeedLine customers may download this guide from our secure SpeedLine InSite customer portal, or request a copy by emailing support@speedlinesolutions.com.

Also keep in mind that PCI compliance is an ongoing process. You cannot be certified compliant indefinitely. Any change you make to your restaurant networks and POS configuration (a new remote access tool, a reconfigured firewall, a POS upgrade) may affect your compliance. And, of course, the requirements of the PCI-DSS standard may also change in response to new technologies and new ways of stealing cardholder data.