- How common is credit card data theft?
- What happens when there is a credit card breach?
- What is PCI Compliance?
- What do merchants have to do to demonstrate PCI compliance?
- What if I choose not to comply with PCI standards?
- What are the penalties for contravening the PCI standards?
- Do I need to use a PA-DSS compliant point of sale system?
- How do I know if my POS is PA-DSS-validated?
- What is SpeedLine’s approach to PCI compliance?
- So if I use SpeedLine, does it mean my restaurant is PCI compliant?
- Is SpeedLine Solutions, Inc. required to take steps to ensure that its customers are PCI DSS compliant?
- How do I find out about security updates available for SpeedLine software?
- Where can I get help with assessing my level of PCI DSS compliance and fixing any gaps?
Q1. How common is credit card data theft?
Did you know that more cases of credit card fraud occur in restaurants than anywhere else?
According to payment card industry statistics, it is safer to use a credit card on the Internet than at a restaurant or bar. Skimming, tip fraud, and hacking are real dangers for restaurant operators.
A recent study by global payment card security consultant Trustwave showed that nine out 10 cardholder data compromise incidents were aimed at small merchants—52% of them in food service. More than twice as many attacks targeted card-present transactions at the point of sale than online transactions.
The National Restaurant Association states that, typically, restaurants that run the highest risk of a breach use unsecured Internet-accessible networks, like DSL, cable modem, or wireless technology. They also use non-compliant POS software that stores credit card data improperly.
Q2. What happens when there is a credit card breach?
In a recent PCI brochure, the National Restaurant Association outlined a typical breach scenario:
- The fraud department of the credit card company that suspects a breach will contact the restaurant owner to discuss the irregular credit card transactions.
- The store will be submitted to an internal credit card security audit, which cost from $8,000 to $15,000. The restaurant owner has to select a pre-approved forensic audit firm from a list provided.
- With little or no notice, the restaurant’s card processing company may begin withholding funds to pay for the projected fines and penalties.
- After the forensic audit is completed, the owner, auditor, and credit card company representative(s) will hold a conference call to review the findings and outline what steps the restaurant must take to remedy the credit card breach. Failure to comply with remediation steps results in additional fines and the loss of credit card processing privileges.
- The restaurant must pay all fines, penalties, and assessments that arose as a result of the breach.
Q3. What is PCI Compliance?
In order to address the threats to credit card information, the PCI Security Standards Council was formed in September, 2006. The PCI Security Standards Council has developed two primary standards that concern you:
The Payment Card Industry Data Security Standard (PCI DSS) outlines the requirements for all merchants that store, process, or transmit cardholder data. If you process credit cards in your restaurants, you are responsible to comply with this standard.
The Payment Application Data Security Standard (PA-DSS) assists software vendors in creating secure payment applications. It covers covers all software applications used to store, process, or transmit cardholder data as part of authorization or settlement. Secure applications help Merchants mitigate compromises, prevent storage of sensitive cardholder data, and support overall compliance with the PCI Data Security Standard (PCI-DSS). As a POS vendor with integrated credit card processing solutions, SpeedLine is responsible to comply with this standard.
SpeedLine first validated its software in 2008 against the standard in effect at that time, the Visa Payment Application Best Practices (PABP) standard.
On October 1, 2008, the PCI Council introduced PA-DSS, a new standard built on PABP concepts. SpeedLine first received PA-DSS validation on Sep. 15, 2009, and has continued to certify new software releases against the current standard as required.
Q4. What do merchants have to do to demonstrate PCI compliance?
As a credit card-processing merchant, you are required to complete an annual self-assessment questionnaire and quarterly network security scans through a PCI-approved scan vendor to demonstrate compliance.
Keys to PCI compliance include the proper network security, careful handling of customer cardholder data, and the use of only PA-DSS-validated POS and payment processing systems.
The PCI-DSS standard contains 12 steps to compliance.
For the details, find out more at: https://www.pcisecuritystandards.org or http://www.pcicomplianceguide.org/aboutpcicompliance.html.
Q5. What if I choose not to comply with PCI standards?
Aside from the penalties and liability associated with a credit card breach, the effect on your brand could be devastating:
Not surprisingly, sixty percent of consumers in a recent poll said that they would never return to a business where their credit card information was stolen. And as the payment card industry continues to tighten its enforcement of the standard, you may also lose the privilege of accepting credit cards at all.
Q6. What are the penalties for contravening the PCI standards?
Card data theft is costly. If your restaurant location is determined to be a common point of purchase for stolen card data, the card associations order a forensic audit. This can cost you in the neighborhood of $15,000. Then, depending on the number of cards affected, and whether you have taken the necessary steps toward PCI compliance, the card association(s) assess fines that can range from $50,000 and up.
Moreover, 44 states to date have enacted privacy laws that require you to report any suspected breach to the FBI and personally notify every potentially affected cardholder. The cost of notification averages $30 to $50 per customer.
In addition, following a breach, your restaurant is automatically re-classified as a Level 1 Merchant, subjecting you to the same rigorous audit requirements (and costs) as the largest retail companies in the country. Expect to pay $25,000 to $35,000 per year for a mandatory on-site audit.
The Ponemon Institute, a research firm dedicated to privacy, data protection and information security, estimates that a breach costs between $90 and $305 per record. Many factors enter into such an estimate: in addition to the direct costs incurred in legal fees, security audits, fines, and penalties, there are also less tangible losses, such as brand damage, lost customers, and time spent dealing with the credit card breach.
A feature article on RestaurantPartner.com, “Restaurants and Credit Cards – A Dangerous Combination,” related this example from a single Atlanta Bread Co. restaurant in Kansas City:
“When a hacker compromised their credit card processing system it tallied up a bill of over $25,000 and counting. They were threatened with fines up to $1 million and had $16,000 pulled from their bank account without notice. This prohibited them from buying food for a period of time and then had to spend $7000 upgrading their POS system. Luckily, they were able to weather the storm and stay afloat. Unfortunately, many restaurants maintain a very tight cash flow and such a blow could easily put them out of business.”
Q7. Do I need to use a PA-DSS compliant point of sale system?
If you accept credit cards and payments are processed through the POS, the answer is yes.
As of July 2010, merchants (including restaurant operators) are required to use only PCI PA-DSS validated point of sale and payment applications.
Financial institutions enforce the requirement for an annual PCI security self-assessment and quarterly network scans, and can levy fines for non-compliance. If your POS system is non-compliant, you will automatically fail your PCI assessment, and could lose the ability to accept credit cards.
Q8. How do I know if my POS is PA-DSS-validated?
You can find the list of PA-DSS validated point of sale providers here:
Q9. What is SpeedLine’s approach to PCI compliance?
A credit card data breach can be devastating to a restaurant, leaving the operator or franchisor financially liable and forced to rebuild a damaged reputation. That’s why we made the decision to submit the entire SpeedLine product to a rigorous credit card security audit.
And this is critical:
Some POS companies have chosen not to make the sizable investment required to earn PA-DSS validation. Others have taken a short-term approach, submitting only the payment processing components of their software for validation.
At SpeedLine, we chose instead to give our customers the assurance of PCI compliance by validating the entire SpeedLine POS product line. This involved an intensive third-party audit of all of our products, peripheral applications, and all company processes relating to product development, training, and data security.
The SpeedLine software has been secured and verified top to bottom. Safeguards are in place at multiple levels to prevent unauthorized access to confidential credit card data, and training and documentation is available to help you install SpeedLine securely as a key component of a PCI-compliant restaurant operation.
SpeedLine has also published a PA-DSS Implementation Guide that outlines the steps required to install and maintain SpeedLine in a compliant manner. SpeedLine customers may download this guide from our secure Customer Support portal, or request a copy by emailing firstname.lastname@example.org.
Q10. So if I use SpeedLine, does it mean my restaurant is PCI compliant?
Using PA-DSS validated point of sale software such as SpeedLine is one of the most important steps. But protecting your customers’ credit card information involves more than just the POS you use. It is your responsibility as a merchant to ensure that your business meets all the requirements of the data security standard.
Q11. Is SpeedLine Solutions, Inc. required to take steps to ensure that its customers are PCI DSS compliant?
No, it it the sole responsibility of merchants to ensure they are PCI DSS compliant. However, SpeedLine issues a PA-DSS Implementation Guide with each version of its software to explain the basics of the PCI program, and to help customers use SpeedLine POS software in a PCI DSS compliant manner.
SpeedLine also provides educational materials to its direct customers to inform them of the importance of PCI DSS compliance, and regularly posts communications advising customers of software upgrades required to maintain PCI compliance.
Q12. How do I find out about security updates available for SpeedLine software?
SpeedLine regularly posts support advisories advising customers of software upgrades required to maintain PCI compliance.
Q13. Where can I get help with assessing my level of PCI DSS compliance and fixing any gaps?
The PCI DSS self-assessment questionnaires can help you determine if your business meets PCI DSS standards.
To help you navigate the technical aspects of PCI DSS compliance, you may also want to enlist the services of a Qualified Security Assessor (QSA). A QSA is a data security firm that has been trained and is certified by the PCI Security Standards Council to perform on-site security assessments for verification of compliance with PCI DSS. The QSA will:
- Verify all technical information given by merchant or service provider
- Use independent judgment to confirm the standard has been met
- Provide support and guidance during the compliance process
- Be onsite for the validation of the assessment or duration as required
- Review the work product that supports the PCI DSS Requirements and Security Assessment Procedures
- Ensure adherence to the PCI DSS Security Assessment Procedures
- Validate the scope of the assessment
- Select systems and system components where sampling is employed
- Evaluate compensating controls
- Produce the final report
The PCI DSS self assessment questionnaire and a list of Qualified Security Assessors can be found on the PCI website: https://www.pcisecuritystandards.org.