What is PCI and why should you care?
The Payment Card Industry Security Standards Council (PCI
SSC) facilitates the broad adoption of the PCI security standards in
an effort to enhance payment account data security. This council was
organized and founded by American Express, Discover Financial
Services, JCB International, MasterCard Worldwide, and Visa, Inc.
Restaurant businesses are responsible for handling sensitive payment
card data according to the PCI DSS standards. In the event of a data security
breach, you could experience any or all of the following, depending on the circumstances and whether you have taken
the necessary steps to comply with PCI:
- Heavy financial damages due to fines that range from $50,000 to $500,000.
- A loss of reputation and, therefore, a decline in the number of guests visiting your restaurant.
- A temporary or permanent loss of your ability to accept credit cards as a form of payment at your restaurant.
Failure to comply with the PCI DSS standards could be very
costly, and possibly even result in the loss of your business.
How can you protect your business?
- Use a POS system that has been validated against the Payment Application Data Security Standard (PA-DSS), formerly supervised by Visa and known as Payment Application Best Practices (PABP). The PA-DSS assists software vendors in developing payment applications that do not store sensitive cardholder data, thus ensuring their products are validated against the PCI DSS. Menusoft Systems, the developer of Digital Dining, is pleased to say that our current version is already listed as a vendor whose payment application has been validated. This list is available at www.pcisecuritystandards.org/security_standards/pa_dss.shtml and also shows past versions of Digital Dining that are compliant. Go to the web link listed above and verify that you are on the current version or a certified version.
- The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture and other critical protective measures beyond software design (the part against which Digital Dining is audited and certified). This comprehensive standard is intended to help restaurants proactively protect customer account data.
The PCI Security Standards Council will enhance the PCI DSS
as needed to ensure that the standard includes any new or modified
requirements necessary to mitigate emerging payment security risks,
while continuing to foster wide-scale adoption.
The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data.
- Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software.
- Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know.
- Requirement 8: Assign a unique ID to each person with computer access.
- Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data.
- Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security.
More information about PCI DSS is available at http://www.pcisecuritystandards.org/.
We strongly recommend that you:
- Obtain the PCI DSS Outline located here on our website and use it as a starting point for configuring your restaurant for maximum security.
- Take advantage of the ever-improving security features by upgrading to the latest version of Digital Dining available.
- Undergo an onsite data security assessment by a Qualified Security Assessor (QSA), or complete a Self Assessment Questionnaire (SAQ), available at https://www.pcisecuritystandards.org/saq/index.shtml, to identify any vulnerability within your system. The PCI DSS requires merchants to do this on an annual basis to assist with PCI DSS compliance. There are four versions of this questionnaire, each specific to a particular business scenario. The council provides instructions to guide you through selecting the SAQ that best applies to your organization, and frequently asked questions to help you better understand the purpose of the council and the PCI DSS. The SAQ, and all other materials.
- Undergo a network scan through a PCI DSS Approved Scanning Vendor (ASV). This is required on a quarterly basis to ensure network security. More information is available at www.pcicomplianceguide.org/pcicompliance-vendors.html.