What is PCI and why should you care?
The Payment Card Industry Security Standards Council (PCI SSC) facilitates the broad adoption of
the PCI security standards in an effort to enhance payment account data security. This council was organized and founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. Restaurant businesses are responsible for handling sensitive payment card data according to the PCI DSS standards. In the event of a data security breach, you could experience any or all of the following, depending on the circumstances and whether you have taken the necessary steps to comply with PCI:
- Heavy financial damages due to fines that range from $50,000 to $500,000.
- A loss of reputation and, therefore, a decline in the number of guests visiting your restaurant.
- A temporary or permanent loss of your ability to accept credit cards as a form of payment at your restaurant.
Failure to comply with the PCI DSS standards could be very costly, and possibly even result in the loss of your business.
How can you protect your business?
- Use a POS system that has been validated against the Payment Application Data Security Standards (PADSS), formerly supervised by Visa and known as Payment Application Best Practices (PABP). The PA DSS assists software vendors in developing payment applications that do not store sensitive cardholder data, thus ensuring their products are validated against the PCI DSS. Menusoft Systems, the developer of Digital Dining, is pleased to say that our current version is already listed as a vendor whose payment application has been validated. This list is available at www.pcisecuritystandards.org/security_standards/pa_dss.shtml and shows past versions of Digital Dining that are compliant as well. Make sure by going to the web link listed above and verifying that you are on the current version or a certified version.
- The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture and other critical protective measures other than software design (the part that Digital Dining gets audited and certified). This comprehensive standard is intended to help restaurants proactively protect customer account data.
The PCI Security Standards Council will enhance the PCI DSS as needed to ensure that the standard includes any new or modified requirements necessary to mitigate emerging payment security risks, while continuing to foster wide-scale adoption.
The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security.
More information about PCI DSS is available at http://www.pcisecuritystandards.org/.
We strongly recommend that you:
- Obtain the PCI DSS Outline located here on our website and use it as a starting point for configuring your restaurant for maximum security.
- We also recommend you take advantage of the ever improving security features by upgrading to the latest version of Digital Dining available.
- Undergo an onsite data security assessment by a Qualified Security Assessor (QSA) or complete a Self Assessment available at: https://www.pcisecuritystandards.org/saq/index.shtml. Questionnaire (SAQ), to identify any vulnerability within your system. The PCI DSS requires merchants to do this on an annual basis, to assist you with PCI DSS compliance. There are four versions of this questionnaire, each version specific to a particular business scenario. The council provides instructions to guide you through selecting the SAQ that best applies to your organization, and frequently asked questions, to help you better understand the purpose of the council, and the PCI DSS. The SAQ, and all other materials.
- Undergo a network scan through a PCI DSS Approved Scanning Vendor (ASV). This is required on a quarterly basis, to ensure network security. More information is available at www.pcicomplianceguide.org/pcicompliance-vendors.html.