How to Become PCI Compliant for a Restaurant

PCI stands for Payment Card Industry. The PCI standards set security requirements for restaurants and other businesses that process credit or debit card information. QSR Magazine reports that while PCI compliance can be difficult to implement at first, it spares restaurant owners from the legal action that follows compromised credit cards.

Instructions

1. Implement a secure network. This first step in PCI compliance requires all equipment that handles credit card transactions to be secure. The first requirement is the installation of a firewall to protect sensitive data. Passwords for all systems must be changed from the vendor defaults.

2. Protect card data such as card numbers, CVV2 codes and cardholder names. You cannot store CVV, CVV2 or magnetic stripe data, and you must ensure that cardholder data is rendered unreadable wherever it is stored. Any cardholder data sent across an open network must be encrypted. PCI recommends the AES-256 encryption method, which is used by the federal government.

3. Add anti-virus programs to the systems that process cardholder data, and keep those programs maintained. Internally developed programs may be used as long as they are tested before widespread deployment.

   QSR reports that hackers are especially targeting restaurants with malware attacks. A company called Secure Connect can help your restaurant maintain its anti-virus software, as most restaurants do not have their own technical departments to handle maintenance and monitoring.

4. Restrict access to cardholder data to reduce breaches from internal sources. A recommended system feature is a "deny all" setting that stops unauthorized employees from viewing cardholder data. This requirement puts credit card information on a need-to-know basis. Each person who is granted access to credit card information needs his own user ID.

   Restaurants are at particular risk of a data breach because of the number of individuals handling cards and card systems. In addition to management staff, the wait staff and other front-of-house employees handle credit and debit cards every day. It is important to ensure that access to the data is strictly controlled.

5. Monitor and test the network for security holes. Track user activity and review logs to ensure that no unauthorized access has occurred. Test all security measures, such as anti-virus software and firewalls. Restaurants with 10,000 or more annual transactions are required to test four times a year, and most restaurants need to be tested by an approved scanning vendor (ASV). ASVs are third-party companies that test the restaurant's network.

6. Write a compliance report and submit it to a qualified security assessor (QSA). If all measures are in order, the QSA will submit the report to PCI for consideration.
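Steps 2 and 5 above translate into two concrete controls at the point-of-sale software: never persist CVV2 or track data and mask the card number before storage, and check that full card numbers are not being written into POS logs where anyone with log access could read them. The following is an added example written for this article, not code from any PCI document or POS vendor; the field names, log format and card numbers are constructed (the card numbers are public test numbers, not real accounts).

```python
import re

SENSITIVE_FIELDS = {"cvv", "cvv2", "track1", "track2", "pin"}  # never stored after authorization
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")    # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell a real card number from a random run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render a card number unreadable by keeping only the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a valid card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Drop sensitive authentication data and mask the card number before a record is persisted."""
    out = {}
    for key, value in record.items():
        if key.lower() in SENSITIVE_FIELDS:
            continue  # CVV2, track data and PINs may not be stored at all, even encrypted
        out[key] = mask_pan(value) if key.lower() == "pan" else value
    return out


def find_pan_leaks(log_lines):
    """Return (line_no, masked_number) for every Luhn-valid, unmasked card number in a log."""
    leaks = []
    for no, line in enumerate(log_lines, 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                leaks.append((no, mask_pan(digits)))
    return leaks


SAMPLE_LOG = [  # constructed POS log lines; card numbers are public test numbers
    "2024-05-01 19:02:11 term=03 auth ok pan=411111******1111 amt=42.50",
    "2024-05-01 19:05:37 term=01 DEBUG raw request pan=4111 1111 1111 1111 cvv2=123",
    "2024-05-01 19:06:02 term=02 order=000123 table=7 amt=18.00",
    "2024-05-01 19:07:45 term=01 auth ok pan=5555555555554444 amt=9.99",
]
```

Running `find_pan_leaks(SAMPLE_LOG)` flags lines 2 and 4, the debug line that also logged a CVV2 and the line that wrote a full card number; line 1 is already masked and line 3 contains only an order number.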
