How does your restaurant protect its guests’ credit card information? Do your customers feel that their personal information is safe?
If you have to think hard about it, chances are you aren’t taking the correct measures. The safety and security of your customers’ card information and data should always be top of mind.
Businesses that accept credit or debit card transactions need to be PCI compliant. This is to ensure the protection of your restaurant and customers.
What is PCI Compliance?
PCI or PCI-DSS stands for the Payment Card Industry Data Security Standard. It is a complex set of rules that restaurant owners must abide by. PCI compliance protects all businesses that process credit card information.
The PCI Security Standards Council is a global organization that created these requirements. These standards help businesses understand and put in place a framework of security policies to create secure payment solutions. They also help protect against data breaches and theft of cardholder data.
When companies have achieved compliance, they can prove a certain level of assurance. These standards provide businesses with guidelines that help protect cardholder data. Under PCI compliance, restaurant owners can safely process and send customer card data.
According to TCDI, these are the 12 PCI compliance requirements:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software on all systems commonly affected by malware
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
These standards reduce the risk of getting sensitive financial information stolen. PCI compliance is industry standard and your restaurant must have it.
Why is it important?
From the moment a server accepts a card, swipes it, and gets it signed, the restaurant is responsible. Whether you operate an SMB or Enterprise business, you need to be PCI compliant. It gives customers confidence that their data is safe.
These regulations are to protect against data breaches. Your business is responsible for removing all data from the processing system and terminals. You should also avoid storing any unique or sensitive cardholder data. If you do store this kind of information, have the correct mechanisms in place to protect it.
It’s also good to note that this is not government regulation, yet. But there can be hefty fines if your business is not compliant. If your restaurant turns out to be out of compliance, it will cost you. Prepare to pay high fees from credit card processors, banks, and merchants.
So where do you start? The first step is to figure out what level your business falls into. It depends on the number of transactions your business does per year. There are four different levels:
- Level 1: over 6 million card transactions across all channels
- Level 2: 1 to 6 million card transactions across all channels
- Level 3: 20,000 to 1 million e-commerce transactions
- Level 4: less than 20,000 e-commerce transactions and up to 1 million card transactions
While all businesses need to be PCI compliant, validation differs based on level. If a business suffers from a data breach, it may be subjected to a higher compliance level.
Find the requirements for necessary validation in the PCI DSS Quick Reference Guide.
PCI Compliance vs. PCI Certification
The difference between compliance and certification is the involvement of an independent audit. This audit is can only be completed by a Qualified Security Assessor (QSA).
PCI compliance is the development and daily maintenance of cardholder data protection. To achieve PCI certification, the business must follow compliance and an audit from a QSA. The QSA then examines everywhere that cardholder data interfaces with. This includes all systems, storage, and networks.
The PCI certification audit is key to proving proper controls are being followed. Further to also see if a security policy is in place.
PCI certification varies based on your business level. Most restaurants are level 4 and can establish compliance on their own. They can operate under the Payment Card Industry Self Assessment Questionnaire (PCI SAQ). For this level, the organization that processes the payment will have PCI certification.
Having PCI certification shows your business is devoted to maintaining compliance standards.
How it applies to your restaurant: In-person & Online
Security matters when it comes to dealing with card transactions. By being PCI compliant, you’re protecting your restaurant as well as your customers.
It’s important to be aware of the places where cardholder data can be compromised. Broken card readers and insecure payment systems put your restaurant more at risk.
If your restaurant takes online orders, secure your e-commerce platform. Your customers’ card information while ordering online should still be safe.
Gaining your customer’s trust is important for restaurants. Part of great guest experience is being free of any financial risks.
Being compliant reduces your risk of fines and penalties associated with security breaches. Data breaches can cost your restaurant a lot of money and all its reputation. Get PCI compliant and make it known to your customers that security is important to you.
Make sure your restaurant has a PCI compliance plan and it’s always up-to-date. This will help keep costs down, avoid breaches, and maintain your customers’ loyalty.