Let’s suppose that you’ve just made the move to upgrade your software and hardware so they’re enabled for EMV.
You know that you’ve greatly reduced the possibility of fraud-related liability and large ticket chargebacks in your restaurant.
After all, ever since the EMV liability shift in 2015, card-present fraud losses have continued to decrease by thousands of dollars.
Maybe you’re thinking that you’re in the clear now when it comes to fraud and data breaches. Isn’t EMV all you need to worry about?
Errrr … not quite.
There’s one essential point you can’t overlook.
One that can still affect your business – especially when data breaches and card-not-present fraud losses are steadily increasing.
What is it?
Here’s the bad news: EMV is only a piece of the puzzle when it comes to protecting your restaurant and your customers’ data from fraud and data breaches.
But here’s the good news: PCI compliance isn’t as complicated as it sounds.
Although reaching full PCI compliance as a small restaurateur can be a complex business, there are a few key things you can do to ensure your restaurant systems and data are more secure.
PCI Compliance: A Quick Explanation
Before we jump to 10 smart tactics to make your restaurant more PCI compliant, let’s quickly review what PCI compliance is and what it means for you.
What is PCI?
PCI – or Payment Card Industry – refers to a set of standards for protecting credit card data, administered by the PCI Security Standards Council.
Source: PCI Security Standards Council
What are the PCI Security Standards?
There are six different PCI Security Standards goals, which include:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
These standards provide guidelines on things like: how to properly store and transmit cardholder data, the most secure methods for chip and card personalization, and anti-virus best practices.
What are these standards designed for?
In summary, PCI Security Standards are designed to prevent potential fraud in what they call the “card-processing ecosystem.”
Some of the most vulnerable entities in this system are found right in your restaurant: point-of-sale devices, mobile devices, services, wireless hotspots, and more.
Why is PCI important?
To put it bluntly, without certain security measures in place (in addition to EMV-enabled technology), your restaurant could potentially become prey to fraudsters and hackers.
That’s why it’s important to take steps to be more PCI compliant: Implementing these measures can ensure your restaurant is more secure.
10 Smart Tactics to Make Your Restaurant More PCI Compliant
There are several things you can do to make your restaurant more PCI compliant – some of which you may actually be doing already.
You’ll find that using these tactics to make your restaurant more PCI compliant is not as daunting as it might sound at first and that many (if not all) of them are fairly easy to do.
1) Use a firewall configuration.
Firewall systems are designed to keep unauthorized users from accessing any data in your network. What’s great is that installing a firewall software system isn’t that hard. Both Mac and Windows operating systems come with prebuilt firewalls, and you can also purchase third-party firewall software from companies like Norton and McAfee.
2) Use anti-virus software or programs – and make sure they’re continually updated.
Anti-virus software programs are another measure you can use to protect your systems against malware and other viruses.
Note: It’s important to continually update them, though. If your anti-virus software isn’t updated, it will be more vulnerable to newer malware and viruses.
3) Don’t rely on default system passwords from any outside systems you use.
If you install any new hardware or software (especially any that is directly involved in credit card transactions), don’t use the default system passwords that come with them. Most hackers know what these passwords are, so if you don’t change them, they’ll be able to easily hack into your system.
4) Make sure that the only members of your staff that have access to cardholder data are the ones that need to know this information.
Though you might like to think that all of your employees are trustworthy, the truth, unfortunately, is that you never really know. Plus, the fewer people that have access to critical information, the less likely that this information will be shared or stolen.
Keeping sensitive credit card data limited to specific members of your team (you, your general manager, your IT manager, etc.) will provide a further security measure for your restaurant.
5) Never store sensitive cardholder data in your hardware, software, or elsewhere.
If you were to store this information anywhere – even, say, having a credit card number written on a piece of paper that’s lying around – you would open up the possibility of fraud.
By avoiding storing any sensitive data, you reduce the likelihood of this information being shared or stolen.
6) Have a password-protected, encrypted wireless router.
A wireless router is one of the main network security controls you can use, in addition to a firewall, to have a safer network. Essentially, a wireless router takes the connection from your internet cable and passes data to your devices; it also serves as a wireless access point, sharing that data over radio signals.
Making sure that your wireless router is both password-protected and encrypted will prevent outsiders from accessing the data that is being shared across your network.
7) Ensure your POS system and other system passwords are strong and updated every 90 days.
Have you ever been prompted to make a new password and had to meet specific parameters like including a number, at least one capital letter, and at least one symbol like # or %?
What might seem simple can make a password much stronger – and thus, harder for a hacker to guess. That’s why the first step with your POS system and other systems is to implement strong passwords.
Also, update your passwords every 90 days. That way, they’re fresh, ever-changing, and less vulnerable to hackers.
8) Only use approved PIN Transaction Security (PTS) devices.
Approved PTS devices are devices that have been certified by the PCI Security Standards Council and therefore are ones that you know are PCI compliant from the get-go.
Generally, most PTS devices are payment terminals. You can see the whole list of approved PTS devices on the PCI website here.
9) Stick with a Validated Payment Application to process credit card payments.
The PCI Security Standards Council also keeps an updated list of approved Validated Payment Applications – or payment processors – which meet their standards for PCI compliance. (Check out all of the approved Validated Payment Applications here.)
Midwest POS is proud to work with two Validated Payment Applications: First Data Merchant Services and Worldpay.
10) Use an (updated) POS software that you know will help you be PCI compliant.
In addition to hardware and payment processors, it’s equally important to use POS software that is designed to help you be PCI compliant and protect your customers’ credit card data.
If you’re looking at new software solutions, evaluate whether or not the systems have PCI compliance controls built in. (NCR Aloha, we should note, does have these built right in!)
If you already have a POS software system in place, keep it updated. Many POS software systems now are made to be safe, but only if they’re continually updated.
PCI Security Standards are industry best practices you can follow to prevent potential data breaches or credit card fraud.
Paired with EMV-enabled technology, if you implement some of the tactics listed above, you can help protect your customers’ sensitive credit card data against a very real (and growing) threat and make your restaurant more PCI compliant.
Note: Midwest is PCI QIR Certified!
Midwest POS Solutions is a PCI QIR Certified Company! The QIR Program outlines guiding principles and procedures for the secure installation and maintenance of validated payment applications in a merchant environment, in a manner that supports their PCI DSS compliance efforts. QIR certification assures that your systems are being installed properly by competent and qualified technicians.