The following is an excerpt from The Definitive Guide to Restaurant POS Systems.
Data is a powerful tool in the restaurant industry. It is also often sensitive and confidential. The storage and protection of credit card data has come under scrutiny after recent attacks on both retail and foodservice establishments.
1. Does the point-of-sale system run on Windows XP?
On April 8, 2014, Microsoft stopped supporting the Windows XP operating system.
This means that any POS system that runs Windows XP no longer receives security updates and is no longer PCI compliant.
Do not choose a POS system that runs on Windows XP. If you are currently using an XP-based system, it is time for a change.
Otherwise, you will either have to pay for an expensive software upgrade or accept a serious risk of fraud and viruses.
2. How is POS data encrypted? When is credit card data stored in the system?
To prevent data breaches and fraud, your POS system should encrypt card data the moment a card is swiped.
All sensitive data should also be encrypted while it is stored on your POS server, so that someone who gains access to your database still cannot read the confidential data in it.
Identify potential weak points by asking how the POS system encrypts data and when and where credit card data is stored in the system.
3. Who has access to the server and the data on it?
Your system should allow you to restrict access to sensitive data.
Anyone who is granted access to the data should be required to log in with their own personal credentials, so you can track who is interacting with your data and hold the right people accountable if something goes wrong.
Usually, data access is limited to management.
Decide who should have access to data and lock the system down from everyone else (your POS provider should help you with this).
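The following is an added example, not code from the guide or from any POS product, showing what the advice in this section looks like in practice: each person has their own login, permissions are tied to a role rather than to a shared "manager" password, and every attempt to touch sensitive data is written to an audit log so it can be traced to a named person. The user names, roles and actions are assumptions made up for illustration.

```python
# Added example: per-user logins, role-based restriction of sensitive POS data,
# and an audit trail that attributes every access to a named user.
# All names, roles and actions below are constructed for illustration.
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Which actions each role may perform. Only managers may see card data.
ROLE_PERMISSIONS = {
    "manager": {"view_reports", "view_card_data", "void_sale"},
    "server": {"open_ticket", "close_ticket"},
}


class AccessDenied(Exception):
    """Raised for a failed login or an action the role is not allowed."""


class PosBackOffice:
    def __init__(self):
        self._users = {}      # username -> (salt, password_hash, role)
        self.audit_log = []   # one dict per login attempt or action

    def add_user(self, username, password, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        # Store a salted PBKDF2 hash, never the password itself.
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, digest, role)

    def _record(self, user, action, allowed):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "action": action,
            "allowed": allowed,
        })

    def login(self, username, password):
        """Return a session (username, role) or raise AccessDenied."""
        record = self._users.get(username)
        if record is None:
            self._record(username, "login", False)
            raise AccessDenied("unknown user")
        salt, digest, role = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(candidate, digest):
            self._record(username, "login", False)
            raise AccessDenied("bad password")
        self._record(username, "login", True)
        return (username, role)

    def perform(self, session, action):
        """Check the session's role against the action; log either outcome."""
        username, role = session
        allowed = action in ROLE_PERMISSIONS[role]
        self._record(username, action, allowed)
        if not allowed:
            raise AccessDenied(f"{username} ({role}) may not {action}")
        return True


def who_did(office, action):
    """Names of users whose attempt at `action` was allowed, from the audit log."""
    return [e["user"] for e in office.audit_log
            if e["action"] == action and e["allowed"]]


def demo():
    """Build a small back office and exercise the controls; returns the office."""
    office = PosBackOffice()
    office.add_user("alice", "correct horse battery staple", "manager")
    office.add_user("bob", "bobs-password", "server")

    alice = office.login("alice", "correct horse battery staple")
    office.perform(alice, "view_card_data")          # allowed, and attributed to alice

    bob = office.login("bob", "bobs-password")
    try:
        office.perform(bob, "view_card_data")        # denied, and still logged
    except AccessDenied:
        pass
    return office


if __name__ == "__main__":
    office = demo()
    for entry in office.audit_log:
        print(entry)
```

Because each log entry carries a username rather than a shared account, the question "who looked at card data last Tuesday?" has an answer. With a single shared manager login it would not.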
4. Who is responsible in the event of a data breach?
If PCI compliance is important to you, ask POS providers to prove that they are certified.
Every POS provider should have strict security measures in place to protect your establishment from fraud, viruses, and data breaches.
If legitimate security measures are in place, providers will likely agree to take full responsibility should any data be compromised.