Payment Card Industry Data Security Standards Compliance — more concisely known as PCI Compliance or PCI DSS Compliance — can be a confusing set of rules to understand and implement for restaurant owners. However complicated PCI compliance may seem, it’s instrumental to the success and reliability of your business.
Chances are you’ve heard of PCI compliance, and while you might not know exactly what it entails or requires, that doesn’t mean you can’t learn. This article seeks to help restaurant owners and operators become comfortable with PCI compliance by covering the basics, and by outlining the considerations that should be taken into account to ensure your restaurant is fully compliant.
So what is PCI compliance?
In the early 2000s, Visa, Mastercard, Discover, American Express, and the Japan Credit Bureau started independently thinking about ways to help protect their cardholders. After realizing they were all trying to accomplish the same goal, the companies put their heads together in order to come up with a unified set of measures that would help protect cardholders from having their card and personal information stolen.
The result was version 1.0 of the PCI DSS Compliance rules, a set of rules and regulations that apply to every business that accepts credit or debit cards. Over time, the security standards have been updated, culminating in the most recent version, version 3.2.1, which was released in May 2018.
Despite changes and updates over the years, every version of PCI compliance sets the rules and regulations that businesses must follow in order to accept credit and debit cards, regardless of industry or location.
Does PCI compliance apply to my restaurant?
The short answer is yes. If you accept debit and credit cards in your restaurant (which you likely do), PCI compliance most definitely applies to you.
Depending on the number of transactions your business completes in a year, you’ll fall into one of the following four “levels” of compliance, according to Worldpay:
Level 1: over 6 million card transactions annually through all channels
Level 2: 1 to 6 million card transactions annually through all channels
Level 3: 20,000 to 1 million card transactions annually
Level 4: fewer than 20,000 card transactions annually
The PCI DSS lists twelve requirements for compliance, consolidated into six groups that are referred to as “control objectives.” The twelve high-level requirements have remained exactly the same since the inception of PCI compliance back in the early 2000s. According to TCDI, the control objectives are as follows:
Build and maintain a secure network and systems
Protect cardholder data
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy
Now you might be thinking, “How do I follow these objectives and make sure my restaurant is compliant?” The good news is that there are many tools and resources out there to help you achieve PCI compliance.
How can I make my restaurant PCI compliant?
We first encourage restaurateurs to reach out to their credit card processors — often, processors offer their customers tools to become compliant. However, there’s a common misconception regarding PCI compliance and credit card processors. Credit card processors will advertise (truthfully) that their hardware and software solutions are PCI compliant. Even so, using a PCI compliant processor doesn’t mean that your restaurant is fully compliant. Your restaurant is ultimately responsible for maintaining a fully compliant environment, in addition to using a compliant processor.
If your processor doesn’t provide tools to become compliant, fear not. Level 4 merchants — the category your restaurant will almost certainly fall under — can establish compliance on their own through the use of a self-assessment questionnaire (SAQ). You should complete the following steps to establish compliance in your restaurant:
Determine which SAQ you should use. This guide will help you understand which one is right for your business.
Complete the SAQ according to its instructions.
Complete a vulnerability scan with a PCI Approved Scanning Vendor (ASV). An ASV is an organization with a set of security services and tools to conduct vulnerability scans that validate PCI compliance. A full list of ASVs can be found here.
Once completed, submit your SAQ to your acquiring bank. Your acquiring bank is the bank you use for your merchant bank account.
Once you’ve completed these steps, your restaurant is on the road to establishing PCI compliance.
Why is PCI compliance important for restaurants?
While food and ambiance are crucial ingredients to an amazing guest experience, security is another important factor for any business — your customers want to know that they’re safe in your establishment and don’t face any financial risk by dining with you.
Additionally, adhering to PCI compliance not only protects your customers, it also significantly reduces your risk of expensive penalties and fines that can result from a security breach. IBM estimates that a data breach, on average, costs a business a whopping $3.92M. For many businesses, data breaches can mean both financial and reputational ruin. The best way to prevent breaches is by closely following all PCI compliance requirements: it’s not just about protecting your customers, it’s about protecting yourself.
One last point: If your restaurant is found to be out of compliance, you can face steep fines from the card brands, merchant processor, and/or acquiring bank. Needless to say, compliance is important.
Here at Toast, PCI compliance is always top of mind. Below, you can find a series of helpful resources that’ll assist in making sure your restaurant is fully compliant. If you want to learn more about our PCI compliant integrated point of sale and credit card processing solutions, set up time with a restaurant technology expert at Toast.
List of helpful PCI compliance resources: