What is PCI Compliance?
Almost every restaurant owner has heard of it, but it remains a source of confusion at small businesses that take credit cards.
Many restaurateurs wonder:
- What is PCI compliance?
- What do I have to do?
- Is it expensive?
The good news is that PCI compliance doesn’t have to be confusing. Let’s look at how to become PCI compliant in your restaurant.
PCI Compliance Overview
“PCI Compliance” refers to a set of rules for taking credit cards securely to minimize risks of data breaches or other security problems. Every business that takes credit cards must comply with PCI requirements.
It doesn’t matter how small the business is, or if it only takes a few cards a month. If you accept any credit cards, it applies to you.
There are six “categories” of PCI compliance requirements, which are:
- Maintaining a secure network
- Protecting cardholder data
- Protecting your systems against malware
- Putting strong access control measures in place
- Monitoring and testing your networks
- Creating an Information Security Policy
To achieve compliance, you’ll need to implement procedures like installing firewalls, using secure equipment, and more. You’ll also need to complete a “self-assessment questionnaire” (SAQ) each year. Jump down to PCI Requirements in Detail for more information on steps involved in compliance.
Challenges for Restaurants
One of the pieces of PCI compliance is limiting employee access to data. Since many servers run cards, restaurants often have multiple machines and multiple staff members with access to physical credit cards. However, you can help ensure that you’re abiding by requirements through the use of unique employee IDs and properly encrypted systems.
If you’re already using an older POS system or credit card terminal and you’re not sure if it offers encryption, you can contact your processor to find out more.
Checklist for Compliance
In order to become compliant, follow these steps:
- Familiarize yourself with the PCI requirements in each “category” of compliance.
- Work with your processor or IT team to implement policies to satisfy requirements.
- Complete the self-assessment questionnaire each year.
- Validate compliance, if applicable.
- Stay in contact with your processor to determine if there are additional steps.
PCI Requirements in Detail
It’s important to note that the steps your specific restaurant will need to take may vary depending on your processor’s requirements and your particular equipment setup. The information below provides a starting point for compliance.
As mentioned earlier, there are six “categories” of compliance.
1. Secure Network
Building and maintaining a secure network means that you’ll need to install firewalls and change all passwords from factory/manufacturer defaults to more secure options.
2. Protect Cardholder Data
Protecting your customers’ data means that you either don’t store card details or only store them securely. Most restaurants won’t need to store card details. You’ll also need to take measures to ensure that card data is transmitted securely, through the use of tokenization or encryption.
3. Protect Against Malware
You’ll need to use anti-virus software, and – just as importantly – ensure that it’s up to date. Out-of-date anti-virus software won’t catch newer viruses and malware that can cause problems.
4. Access Control Measures
To comply with the access control measures section, you’ll need to have policies in place limiting employee access to data.
Employees should only have access to the functions and information needed to do their jobs. In the restaurant business, many different employees may handle credit cards in the course of their day, and it may not be practical to require that only a manager or one designated employee run all cards. You’re not required to do that for PCI compliance, but you should create a unique ID for each employee who has access to your POS system or other technology that handles cards. You may also need to implement automatic log-outs after a certain period of inactivity, and require regular password changes.
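As an added example (not part of the original article), here is a small check a restaurant’s IT helper could run against POS login records to spot the three access-control gaps described above: a login shared by several employees, a session left idle without being logged out, and a password that hasn’t been changed. The idle limit and password age used are assumptions for the example; the article gives no numbers, so use whatever your processor requires.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy thresholds are assumptions for this example; the article gives none.
IDLE_LIMIT = timedelta(minutes=15)
PASSWORD_MAX_AGE = timedelta(days=90)


@dataclass
class PosSession:
    user_id: str              # login used on the terminal
    employee: str             # person actually running cards
    last_activity: datetime   # last key press / swipe on that session
    password_changed: datetime


def shared_logins(sessions):
    """User IDs used by more than one employee: each employee needs a unique ID."""
    staff_by_user = {}
    for s in sessions:
        staff_by_user.setdefault(s.user_id, set()).add(s.employee)
    return sorted(u for u, staff in staff_by_user.items() if len(staff) > 1)


def sessions_to_log_out(sessions, now):
    """User IDs of sessions idle longer than IDLE_LIMIT that the POS should close."""
    return sorted(s.user_id for s in sessions if now - s.last_activity > IDLE_LIMIT)


def stale_passwords(sessions, now):
    """User IDs whose password is older than PASSWORD_MAX_AGE."""
    return sorted({s.user_id for s in sessions
                   if now - s.password_changed > PASSWORD_MAX_AGE})


# Constructed sample data: a shared "server" login, one idle session, one old password.
NOW = datetime(2017, 6, 1, 20, 0)
SAMPLE = [
    PosSession("server", "Ana", NOW - timedelta(minutes=2), NOW - timedelta(days=10)),
    PosSession("server", "Ben", NOW - timedelta(minutes=40), NOW - timedelta(days=10)),
    PosSession("cara01", "Cara", NOW - timedelta(minutes=1), NOW - timedelta(days=120)),
    PosSession("mgr01", "Dan", NOW - timedelta(minutes=5), NOW - timedelta(days=30)),
]

if __name__ == "__main__":
    print("shared logins:", shared_logins(SAMPLE))            # ['server']
    print("log out idle:", sessions_to_log_out(SAMPLE, NOW))  # ['server']
    print("stale passwords:", stale_passwords(SAMPLE, NOW))   # ['cara01']
```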
5. Monitor and Test Networks
Your systems and networks should be tested regularly to ensure that everything is functioning properly and that data is stored correctly. Work with your processor or hosting provider to ensure that monitoring and testing are conducted.
6. Information Security Policy
Lastly, you’ll need to create an Information Security Policy, which lays out how company systems can be used, details security procedures, and includes information on risk analysis. You can work with your processor or IT department to determine the specifics of your own security policy.
Remember, while these guidelines apply broadly to all businesses that accept credit cards, your restaurant may need to implement particular procedures or equipment in order to achieve compliance. Check with your processor if you have questions.
Validating compliance is a process of “proving” that your business meets PCI standards. As of January 31, 2017, Visa requires that all businesses, regardless of size, validate compliance unless they qualify for an exemption. Previously, only the largest businesses were required to validate compliance, although many processors required it of all businesses for simplicity’s sake. Your processor can advise if you need to validate compliance.
Visa’s validation exemption program allows you to opt out of validation if you qualify. Note that you’re still required to maintain compliance – you just won’t have to “prove” it. Visa may grant exemptions to restaurants that don’t store card details after authorization and use qualified equipment for at least 75% of their transactions. Qualified equipment includes either machines that support both EMV and NFC (contactless) payments like Apple Pay or a validated point-to-point encryption (P2PE) solution.
The PCI Security Standards Council offers a list of P2PE solutions – only solutions from the list will qualify for the Visa validation exemption.
To qualify for the exemption, you can contact your processing company to check eligibility on your behalf, or you can submit an application to Visa on your own.
What Does it Cost?
PCI compliance costs vary. There may be fees involved from your processor, as well as equipment costs or staff costs for implementation. As I noted in a previous article on how to “86” unnecessary credit card processing fees, processors may charge in different ways for PCI compliance.
Some processors apply a PCI compliance fee to help defray the costs of assisting you with PCI compliance. If your processor charges you that fee, take them up on their assistance. They’ll be able to help you achieve compliance and complete the questionnaire.
Many processors charge a PCI non-compliance fee, which only applies in months that you’re not compliant with PCI requirements. It’s an avoidable fee, since you won’t be charged if you’re compliant. Compliance is a win-win: your business will be more secure, and your processor won’t charge you an unnecessary PCI non-compliance fee.
Aside from the charges levied by your processor, you may incur costs if you hire outside experts, IT consultants, or other personnel to implement required processes. Be sure to get a full breakdown of costs you can expect if you’re bringing in people to help with PCI.
What is PCI Compliance for Your Restaurant?
The bottom line is that PCI compliance is required and it’s in your restaurant’s best interest to become (and stay) PCI Compliant. Familiarizing yourself with the policies and properly training staff can save you time and headaches while protecting your business and your customers from costly data breaches.