PCI Compliance for Restaurants

PCI Compliance for Restaurants

A woman orders food in the touch screen terminal with electronic menu in fast food restaurant

Retail restaurants are one of the few brick and mortar businesses that continue to thrive in the digital age, but that doesn’t mean there aren’t hiccups. In fact, the more quick-serve restaurants (QSR) embrace cloud technologies in their kitchens and dining rooms, the more they open themselves to security failures. So, how can you protect yourself, your business, and your customers? The solution lies in your restaurants’ PCI Compliance.

No One is Immune from a Data Breach

You only need to read recent headlines to know that data breaches and computer hacks are very common. With 96% of all U.S. retailers using sensitive customer information on cloud-connected technologies, every store owner has this concern on their radar. Thanks to digital transformation, QSRs are a more attractive target than ever. In other words, your brand new point-of-sale (POS) system and even those self-serve kiosks that save you money are a huge liability if you don’t take the necessary precautions.

Good Credit Card Security for Customer Trust

62% of respondents in a recent survey of retailers reported some sort of security lapse in 2018. No matter who is to blame for a data breach, such incidents always leave a bad taste in the public’s mouth. Consequently, people will think twice before they swipe their credit cards at affected establishments again. As a result, many restaurant groups are looking for ways to shore up their PCI Compliance to maintain customer confidence.

What is PCI Compliance?

PCI DSS compliance, or commonly PCI compliance, stands for Payment Card Industry Data Security Standard. It is a security standard that applies to any business that processes, stores, or transmits credit cardholder information. This includes everything from Visa to Discover, and every credit card issuer in between. It is not required by federal law, but there are some state level laws that refer to PCI compliance.

There are 6 categories of the PCI Compliance Requirements and Standards that your restaurants are expected to meet so that you can remain compliant and protect your customers’ sensitive information.

1. Maintain a Secure Network with a Firewall & Network Switch

With many front and back-of-house restaurant devices now connected via WiFi, customer data can be easily accessed if you’re not careful. A firewall helps protect this data from leaving your network by monitoring and controlling your store’s incoming and outgoing internet traffic, based on predetermined security rules.  Firewalls establish a barrier between a trusted, secure internal network and untrusted networks (like the public internet), and protects card holder information from the outside world.

Physically wired computers and devices also need protection. However, they are often overlooked. It is important to isolate these physically connected devices so that non-secure systems do not affect your POS and customer data. Restricting devices with managed network switch as well as a Firewall will ensure your critical systems are protected.

Every business accepting credit cards must have adequate security to protect their system from unauthorized access and data breaches. A properly configured firewall, as well as a network that isolates critical POS terminals and other devices in your restaurants, will help to ensure your customers’ data doesn’t become exposed to other unauthorized users, guests, or passing strangers.

2. Protect Credit Cardholder Data

Due to their sensitive nature, credit and debit card data should be always be transmitted securely, either by encryption or through tokenization.

In some instances – like during Internet outages or POS systems failure – when you can’t process cards online, you may have to manually handle credit cards.  This means that secure card data is stored in an unencrypted state for a period of time.  Most likely, you do not need to keep this information on file after the Internet is restored and online processing is working again. Urgent and regular deletion of sensitive data is prudent to ensure the safety of your customers.

3. Protect Your Systems Against Viruses and Malware

Cash and order desk and kitchen equipment on back in fast food restaurant. POS systems need to be PCI compliant.

Malware is a major threat to any data stored on computers and servers. All restaurants are required to have up-to-date anti-virus and anti-malware software installed on their networks. These measures will typically catch and stop the latest viruses and malware before they hit your system. Additionally, you should ensure that the PCs connected to your in-house and secure POS network have updated security software.

4. Implement Strong Access Control Measures

Employee access to cardholder data and secure POS servers should be as limited as possible to prevent hackers from taking advantage of security gaps. If employees must access your secure environment, then a unique ID for each employee should be created. This ensures a proper audit trail. Likewise, automatic logouts and regular password changes will also help to make sure everyone’s unique ID isn’t passed around or misused.

Many restaurants use their POS server as a “Manager’s PC.” Store employees sometimes use this computer to browse the Internet and read email. If someone mistakenly downloads a virus or triggers some sort of malware, your secure POS network could be compromised. Therefore, this sort of activity is not recommended and should be avoided at all cost. Your POS devices should always be a on a fully isolated network with per user access controls.

5. Regularly Update, Monitor, and Test Your Systems

Your network or security provider should run regular tests to be sure your systems and network are properly protected and run secure.

Recurring penetration and network tests, as well as random on-site IT security tests, should be conducted to identify and resolve security issues.

6. Create an Information Security Policy

To maximize security efforts, your restaurant operations team will need to work with your credit card processor, IT department, and/or network security vendor to create an Information Security Policy. This is an internal document that explains how all of the systems can be used, specific security measures, and a risk analysis.

Also keep in mind that PCI compliance is not one size fits all. It comes down to your operation’s particular procedures, devices, and equipment. You can conduct a self-assessment, but larger groups should definitely get professional help to make sure all their restaurants are PCI compliant.

Consequences of PCI Non-Compliance for Restaurants

If your restaurant is not PCI compliant, your business could face fines between $5,000 and $100,000 per month by credit card companies. These penalties depend on the volume of clients, the volume of transactions, the level of PCI-DSS that the company should be on, and the time that it has been non-compliant.

If you do not take further steps to protect cardholder data, you run the risk of losing your merchant account. Consequently, you won’t be able to accept credit card payments at all. You could even wind up on the Terminated Merchant File, which means you’re on a blacklist from getting another merchant license for possibly a few years.

PCI Compliance Requirements Change as Your Restaurant Operations Grows

young man received his to go food order in fast food restaurant and looks at receipt

As your business grows, PCI compliance requirements will change and become more stringent. PCI Compliance levels range from 4 to 1 and are based on the number of transactions and credit cards scans for your entire business. Of course, this is a good problem to have… if you’re moving towards PCI Compliance Level 1, then you’re nearing the highest level of PCI compliance to cope with all of your sales! But data security may be the last thing you want to be worried about as your business grows.

PCI Compliance Doesn’t Need to Be Hard

At SymplyFi, our team implements security measures on your own private cloud network to support any level of PCI Compliance needed. With our secure 4G LTE backup Internet, your stores are always online and phones never go down. So you’ll never need to process credit cards offline or lose revenue due to network downtime. Plus, we monitor your network 24/7 and give you round-the-clock emergency support. If you like the sound of that, or if you’d like an audit of your store’s security, contact our team here for more information!

Richard JB Campbell

Richard JB Campbell, SymplyFi CEO, has worked in IT security solutions for over 25 years. A serial entrepreneur, he started his first company in 1997 building dial-up ISPs using Linux, custom servers, and Digiboards. Richard is currently focused on bringing an affordable and reliable enterprise-quality IT, telecomm, and network security solution to multi-location retail and restaurant operations.

Share This Article

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.