In 2019, four major restaurant chains—Krystal, Moe’s, McAlister’s Deli, and Schlotzky’s—were hacked. Credit and debit card data for four million of their customers was being bought and sold in an underground cybercrime marketplace, according to an article published by KrebsOnSecurity.
It’s no wonder The Ascent claims that last year was the worst year in history for identity theft reports, marking an increase for the second year in a row. Data breaches play a huge role in this alarming trend.
As a restaurant owner, you’re probably familiar with restaurant PCI compliance — and if you find it confusing, you’re not alone. But it’s important that you understand the basics for the sake of your restaurant’s security and your customers’ safety — especially with the increase in digital transactions due to the pandemic.
What is PCI compliance?
Back in 2004, payment fraud was on the rise. To combat this growing problem, credit card industry leaders such as Mastercard, Discover, American Express, and Visa, along with the Japan Credit Bureau, brainstormed ways to help protect their cardholders against identity fraud. They introduced PCI DSS 1.0 in December of that year, which required all merchants that accept credit cards to comply with this new set of standards.
Otherwise known as Payment Card Industry Data Security Standards Compliance, or PCI Compliance, these standards have been updated over the years to conform to industry trends and emerging technology. PCI compliance protects all businesses that process credit card information and the customers that patronize them from data breaches and identity theft.
Why does PCI compliance matter for restaurants and bars?
You’re well aware that providing amazing food, an exceptional guest experience, great ambiance, and top-notch service is part of why customers keep coming back to your establishment. But if customers don’t feel safe using their debit or credit cards due to potential theft, then that tarnishes your hard-won reputation as a trusted and reliable restaurant of choice.
As a restaurant owner, you’re responsible for your customers’ debit and credit card information from the moment a card is swiped into your system. PCI compliance ensures that this information is protected at all times. If your restaurant is not in compliance, it could result in high fees from banks, credit card companies, and other merchants. On average, a data breach costs a business an estimated $3.92 million, according to IBM. That would hurt a large chain significantly, and for the owner of a smaller chain or a neighborhood restaurant or bar it would almost certainly force closure. The best thing you can do is to closely follow all restaurant PCI compliance guidelines.
PCI compliance requirements
There are 12 PCI compliance requirements you need to implement to ensure your restaurant is protected from credit and debit card theft. To stay compliant you should:
- Install and maintain a firewall configuration to protect cardholder data
- Protect stored cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software on all systems commonly affected by malware
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Conduct vulnerability scans and penetration tests
- Maintain a policy that addresses information security
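Two of the requirements above, protecting stored cardholder data and monitoring access to it, come down in practice to never letting a full card number (the PAN) sit in a database, receipt file, or POS log in the clear. The following Python example is added here for illustration and is not code from the original article or from any card processor. It assumes the common PCI DSS display rule that at most the first six and last four digits of a PAN may remain visible, and it works on a few constructed sample log lines containing well-known test card numbers that belong to no real cardholder: it uses the Luhn checksum to tell a card number from other long digit strings (a phone number, an order id), reports which log lines stored a full PAN, and produces a redacted copy of a line.

```python
import re

# Constructed sample POS log lines (not from the article). The card numbers
# are published test PANs that pass a Luhn check but belong to nobody.
SAMPLE_LOG_LINES = [
    "2024-03-01 12:00:01 POS1 sale approved card=4111111111111111 amount=42.10",
    "2024-03-01 12:00:05 POS1 sale approved card=411111******1111 amount=12.00",
    "2024-03-01 12:00:09 POS2 order 5551234567 table 7",  # phone number, not a PAN
    "2024-03-01 12:00:14 POS2 sale approved card=5500000000000004 amount=9.50",
]

# A PAN is 13 to 19 digits; the lookarounds stop us matching part of a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN so that only the first six and last four digits remain (assumed display rule)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("not a plausible PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_unmasked_pans(line: str) -> list[str]:
    """Return every digit run in the line that looks like a full, Luhn-valid card number."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(line) if luhn_ok(m.group(0))]


def redact_line(line: str) -> str:
    """Return a copy of the line with every detected full PAN replaced by its masked form."""
    return PAN_CANDIDATE.sub(
        lambda m: mask_pan(m.group(0)) if luhn_ok(m.group(0)) else m.group(0),
        line,
    )


def scan_log(lines) -> list[tuple[int, str]]:
    """Return (line_number, masked_pan) for each line that stored a full PAN in the clear."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for pan in find_unmasked_pans(line):
            findings.append((n, mask_pan(pan)))  # report the masked form, never the full PAN
    return findings


if __name__ == "__main__":
    for line_no, masked in scan_log(SAMPLE_LOG_LINES):
        print(f"line {line_no}: full card number stored, should read {masked}")
    print(redact_line(SAMPLE_LOG_LINES[0]))
```

Running the scanner over an existing log directory is a quick way to check whether a POS or ordering system is writing full card numbers to disk; the finding itself only ever records the masked form, so the scan does not create a second copy of the data it is looking for. The Luhn check filters out most phone numbers and order ids, but it is a plausibility test, not proof, so a hit still deserves a look.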
Making your restaurant PCI compliant
The 12 steps above may seem daunting. To help with this process, reach out to your credit card processors, as they most likely have tools to help you become compliant. But be aware that while credit card processors claim their hardware and software tools are PCI compliant, this doesn’t mean your restaurant will be in the clear. It’s your responsibility to make sure you are maintaining a fully-compliant environment as well as using a compliant processor.
If your credit card processor doesn’t provide the tools you need to become PCI compliant, Level 4 merchants (the category most restaurants fall under) can establish compliance through a self-assessment questionnaire (SAQ). There are a number of different SAQs you can use, so use this guide to help you find the right one for your restaurant.
After you’ve found the correct SAQ version to use, complete it and then do these steps to establish restaurant PCI compliance:
- Complete a vulnerability scan with a PCI Approved Scanning Vendor (ASV), which is an organization with a set of security services and tools to conduct vulnerability scans that validate PCI compliance. Here is a list of approved ASVs.
- Submit your SAQ to the bank you use for your restaurant.
From there, you’ll simply wait to hear back if you’ve been certified PCI compliant, which can take a few weeks.
Keeping your restaurant PCI compliant is essential to the security of your paying customers and to the reputation of your establishment. If you’re not compliant, or you’re unsure whether you’re meeting all of the criteria, address it as soon as you can. The livelihood of your business could depend on it.