
Payment Card Industry Data Security Standard: A Briefing for the Restaurant Industry

What is it?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements for handling credit and debit card information. The requirements are known as “PCI” because they were developed by the major payment card brands -- Visa, MasterCard, American Express and Discover. The standard is organized into 12 requirements; the list of 12 requirements can be downloaded from the Payment Card Industry Security Standards Council Web site.

Who must comply with the PCI standards?
All U.S. merchants, including restaurants, are subject to PCI requirements if they accept credit or debit cards. Compliance is a condition of being permitted to accept cards issued through the payment networks or their member financial institutions. The PCI standards apply to all merchants regardless of size. However, a merchant’s annual number of payment card transactions dictates how and when he or she must demonstrate compliance.

For example, merchants with at least 6 million annual Visa or MasterCard transactions, or 2.5 million annual American Express transactions, must demonstrate compliance through a formal certification process specified by the card networks. Merchants with at least 1 million transactions also must undergo quarterly network scans by approved scanning vendors. The scanning vendors test whether a merchant’s externally reachable systems can be used by an attacker to gain unauthorized access to transaction information.

Merchants with fewer than 1 million Visa or MasterCard transactions a year are responsible for validating their own compliance through an annual self-assessment. The payment card industry also requires that any merchant with an Internet-facing network undergo quarterly vulnerability scanning.

How are PCI standards administered?
VISA and MasterCard administer the PCI standards through banks that contract with merchants for card transaction processing. The banks also are known as ”acquirers” or “merchant banks.” In some cases, banks contract with third-party companies to provide VISA and MasterCard transaction-processing services. In those cases, banks can work through the third-party entity to administer the PCI standards. American Express and Discover have direct contractual relationships with merchants and directly administer PCI standards.

The card systems ultimately determine how and when merchants must comply with the standards. Furthermore, the card systems’ operating rules allow them to assess damages for monitoring or replacing cards that were compromised in a security breach. The card companies can also assess damages for losses from fraud and penalties for PCI-standard violations. VISA and MasterCard assess the damages or penalties to merchants’ processing banks, and the banks usually attempt to pass the fines to merchants.

Merchants’ transaction-processing agreements with banks usually require merchants to comply with card-network operating rules. They can also require merchants to be financially responsible for damages and penalties assessed by card networks for PCI violations. In many cases, the fines and damages automatically are deducted from money owed to merchants for completed transactions.

Merchants also could face other fines. Some state legislatures are considering legislation that would require non-PCI compliant merchants to reimburse card-issuing banks for costs associated with re-issuing cards on compromised accounts in cases of security breaches. Minnesota has enacted such legislation.

Restaurants can be penalized for PCI violations caused by their good-faith reliance on vendors, as well as their own negligence.

How does the payment card industry determine violations?
Card networks and issuing banks run software that monitors transactions and cardholders’ fraud claims to identify potential security violations. For example, if such a tool traces fraudulent transactions back to several cardholders who all recently visited your restaurant, you may be asked to undergo a security audit by an approved vendor -- at your expense.

The card system could hold you responsible for PCI violations, even though there is no direct evidence of how the card-data compromise occurred. In some cases, PCI violations are caused by outdated card-processing software or improperly installed data networks that link restaurants to company headquarters.

The affected card systems can try to hold restaurant operators liable even in cases where violations resulted from vendor negligence or inaction and even though the restaurant operator reasonably relied on the vendor(s) to install and maintain software and networks correctly.

Small and mid-sized restaurant operators increasingly report significant card network fines for claimed PCI data-security violations related to software without the latest updates.

Who’s at risk?
Attackers increasingly target small and mid-sized merchants and restaurant operators, particularly those whose transaction-processing systems or terminals are reachable from the Internet.

What restaurants can do to prevent PCI violations:
VISA and MasterCard provide “safe harbors” that might limit liability if a merchant was actually PCI compliant at the time of an alleged data compromise. However, a merchant’s good faith effort to be compliant alone may not limit liability through safe harbor in the event of any PCI violation.

Common violations
The most common violations can be avoided by restaurant operator and vendor diligence. Here are some of them:


  • Cardholder data is improperly stored on point-of-sale systems (including payment card terminals) connected to the Internet or wireless networks. The main problem: Many merchants don’t realize their systems collect and keep that information, often in log or debug files. The PCI standards prohibit merchants from storing sensitive authentication data (full magnetic-stripe track data, card verification codes and PINs) after a transaction is authorized, even in encrypted form, and any card number that is retained must be rendered unreadable.
  • POS systems use default passwords, instead of customized settings.
  • Merchants’ networks are unsecured and exposed to the public Internet.
These violations often occur when equipment or software is improperly installed or when merchants rely on vendors that don’t follow the payment card systems’ “best industry practices.”
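The first violation above is usually discovered only when someone actually looks at what the POS has written to disk. The following scanner, an added example and not part of the original briefing or any vendor product, searches text (POS logs, database exports, debug dumps) for candidate card numbers, keeps only those that pass the Luhn check to cut down false positives such as order IDs, and distinguishes bare account numbers from magnetic-stripe track 1 and track 2 formats, which must never be stored after authorization. The log lines, card numbers (well-known test PANs) and regular expressions are constructed for the example.

```python
"""Scan POS text files for stored cardholder data (added example, hypothetical tool)."""
import re

# Candidate primary account number (PAN): 13-19 digits, optionally grouped
# by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 as written by a card reader: ;PAN=YYMM<service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}")
# Track 1: %B<PAN>^<NAME>^YYMM<service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]*\^\d{4}")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Show only first six and last four digits, the display form PCI DSS permits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Return findings for one line: dicts with 'kind' (track1/track2/pan) and masked PAN."""
    findings = []
    seen = set()
    # Track data first: it is sensitive authentication data and the worst case.
    for kind, rx in (("track2", TRACK2_RE), ("track1", TRACK1_RE)):
        for m in rx.finditer(line):
            pan = m.group(1)
            if luhn_ok(pan):
                findings.append({"kind": kind, "pan": mask(pan)})
                seen.add(pan)
    # Then bare PANs not already reported as part of a track.
    for m in PAN_RE.finditer(line):
        pan = re.sub(r"[ -]", "", m.group(0))
        if pan in seen or not luhn_ok(pan):
            continue
        seen.add(pan)
        findings.append({"kind": "pan", "pan": mask(pan)})
    return findings


def scan_text(text: str) -> list:
    """Scan multi-line text; return [(line_number, finding), ...]."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for f in scan_line(line):
            results.append((lineno, f))
    return results


# Constructed sample POS log. 4111111111111111 and 5555555555554444 are
# standard test card numbers; 1234567890123456 is an order ID that happens
# to be 16 digits long and fails the Luhn check.
SAMPLE_LOG = """\
2024-03-01 19:42:10 order=1234567890123456 table=12 total=48.50
2024-03-01 19:42:11 auth ok pan=4111 1111 1111 1111 amt=48.50 ref=77120
2024-03-01 19:42:11 debug swipe=;5555555555554444=25121011234?
2024-03-01 19:42:12 debug swipe=%B4111111111111111^DOE/JOHN^25121011234?
2024-03-01 19:43:00 tip adjust order=1234567890123456 tip=9.00
"""

if __name__ == "__main__":
    for lineno, f in scan_text(SAMPLE_LOG):
        severity = "SAD (never store)" if f["kind"] != "pan" else "PAN in clear"
        print(f"line {lineno}: {f['kind']:6s} {f['pan']}  {severity}")
```

Run against the sample, the order ID on lines 1 and 5 is ignored, line 2 reports a PAN in the clear, and lines 3 and 4 report track 2 and track 1 data respectively. In a real engagement the same logic is pointed at the POS file system, swap and database files rather than a string, and every hit of kind `track1` or `track2` is a finding that must be remediated at the application, not just deleted.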

Restaurant operators should follow these security guidelines to achieve ongoing PCI compliance:


  • Contact the experts:
    -- Levels 1 and 2 merchants: Contact your acquiring bank, American Express, Discover and your POS system vendors about the PCI certification process if you process at least one million card transactions a year.
    -- Level 4 merchants: Be aware of data security issues in your business. Discuss the subject with the company that installed and/or maintains your POS systems and data networks in your stores. Ask your merchant card processor for assistance.
  • Ensure your POS software is validated as meeting best security practices by one or more of the card networks. Ask your systems integrator or your merchant bank/processor, or check Visa’s Web site to see if your system and software are listed as compliant.
  • Ensure your POS system provider’s service contract requires its software to follow the card networks’ “payment application best practices” and to be PCI compliant.
  • Ensure your POS system vendor contract requires the software and hardware to be regularly updated with new versions.
  • Ensure your POS software is up to date with fixes and patches. If your POS runs on general-purpose personal computers, install anti-virus tools on all of them and have a process to install updates regularly.
  • If your POS system is connected to the Internet or uses a wireless network, ask your systems integrator if your POS system is protected from unauthorized external access.
  • If your POS system or retail network is connected to the Internet, have the network scanned quarterly to identify problems. Approved scanning vendors perform the scans remotely to check whether your system can be breached from outside. The PCI Security Standards Council lists approved vendors on its Web site.
  • Make sure passwords for systems have been personalized and changed from the defaults.
  • Assign a unique ID and password to each user, and disable the IDs of employees who leave so their old credentials no longer work.
  • Ensure employees have access only to the systems they need to use to perform their duties. Prohibit employees from sharing system IDs or passwords.