Is Your Restaurant PCI Compliant?

In this day and age, small businesses of all kinds should expand past only accepting cash transactions, if they haven’t already. Companies who don’t accept credit cards miss out on a massive customer base who prioritize credit or debit cards. We’re moving away from a cash-only society, often rejecting physical money completely in favor of having an easy and fast payment method. Ever since COVID-19, our priorities have evolved even more to account for contactless payment methods due to concerns about the health and safety of shared surfaces or prolonged physical interaction.

Payment fraud was on the rise when PCI compliance standards were invented back in 2004. Major credit card holders including Visa, Mastercard, Discover and American Express joined together to create a set of standards that would guide safe transaction processes and integrate anti-theft measures into all different businesses, thus making customer experiences safer across every industry.

Together, these credit card companies established twelve requirements that all businesses have to follow if they accept credit or debit—and restaurants are no exception. These standards are regularly updated to be continually effective as technologies, trends and cybercrime all evolve with the times. There are four compliance levels, where businesses fall based on how many card transactions they process per year.

  • Level One: 6M transactions or more
  • Level Two: 2-5M transactions
  • Level Three: 20K-1M transactions
  • Level Four: 20K transactions or fewer

Many restaurants fall under category four, meaning that they need to comply with the standards applicable to that level. The twelve requirements are further grouped into six “goals.” They go like this, as explained verbatim by the PCI Security Standards Council:

Objective 1: Build and Maintain a Secure Network

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  • Req 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Objective 2: Protect Cardholder Data

  • Req 3: Protect stored cardholder data.
  • Req 4: Encrypt transmission of cardholder data across open, public networks.

Objective 3: Maintain a Vulnerability Management Program

  • Req 5: Use and regularly update anti-virus software or programs.
  • Req 6: Develop and maintain secure systems and applications.

Objective 4: Implement Strong Access Control Measures

  • Req 7: Restrict access to cardholder data by business need-to-know.
  • Req 8: Assign a unique ID to each person with computer access.
  • Req 9: Restrict physical access to cardholder data.

Objective 5: Regularly Monitor and Test Networks

  • Req 10: Track and monitor all access to network resources and cardholder data.
  • Req 11: Regularly test security systems and processes.

Objective 6: Maintain an Information Security Policy

  • Req 12: Maintain a policy that addresses information security for employees and contractors.

Compliance can be a tricky, albeit necessary thing. That’s why many tools exist to help you meet those standards and stay that way, despite changing regulations and evolving cybersecurity threats to your restaurant.

Now, many credit card processing vendors will test your compliance and give you what you need to operate their systems safely. Most of the time, processors’ hardware and software come PCI compliant so you don’t have to worry, however it’s important to remember that you need to maintain safety standards throughout your entire operation—and the liability falls squarely on your shoulders. So even if someone promises compliance, it’s best to conduct your own tests just to be positive you’re following all the rules. Now, many credit card processing vendors will test your compliance and give you what you need to operate their systems safely. Most of the time, processors’ hardware and software come PCI compliant so you don’t have to worry, however it’s important to remember that you need to maintain safety standards throughout your entire operation—and the liability falls squarely on your shoulders. So even if someone promises compliance, it’s best to conduct your own tests just to be positive you’re following all the rules.

Fortunately, there are many tools available to make it more manageable. There are many self-assessment questionnaires, or SAQs, online that you can then submit to the bank you use for your merchant account, and they’ll review it to determine whether you meet standards accurately. For added protection, you should also consider using a PCI Approved Scanning Vendor (“ASV”), which will provide another security layer. Using all of these readily available tools makes it easy to follow compliance standards, thus easing some of the trouble and concern over handling these problematic concepts, standards, and systems required to run your business.

Compliance isn’t optional. Maintaining optimal security standards is necessary to your customers, which makes it pressing for you too. Complying with PCI standards also reduces your risk of penalties and fines from your bank, card vendors and merchant processor. Aside from the potential fees, you should avoid data breaches by implementing as many security measures as possible because cyberattacks cost millions of dollars to repair on average—which is to say nothing of the damage that such a scandal can do to a reputation.

It can be difficult to remember all the different rules and regulations you’re expected to follow when you open a new restaurant, or even years into the game when you’re so used to the flow of things that checking in on regulatory standards may slip your mind on the day to day. Use the tools are your disposal to make sure your restaurant is PCI compliant so you can go back to doing what you do best: Great food and excellent customer service.

Leave the technology to the experts—get a demo with eatOS today to find out what else we can do to make your restaurant more manageable and more cutting-edge than ever before.

Editor's Picks