New technology tools in the restaurant industry present new opportunities for businesses to streamline operations. However, this boom in technology also comes with security and hacking risks, especially in payment processing.
How can you protect your business, your customers, and your data while adopting new technology? It is more important than ever to maintain security standards such as your restaurant’s PCI compliance. With the current trend toward cashless transactions, there should be an increased emphasis on PCI compliance in your restaurant business.
While many in the restaurant industry have heard of PCI compliance for restaurants, the concepts and guidelines can seem complicated. However, it’s critical to maintaining a successful business and trustworthy reputation. Fully understanding PCI compliance is necessary for any restaurant using technology today.
What is PCI compliance?
PCI compliance, also referred to as PCI DSS compliance, means meeting the Payment Card Industry Data Security Standard (PCI DSS). It was started in 2006 by a group of payment processors, including Visa, Mastercard, JCB, Discover, and American Express.
According to the official overseeing organization, the PCI Security Standards Council, PCI compliance is a security standard that applies to any business that stores, processes, or transmits cardholder data. For businesses of all sizes, if you process credit cards in any way, the system should be fully compliant with PCI standards.
The PCI Security Standards
To stay relevant to a changing technological landscape, PCI standards have been updated since their inception. PCI compliance is based on the current standards and regulations businesses across all industries must follow to accept credit and debit cards.
Compliance is regulated across a business’ card processing system. This covers the IT infrastructure that stores, processes, or transmits payment information, from a server POS terminal to your restaurant accounting software.
Why is PCI compliance important for restaurants?
Following PCI standards protects both your business and your customers’ information. Your point-of-sale (POS) system processes and stores enormous amounts of sensitive information. If you are not taking necessary precautions to protect your data, you are taking a large risk.
PCI compliance for restaurants is not required by law, so a restaurant cannot face criminal charges if it is not compliant. However, if your business has a data breach and is found to be noncompliant, your business faces tough consequences.
Whether you are a small restaurant business or an international restaurant brand, the PCI Security Standards Council can levy enormous fines that can easily put you out of business. Even if your business survives the steep fines, the damage to your reputation may prevent your business from ever recovering.
How to become PCI compliant
Most credit card processors provide helpful resources and tools for their business customers to become PCI compliant, and will even market their products’ compatibility with PCI standards.
However, your responsibility as a business doesn’t stop there. Your hardware or software may be PCI compliant, but that doesn’t guarantee that your restaurant business is compliant. As a restaurant operator, you have a responsibility to oversee full PCI compliance, both in the technology used and the security systems you have in your restaurant.
If your processor doesn’t provide specific resources for PCI compliance for restaurants, you may need to research the compliance process yourself. Your business will fall into one of four “levels” of compliance, based on the number of transactions your business completes per year. Many restaurants are considered “level 4,” which allows you to oversee your own compliance through a self-assessment questionnaire.
The PCI process is made up of many steps. If you are starting the process, one of the best resources comes from the official overseer of PCI Compliance, the PCI Security Standards Council.
Seven tips for maintaining PCI compliance
When some restaurants achieve “PCI Compliance,” they mistakenly view their work as done. However, because technological threats and breaches evolve constantly, your business needs to stay up to date on compliance. Cybersecurity and PCI compliance are about managing risk, and they require consistent effort to respond to new challenges. To start, here are seven tips for maintaining your PCI compliance.
1. Use a Firewall
With Wi-Fi networks now available in most businesses, your data may be accessible to hackers if you do not implement security measures like a firewall. A firewall is a barrier between your internal network and untrusted networks. By isolating certain traffic, such as data from your POS terminals, it helps prevent payment data from leaving your network and being accessed by unauthorized users.
2. Use an Anti-virus Program on Your POS Systems
Your POS system stores a large amount of extremely valuable data, making it a prime target for hackers. Ensure your anti-virus and anti-malware software is completely up to date on your networks and your hardware. Properly configured security software will help make sure your POS and any device connected through POS integration are protected.
3. Delete Credit Card Data
Your POS system should already use industry-standard encryption or tokenization when it is transmitting debit or credit card data. This means that this data is kept safe, because it is not stored in your restaurant. In rare situations such as an internet failure or temporary POS system outage, you may need to temporarily store credit card information. However, not storing credit card data, or regularly deleting data, is the best practice to remove the payout for hackers and ensure the safety of your customer data.
4. Use a Strong Password and Change Your Passwords Often
A common vulnerability in many restaurant cybersecurity efforts is weak staff passwords. If your vendors or software provide you with stock passwords, consider mandating system-wide changes. In addition, regularly requiring staff to change their passwords and to meet certain security requirements for those passwords can help you ensure your system is as strong as possible.
5. Limit Customer Data to Select Staff
To further keep customer data safe, limit which employees have access to data. The fewer points of employee access, the fewer opportunities for hackers. Ensure that you are thoroughly training your staff on cutting-edge cybersecurity best practices. Finally, consider creating a unique ID for different users who have access to customer data, which will allow you to create a trail to audit if there are breaches or issues.
6. Keep Your Network Password Protected
Your network security should already have a proper firewall, but you will also want to ensure it is fully isolated from the public and can only be accessed by certain users. Your network password should follow the same high-security standards as individual user passwords, and it should be changed regularly.
7. Keep Your POS Software Up to Date
Most modern, cloud-based POS systems are connected to automatic updates, but some older software may need to be manually updated. Ensure your system is behaving correctly and is protected through regularly scheduled support checks and installations of updates.
Consequences of PCI noncompliance for restaurants
Although PCI compliance for restaurants requires time, effort, and resources to implement, it is a worthwhile investment when compared to the extraordinarily expensive fines levied on businesses with a security breach. IBM has estimated that the average data breach costs a business $3.92 million, which is enough to put almost any restaurant out of business. Even if your restaurant does survive the fines, the damage to your business reputation can be enough to shutter your doors.
The level of noncompliance penalties from credit card companies will depend on your transaction volume and other specifics of the situation, but you may also lose your ability to be a merchant or accept credit card payments in the long term. PCI standards are the industry standard for a reason: a data breach can not only hurt your name, but it can destroy your business.
In today’s hyper-connected world, if you process credit cards, your system must be fully PCI compliant. Protecting your customer data not only protects your reputation, but it’s also good business.