The Green Sheet Online Edition

August 11, 2008  •  Issue 08:08:01

PCI on the menu

By Scott Henry

Restaurants are prime hunting ground for criminals intent on stealing credit card numbers and personal identities. High sales volumes, complex operations and the large number of individuals involved in typical transactions present multiple opportunities for compromise of cardholder data - and, of course, an opportunity for ISOs and merchant level salespeople (MLSs) to educate restaurateurs and sell appropriate security solutions.

Restaurants large and small are equally bound to comply with the Payment Card Industry (PCI) Data Security Standard (DSS). Once on the leading edge of card acceptance strategies and technologies, restaurants, in general, have slipped far behind other industries when it comes to modern payment transaction systems.

Many eateries may be using older POS systems that store cardholder data in violation of PCI DSS rules; others are using outdated card acceptance terminals that don't meet current PCI PIN entry device (PED) standards, making them easy targets for tampering.

Dining establishments are one of the few remaining environments where transactions occur out of sight of the cardholders, creating the potential for the practice known as card skimming.

According to industry estimates, more than 40 percent of all card fraud originates in restaurants. Trustwave, a leading provider of on-demand data security and PCI-compliance management solutions, reported that of the 350 incidents it investigated, more than 54 percent involved restaurants.

Under the PCI mandates, merchants are responsible for the physical security of their payment devices, as well as the actions taken by their employees. It's likely countless restaurant operators are relatively clueless regarding their responsibilities and the potential ramifications of their ignorance.

Restaurant operators need to be educated regarding their responsibility to protect customer data so as to avoid damage to their sales and their company brands in the event of a card-account theft incident.

Helping them achieve PCI compliance represents a tremendous opportunity for ISOs and MLSs to win over new customers and create trusted relationships that will lead to additional sales opportunities.

Facing PCI reality

Until recently, PCI compliance efforts were focused mainly on larger merchants classified as level 1 and level 2 by Visa Inc. But as those larger organizations have increasingly come into compliance, attention has turned to ensuring compliance among smaller organizations. Level 3 and level 4 merchants are moving into the spotlight.

In an indication of how deep the potential market is, Visa said level 4 merchants account for more than 99 percent of the merchants that accept Visa. Therefore, "cardholder data compromises affect level 4 merchants with greater frequency than level 1, 2 and 3 merchants combined," Visa said. In fact, 80 percent of identified compromises since Jan. 1, 2005, have occurred at level 4 merchants.

The PCI DSS now requires acquirers to develop risk assessment programs to identify and manage risk among their merchant populations. Under this program, acquirers may require even the smallest merchants to undergo a quarterly network scan to identify security problems.

Achieving PCI compliance

Attaining PCI compliance tends to be difficult for restaurants because the requirements can be difficult to implement, maintain and monitor. However, the payments industry has developed a wide array of new PCI-compliant products that help restaurant operators ensure secure card practices and make it easier to validate compliance.

Numerous technical and administrative tasks are associated with implementing PCI compliance. Below are some tips you can provide restaurant operators to help ease the process:

Today's typical hospitality business uses a cash register or standalone POS terminal that sits in a fixed location. Each credit and debit card transaction requires multiple steps: The customer waits to receive the check, hands over a card, waits for it to be taken to a counter or back room, and finally is handed a receipt to sign. As consumers grow increasingly concerned about card security - and desire to use PIN debit cards - more and more merchants will be looking to accept payment at the point of service. Portable payment solutions virtually eliminate the possibility of card skimming, while increasing speed of payment and improving customer service.

A couple of years ago, in scoping out the needs of the restaurant industry, VeriFone recognized the need for purpose-built payment systems that would utilize secure wireless technologies to meet the needs of those offering table service, takeout service at the curb and even home delivery.

A key requirement was portable payment acceptance in a system that is impact-resistant and spill-resistant, not to mention easy for a server to use while dealing with trays, dishes, wine-pouring and all the other service attributes consumers expect.

Wireless, PCI PED-approved systems are completely portable and allow consumers to keep their credit or debit cards in hand. The solutions improve the efficiency of servers and counter clerks, freeing up their time to focus on serving the guests instead of processing payments.

Helping restaurant operators understand these new solutions represents a gateway to new sales opportunities. Not only can you help these customers meet PCI requirements, but you can also help them achieve greater productivity and save money by taking full advantage of the lowest cost processing options. That should win you rave reviews.

Scott Henry is Director, North America Product Marketing, for VeriFone. Contact him by e-mail at

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
