The Green Sheet Online Edition
August 11, 2008 • Issue 08:08:01
PCI on the menu
Restaurants are prime hunting ground for criminals intent on stealing credit card numbers and personal identities. High sales volumes, complex operations and the large number of individuals involved in typical transactions present multiple opportunities for compromise of cardholder data - and, of course, an opportunity for ISOs and merchant level salespeople (MLSs) to educate restaurateurs and sell appropriate security solutions.
Restaurants large and small are equally bound to comply with the Payment Card Industry (PCI) Data Security Standard (DSS). Once on the leading edge of card acceptance strategies and technologies, restaurants, in general, have slipped far behind other industries when it comes to modern payment transaction systems.
Many eateries may be using older POS systems that store cardholder data in violation of PCI DSS rules; others are using outdated card acceptance terminals that don't meet current PCI PIN entry device (PED) standards, making them easy targets for tampering.
Dining establishments are one of the few remaining environments where transactions occur out of sight of the cardholders, creating the potential for the practice known as card skimming.
According to industry estimates, more than 40 percent of all card fraud originates in restaurants. Trustwave, a leading provider of on-demand data security and PCI-compliance management solutions, reported that of the 350 incidents it investigated, more than 54 percent involved restaurants.
Under the PCI mandates, merchants are responsible for the physical security of their payment devices, as well as the actions taken by their employees. It's likely countless restaurant operators are relatively clueless regarding their responsibilities and the potential ramifications of their ignorance.
Restaurant operators need to be educated regarding their responsibility to protect customer data so as to avoid damage to their sales and their company brands in the event of a card-account theft incident.
Helping them achieve PCI compliance represents a tremendous opportunity for ISOs and MLSs to win over new customers and create trusted relationships that will lead to additional sales opportunities.
Facing PCI reality
Until recently, PCI compliance efforts were focused mainly on larger merchants classified as level 1 and level 2 by Visa Inc. But as those larger organizations have increasingly come into compliance, attention has turned to ensuring compliance among smaller organizations. Level 3 and level 4 merchants are moving into the spotlight.
In an indication of how deep the potential market is, Visa said level 4 merchants account for more than 99 percent of the merchants that accept Visa. Therefore, "cardholder data compromises affect level 4 merchants with greater frequency than level 1, 2 and 3 merchants combined," Visa said. In fact, 80 percent of identified compromises since Jan. 1, 2005, have occurred at level 4 merchants.
The PCI DSS now requires acquirers to develop risk assessment programs to identify and manage risk among their merchant populations. Under this program, acquirers may require even the smallest merchants to undergo a quarterly network scan to identify security problems.
Achieving PCI compliance
Attaining PCI compliance tends to be difficult for restaurants because the requirements can be difficult to implement, maintain and monitor. However, the payments industry has developed a wide array of new PCI-compliant products that help restaurant operators ensure secure card practices and make it easier to validate compliance.
Numerous technical and administrative tasks are associated with implementing PCI compliance. Below are some tips you can provide restaurant operators to help ease the process:
- Set clear business policies for restaurant employees regarding the processing of credit, debit and payroll card data. Many security breaches occur within organizations, so it is critical that policies are clear to employees.
- Inform employees regularly of new or different measures being used to ensure PCI compliance. Make sure employees are up-to-date on any changes that affect the security of data being stored or transmitted.
- Keep records of how restaurants are implementing and validating PCI DSS compliance. Good records will help ensure that restaurants remain in good standing with the credit card companies in the event of an audit.
- Become involved in all IT decisions regarding PCI compliance implementation and validation.
Today's typical hospitality business uses a cash register or standalone POS terminal that sits in a fixed location. Each credit and debit card transaction requires multiple steps: The customer waits to receive the check, hands over a card, waits for it to be taken to a counter or back room, and finally is handed a receipt to sign. As consumers grow increasingly concerned about card security - and desire to use PIN debit cards - more and more merchants will be looking to accept payment at the point of service. Portable payment solutions virtually eliminate the possibility of card skimming, while increasing speed of payment and improving customer service.
A couple of years ago, in scoping out the needs of the restaurant industry, VeriFone recognized the need for purpose-built payment systems that would utilize secure wireless technologies to meet the needs of those offering table service, takeout service at the curb and even home delivery.
A key requirement was portable payment acceptance in a system that is impact-resistant and spill-resistant, not to mention easy for a server to use while dealing with trays, dishes, wine-pouring and all the other service attributes consumers expect. Wireless, PCI PED-approved systems are completely portable and allow consumers to keep their credit or debit cards in hand. The solutions improve the efficiency of servers and counter clerks, freeing up their time to focus on serving the guests instead of processing payments.
Helping restaurant operators understand these new solutions represents a gateway to new sales opportunities. Not only can you help these customers meet PCI requirements, but you can also help them achieve greater productivity and save money by taking full advantage of the lowest cost processing options. That should win you rave reviews.
Scott Henry is Director, North America Product Marketing, for VeriFone. Contact him by e-mail at firstname.lastname@example.org.