10 Things Every Bar or Restaurant should be doing for PCI Compliance
We’ve been dealing with PCI Compliance now for almost 10 years. During this time, we have been able to identify the 10 key areas that should be Best Practice policies for all bars and restaurants in Los Angeles, and anywhere else for that matter.
You’ll find that implementing at least a third of these practices will improve your bar or restaurant’s PCI compliance resilience. It’s not as daunting as it might sound at first, and many (if not all) of them are fairly easy to do. They do require ongoing adoption of the practices to make the difference. “Adjust and Done” is NOT A THING when it comes to Security, and especially not PCI Compliance.
1) Use a Hardware Firewall
a. Firewall systems are designed to keep unauthorized users from accessing any data in your network. What’s great is that installing a firewall software system isn’t that hard. Both Mac and Windows operating systems come with prebuilt firewalls, but they are only as resilient as the machine they are on. Once the host is compromised, all of its security is too.
b. A separate Hardware Firewall, like a SonicWall or Cisco Security Appliance, provides Network Level protection with far greater (and necessary) security abilities, all independent of the host computers on the network. This type of protection provides a Protective Barrier for your entire network.
c. The appliance must be configured to get the most out of it. Default settings and credentials are not strong enough by themselves. Keeping Firmware up to date, a minimum of once a year, is key to maintaining the current protective tools and knowledge available from manufacturers, who identify new threats (if not flaws in their own systems) and release the patches needed to mitigate them.
2) Use a reputable combination of anti-virus, malware protection, and phishing / SPAM protection service, software or programs, and make sure they’re continually updated. Set and Leave is not PCI Compliant.
a. These types of Cyber Security software programs are another necessary tool you need to implement in order to protect your systems against malware, viruses, and other threats that can take your system down for hours, potentially cutting off access to your POS. That can lead to direct loss of monies and transactions!
b. Note: It’s important to continually update them, though. If your anti-threat software isn’t updated, it’ll be more vulnerable to newer malware and viruses. It can feel like that leaves you even more exposed than having nothing at all; not quite, but just as dangerous!
3) Change DEFAULT CREDENTIALS on all Connected Solutions
a. If you install any new hardware or software (especially any that is directly involved in credit card transactions) into your environment, NEVER use the default system passwords that come with them. Most hackers know what these passwords are, since the vendors post them on their websites for genuine support reasons, so if you don’t change them, they’ll be able to easily get into your system.
b. Using a 3rd party solution to manage and store your saved credentials is a good way to encourage this Best Practice, rather than letting the solutions themselves be the reason for noncompliance.
4) Make sure that the only Management members with access to cardholder data are the ones that need to know this information.
a. The keys to the Kingdom should be guarded like a stack of gold. Giving everyone full access to things because it’s easier is not PCI Compliant. Unique credentials for everyone is a MUST!
b. Keeping sensitive credit card data limited to specific members of your team (you, your general manager, your IT manager, etc.) will demonstrate a Best Practice on your part in the event of a breach and audit for any Bar or Restaurant.
5) Never store sensitive cardholder data on your hardware, in your software directories, or anywhere else, and especially not offline in printed reports or logs.
a. If you were to store this information anywhere – even, say, having a credit card number written on a piece of paper that’s lying around – you would open up the possibility of fraud. Have a Policy in place that teaches Management what to do when they have credit card numbers on any paper. Faxes, authorization forms, photocopies, and even carbon copies can all be areas of exposure.
b. By avoiding storing any sensitive data, you reduce the likelihood of this information being shared or stolen.
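One practical way to enforce point 5 is to scan the reports and logs your POS and back-office systems produce for anything that looks like a full card number, so stray PANs are found before an auditor (or an attacker) finds them. The scanner below is an added example, not code from the original article or from any POS vendor: it pairs a loose digit-run regex with a Luhn check so that order numbers and timestamps are not reported, and it reports only a masked form (first six and last four digits) so the scan output does not itself become stored cardholder data. The sample log lines and the card numbers in them are constructed test values.

```python
import re

# Runs of 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: real card numbers pass, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return every Luhn-valid 13-19 digit number found in a line of text."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Keep first six and last four, which is the most PCI DSS allows on display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_lines(lines) -> list:
    """Return (line_number, masked_pan) for every exposed card number."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings


# Constructed sample report lines. 4111... and 5500...0004 are well-known
# industry test card numbers, not real accounts; the order number is a
# 13-digit run that fails Luhn and must NOT be reported.
SAMPLE_REPORT = [
    "2024-01-01 12:00:00 sale approved auth=123456 card=4111 1111 1111 1111 total=42.10",
    "2024-01-01 12:05:13 order #1234567890123 table 7 total=18.00",
    "2024-01-01 12:09:40 refund card=5500-0000-0000-0004 total=-9.50",
    "2024-01-01 12:11:02 sale approved card=************1111 total=7.25",
]

if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_REPORT):
        print(f"line {line_no}: exposed card number {masked}")
```

Run it against exported POS reports, fax logs, or anything you are about to print; a hit means that document must be shredded or the export reconfigured, not filed. The Luhn filter keeps the noise down, but it is a screen, not proof: a number that passes Luhn still has to be confirmed by someone who is allowed to see the original.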
6) Use password-protected, encrypted wireless access points with unique individual credentials.
a. Wireless is necessary in every environment, so securing the devices that access your wireless network is as important as locking up at night and turning on the alarm. Using a single set of wireless credentials for everyone allows for anonymous activity on your network. Not to mention bandwidth loss and potential internet abuse that gets your business blacklisted and your internet access shut off = no credit card processing = LOSS.
b. Creating an individual set of credentials allows for accountability for all actions that are performed on your networks. And in the event of a termination, you can simply disable that person’s access vs. changing it for everyone and on all connected devices.
7) Make sure all POS, local computer, and other system passwords are strong and updated every 90 days.
a. Have you ever been prompted to make a new password and had to meet specific parameters like including a number, at least one capital letter, and at least one symbol like # or %? What might seem simple can make a password much stronger – and thus, harder for a hacker to guess. That’s why the first step with your POS system and other systems is to implement strong passwords.
b. Also, update your passwords every 90 days. That way, they’re fresh, ever-changing, and less vulnerable to hackers. Use the often built-in option of not allowing a user to reuse a similar password for 5 changes. For example, no “Mom1” followed by “Mom2”. “Mom1” and then “Dad1” would be different enough, but maybe not as tough to crack.
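Point 7 is the kind of rule a POS or back-office system can enforce mechanically, so here is the policy as working code. This is an added example, not code from the article or from any POS product: it checks the complexity rules the article lists (a number, a capital letter, a symbol), flags a password older than 90 days, refuses reuse of any of the last 5 passwords, and blocks the article’s “Mom1” to “Mom2” pattern. Two assumptions go beyond the text: a minimum length of 8 characters, and “similar” is judged by comparing the new password with the current one (which the user must type at change time) after dropping digits, symbols, and case, because the 5-password history is kept only as salted PBKDF2 hashes and cannot be compared for similarity.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

# Parameters from the article: 90-day rotation, no reuse within 5 changes.
MAX_AGE_DAYS = 90
HISTORY_DEPTH = 5
# Assumptions added for this example: a minimum length and a PBKDF2 work factor.
MIN_LENGTH = 8
PBKDF2_ROUNDS = 100_000


def complexity_problems(password):
    """Return the complexity rules the candidate password fails (empty list = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 so the history never holds plaintext passwords."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time comparison against one stored history entry."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def too_similar(new, current):
    """'Mom1' -> 'Mom2' is blocked; 'Mom1' -> 'Dad1' is allowed (the article's example).
    Assumption: similarity = same letters once digits, symbols and case are removed."""
    strip = lambda s: re.sub(r"[^a-z]", "", s.casefold())
    a, b = strip(new), strip(current)
    return bool(a) and a == b


def is_expired(set_on, today):
    """True once the password has been in use for 90 days or more."""
    return today - set_on >= timedelta(days=MAX_AGE_DAYS)


def validate_change(new, current, history):
    """history: list of (salt, digest, set_on) tuples, oldest first, newest last.
    Returns the list of reasons the change is rejected; empty means accepted."""
    problems = complexity_problems(new)
    if too_similar(new, current):
        problems.append("too similar to the current password")
    for salt, digest, _set_on in history[-HISTORY_DEPTH:]:
        if matches(new, salt, digest):
            problems.append(f"reused within the last {HISTORY_DEPTH} changes")
            break
    return problems


def record_change(history, password, today):
    """Append the accepted password's hash and keep only the last 5 entries."""
    salt, digest = hash_password(password)
    history.append((salt, digest, today))
    del history[:-HISTORY_DEPTH]
    return history


if __name__ == "__main__":
    # Constructed walk-through: a manager account whose password is 91 days old.
    history = record_change([], "Old-Pass#1", date(2024, 1, 1))
    today = date(2024, 4, 1)
    print("expired:", is_expired(history[-1][2], today))
    print("reject reuse:", validate_change("Old-Pass#1", "Old-Pass#1", history))
    print("reject weak:", validate_change("Mom2", "Mom1", history))
    print("accept:", validate_change("Tap-Room#2024", "Old-Pass#1", history))
```

The history check only ever sees hashes, so the stored list is useless to anyone who copies it; the similarity check works because a password change already requires the current password in plaintext at that moment. Wire `is_expired` into the login path and `validate_change` into the change path, and the 90-day and 5-change rules stop depending on anyone remembering them.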
8) Only use approved PIN Transaction Security (PTS) devices.
a. Approved PTS devices are devices that have been certified by the PCI Security Standards Council and therefore are ones that you know are PCI compliant from the get-go.
b. Generally, most PTS devices are payment terminals. You can see the whole list of approved PTS devices on the PCI website here.
9) Only go with a Trusted and Validated Payment Application to process credit card payments.
a. The PCI Security Standards Council also keeps an updated list of approved Validated Payment Applications – or payment processors – which meet their standards for PCI compliance. (Check out all of the approved Validated Payment Applications here.)
10) Use a current reputable POS software that you know will help you be PCI compliant.
a. In addition to hardware and payment processors, it’s equally important to use POS software that is guaranteed to help you be PCI compliant and protect your customers’ credit card data.
b. If you’re looking at new software solutions, evaluate whether or not the systems have PCI compliance controls built in. (NCR, Micros, and Aloha have many PCI Compliance tools integrated with their solutions and stay up to date with software and processing requirements for you.)
c. If you already have a POS software system in place, keep it and the computer it’s hosted on updated. Many POS software systems now are made to be safe, but only if they’re continually updated. Having an Operating System that isn’t running the latest available security patches, updates, and definitions can be worse than having an outdated POS. Either one can cause system downtime. By now, you know how I feel about downtime and associated losses.
PCI Security Standards are industry Best Practices you can follow to prevent potential data breaches or credit card fraud.