Understanding the Importance of the PCI Data Security Standard
The PCI Data Security Standard is a worldwide information security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). It applies to all organizations that hold or process cardholder information from American Express, Discover, JCB, MasterCard, and Visa branded credit and debit cards. The standard was designed to ensure that companies apply rigorous procedures and systems to protect cardholder data from theft. All companies that accept these cards, regardless of their size, must adhere to the PCI DSS requirements, but larger merchants must also go through a third-party audit by a Qualified Security Assessor to verify that the 12 requirements that make up the PCI DSS are met.
One of the PCI DSS requirements (8.3) mandates multi-factor authentication for remote access to networks and systems where credit card data is stored or processed. Multi-factor authentication requires an additional factor to be used to verify a user’s identity. In most cases, a username and password are the first method. With multi-factor authentication, a second method of authentication is required.
For instance, when you call your bank to obtain your balance and you are asked for a PIN or for personal information that only you should know, such as the name of your favorite movie or your mother’s maiden name, multi-factor authentication is being put into play. Rather than relying on a single form of authentication, multi-factor authentication requires multiple factors to prove the authenticity of the caller. Asking the caller to provide multiple pieces of information, like their account number and PIN or their account number and the answer to a secret question, is better than using just one piece of information to verify the identity of the user. However, multi-factor authentication is strongest when you combine two different types of factor. An example is using a physical device like an ATM card in conjunction with a secret like a PIN. Other examples of multi-factor authentication involve using a security token or fob in conjunction with a username and password. These methods offer stronger security by requiring both something you know and something you have to authenticate.
Many websites have accounts for users that require web authentication. This may require the input of additional personal information to authenticate who you are so you can obtain access to your online account. With password phishing attacks on the rise, requiring multi-factor authentication for websites can really help protect against identity theft and fraud.
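The two-factor login the article describes (something you know plus something you have) can be made concrete in code. The example below is added here and is not code from the original article: it stores the password factor as a salted PBKDF2 hash rather than in plaintext, derives the possession factor from an RFC 6238 time-based one-time password such as an authenticator app produces, and checks both factors with constant-time comparisons. The secret, user name, password and iteration count are constructed for the example; the TOTP secret is the RFC 6238 test key so the codes can be checked against the published vectors.

```python
"""Two-factor login check: a knowledge factor (salted PBKDF2 password hash)
plus a possession factor (RFC 6238 TOTP). Added example, not the article's code."""
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # assumption: a current OWASP-style PBKDF2-SHA256 count
TOTP_STEP = 30               # seconds per TOTP step (RFC 6238 default)
TOTP_DIGITS = 6


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, pbkdf2_hash). Store both; never store the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def check_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP,
         digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1) -> Optional[int]:
    """Return the matching counter if `submitted` is valid for the current step
    or within +/- `window` steps (clock drift), else None. Every candidate is
    compared so timing does not reveal which step matched."""
    counter = unix_time // TOTP_STEP
    matched = None
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            matched = candidate
    return matched


class User:
    """Constructed user record: salted password hash plus base32 TOTP secret."""

    def __init__(self, name: str, password: str, totp_secret_b32: str):
        self.name = name
        self.salt, self.pw_hash = hash_password(password)
        self.totp_secret = base64.b32decode(totp_secret_b32, casefold=True)
        self.last_counter = -1  # highest TOTP step already accepted (replay guard)


def authenticate(user: User, password: str, otp: str, unix_time: int) -> bool:
    """Both factors are always evaluated, so a wrong password does not
    short-circuit and leak through timing which factor failed. A code is
    accepted once only: the step must be newer than the last accepted one."""
    pw_ok = check_password(password, user.salt, user.pw_hash)
    step = verify_totp(user.totp_secret, otp, unix_time)
    otp_ok = step is not None and step > user.last_counter
    if pw_ok and otp_ok:
        user.last_counter = step
        return True
    return False


if __name__ == "__main__":
    # RFC 6238 test key "12345678901234567890" in base32, constructed demo user.
    demo = User("alice", "correct horse battery", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    code = totp(demo.totp_secret, 59)
    print("TOTP at t=59:", code)                                   # 287082
    print("login:", authenticate(demo, "correct horse battery", code, 59))   # True
    print("replay:", authenticate(demo, "correct horse battery", code, 59))  # False
```

The replay guard matters for remote access: a one-time code sniffed from a keylogger or shoulder-surfed is useless once the same step has been consumed, which is the property that makes the second factor an improvement over a second secret question.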
PCI Compliance and Credit Card Security for Retail POS and Restaurants: Background
General Information on PCI and Credit Card Security
Restaurateurs and their customers have long enjoyed the convenience of credit and debit cards. However, given the high cost and incidence of credit card fraud, the major card brands such as Visa, MasterCard, American Express, Discover and JCB have taken preventive measures to safeguard their stakeholders.
IBM invented the magnetic stripe for credit cards in 1968, and it became the industry standard. Because the track data on the magnetic stripe is easy to read and reproduce, the card brands, in all the standards the Payment Card Industry Security Standards Council has built, clearly state the first directive: do not store track data.
The Payment Card Industry (PCI) Standards
The PCI Security Standards Council has adopted a three-pronged approach to protect consumers, banks and retailers / restaurants:
* PCI DSS (Payment Card Industry Data Security Standard) – covers all entities that store, process or transmit cardholder data: merchants, restaurateurs, service providers, processors, etc.
Deadline for compliance: January 2007 (that period is long past)
That means – restaurant owners, regardless of the size of their establishments, must complete and submit a PCI self-assessment questionnaire to their acquiring bank annually.
* PA-DSS (Payment Application Data Security Standard) – covers all applications used to store, process, or transmit cardholder data as part of authorization or settlement (Point-of-Sale (POS) application developers)
The deadlines:
October 1, 2008 – Only software compliant with the new payment application security standard may be newly deployed by agents, merchants and payment processors.
October 1, 2009 – End of the period during which non-compliant applications could still be used in their environments where necessary.
July 1, 2010 – Mandates the use of only applications that support the new standards.
That means – if, after the deadline, a merchant / restaurant is not running a PA-DSS validated application, they automatically fail their PCI assessment and could lose their ability to accept credit cards.
* PIN Entry Devices (PED) standard – covers all PEDs and aims to ensure that cardholder PINs, and all sensitive information such as resident keys, are always protected within a PIN-accepting device.
Deadline for compliance:
January 1, 2004 – All newly acquired Point of Sale (POS) PIN Entry Devices must have passed testing by a Visa-recognized laboratory and been approved by Visa.
July 1, 2010 – Mandates that each point of sale (POS) PED shall have passed testing by a PCI-recognized laboratory and been approved by PCI SSC.
This means – all merchants / restaurants have two years to replace their old and / or non-approved PEDs.
The Do's of the Payment Card Industry (PCI)
* Do routine vulnerability scans of your systems.
* Hold security awareness training for your employees.
* Check who has access to the system.
* Monitor your system activity logs.
* Separated employees must have their access privileges removed.
* Install software patches for your systems.
* Take every threat seriously; have an incident response plan ready.
Don'ts of the Payment Card Industry (PCI)
* Full credit card numbers should not be stored or archived.
* Do not send credit card information unencrypted.
* With the Payment Card Industry, it is not just about making you conform to these standards – it is about protecting you and your customers.
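The two rules that recur on this page, do not store track data and do not store full card numbers, are most often broken by accident: a debugging statement writes the raw swipe or the full PAN into an application log. The example below is added here and is not code from the original article. It scans log text for Luhn-valid 13 to 19 digit card numbers and for Track 1 / Track 2 magnetic-stripe layouts, reports what it found with the number masked to first six / last four (the most PCI DSS requirement 3.3 allows to be displayed), and scrubs the lines so they can be kept. The log lines are constructed; the card numbers are the well-known Visa and MasterCard test numbers, not real accounts.

```python
"""Find and mask card data (PANs and magnetic-stripe track data) in log text.
Added example, not the article's code."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (so timestamps and long ids are skipped).
PAN_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")
# Track 1 layout  %B<PAN>^<NAME>^<YYMM>...?   and Track 2 layout  ;<PAN>=<YYMM>...?
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^?]{2,26}\^\d{4}[^?]*\??")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}[^?]*\??")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; filters out plain numeric ids that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS 3.3 display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str      # "pan", "track1" or "track2"
    masked: str    # masked PAN involved, safe to report


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (kind, masked_pan) for every piece of card data on one line."""
    found = []
    for kind, pattern in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in pattern.finditer(line):
            pan = re.search(r"\d{13,19}", m.group(0)).group(0)
            found.append((kind, mask_pan(pan)))
    # Remove track data before the PAN search so each card is reported once.
    rest = TRACK2_RE.sub("", TRACK1_RE.sub("", line))
    for m in PAN_RE.finditer(rest):
        raw = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(raw):
            found.append(("pan", mask_pan(raw)))
    return found


def scan_log(lines: List[str]) -> List[Finding]:
    return [Finding(n, kind, masked)
            for n, line in enumerate(lines, 1)
            for kind, masked in scan_line(line)]


def scrub(line: str) -> str:
    """Replace track data with a marker and full PANs with their masked form."""
    line = TRACK1_RE.sub("[TRACK1 REDACTED]", line)
    line = TRACK2_RE.sub("[TRACK2 REDACTED]", line)

    def mask_match(m):
        raw = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(raw) if luhn_valid(raw) else m.group(0)

    return PAN_RE.sub(mask_match, line)


# Constructed sample log; card numbers are public test numbers, not real accounts.
SAMPLE_LOG = [
    "2024-05-01 12:00:01 INFO order=1234567890123456 total=42.10",
    "2024-05-01 12:00:02 DEBUG auth request pan=4111111111111111 exp=1225",
    "2024-05-01 12:00:03 DEBUG swipe raw=';5555555555554444=25121011234567890?'",
    "2024-05-01 12:00:04 DEBUG swipe raw='%B4111111111111111^DOE/JOHN^2512101000000000?'",
    "2024-05-01 12:00:05 INFO card 5555 5555 5555 4444 approved ref=ab12",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.masked}")
    for line in SAMPLE_LOG:
        print(scrub(line))
```

Run against real logs, the same scanner doubles as a periodic check that the POS and its middleware are not quietly persisting what the card brands forbid, and the masked output is what a report to the acquirer or assessor can safely contain.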
What Restaurateurs Gain
Given that consumers increasingly expect to pay with credit and debit cards, a restaurant that protects the privacy of its customers is doing good business:
Corporate Reputation / Image
In any competitive business, no restaurant owner wants to be named as the place where card data was stolen.
Protects ability to accept credit / debit cards – Non-compliance and / or a breach may endanger a restaurateur's ability to accept credit / debit card payments. In some cases 80% to 90% of transactions are paid by credit / debit card. Lose the ability to accept credit cards and your restaurant loses customers.
The impact of laws on privacy
Failure to comply with the rules on disclosure of individual credit card data in one of the 40+ states governed by privacy laws may have a double impact on the merchant / restaurant. Being offside with PCI can result in penalties and court costs. Being offside with state privacy protection laws is an offence whose sanctions may be more serious.
Security Policy Compliance
* Make sure you use a PA-DSS or PABP validated POS system
* Make sure you use an approved PED
* Hold regular security awareness training for your staff – especially supervisors
* Do background checks on anyone who has administrative access to your system
* Have a "privacy agreement" contract with your staff
* When you complete your PCI Self Assessment Questionnaire (SAQ), fill in the form carefully and accurately, and when you are unsure of your answers, just ask
* If PCI compliance gaps are identified, develop a realistic plan to correct them
* Maintain controls to ensure compliance maturity
* Access controls
* In system and device management, always use two-factor authentication
* Strong passwords and secure password storage
* Monitoring to detect and log the presence of an attack
* Check your wireless access points
* Maintain a secure configuration
* Segment networks
* Maintain and test an incident response plan
* Review and audit the environment
It can be a daunting task the first time round, but once the above are in place, PCI compliance is not an expensive undertaking. It is good business practice to protect the sensitive information that your customers entrust to you.
About the Author
If you would like to know more about this topic or have a question in mind, you may ask for advice with our Restaurant POS professional serving your area.
The author of this article is the Vice President of Customer Relations at POS-for-Restaurants.com with over 20 years' experience in the restaurant point of sale industry.