PCI Best Practices

In today’s day and age, the security of personal and financial data is one of the greatest areas of potential risk for a restaurant. In a study released in May of this year, the Bank of Canada stated that "Canadians pay cash less than half the time for their transactions." To be accessible to most Canadians, accepting a variety of payment options is essential.

While PCI compliance is highly technical and involves the communication between your in-house point-of-sale system and your credit card processing terminals, the PCI Security Standards Council has outlined 12 best practices that lead to PCI compliance. You should work closely with PCI-compliant software vendors and credit card processors to answer any questions you may have about your systems.

  1. Use a firewall between the public network and the payment card data. There are both software and hardware firewalls. Keep the firewall updated with the latest release.
  2. Do not use the vendor-supplied default passwords that come with your internet equipment or the devices used in payment processing. Change vendor-supplied passwords immediately.
  3. If you can avoid it, do not store cardholder data. This is typically a setting within your POS system. It is rare to have a business need to keep cardholder data, but if you must, ensure that it is protected with strong encryption.
  4. Use encryption to protect all transmission of cardholder data over any public network.
  5. Use antivirus software on all machines in the cardholder data environment and ensure that the software is kept up to date at all times.
  6. Ensure that your card processing applications and systems have vendor-supplied security patches installed.
  7. Limit access to systems that contain cardholder data to as few individuals as possible.
  8. Restaurant owners will typically skip this one so as not to slow down service, but assigning a unique identification (ID) to each user, so that everyone is accountable for their own actions, is critically important in the cardholder data network.
  9. Restrict physical access to server rooms, reports and any other source from which cardholder data could be obtained.
  10. Monitor all access to the network and the cardholder data environment.
  11. Regularly test your security systems and your network environment. You may do this yourself if you know how, or companies like 1 Stop PCI Scan are certified to assist with this requirement.
  12. Maintain a security policy and ensure that all personnel are aware of it.
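Item 3 above says not to store cardholder data, and item 10 says to monitor the cardholder data environment. In practice, the way a restaurant verifies both is to periodically scan the places data quietly accumulates (POS logs, exports, receipts emailed to staff) for primary account numbers that should not be there. The script below is an added example, not code from the original post or from any vendor named in it: it finds 13 to 19 digit sequences, keeps only those that pass the Luhn check (which weeds out order numbers and shipment references), and masks each confirmed PAN to the first six and last four digits so a finding can be reported without copying the card number again. The log lines are constructed for the example; the card numbers in them are the standard publicly known test numbers, not real cards. It is a simple heuristic, not a substitute for a vendor's PCI data-discovery tool.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, sums, checks mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four (the maximum PCI DSS allows to be displayed)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _confirmed_pan(candidate: str):
    """Strip separators and return the digits only if the candidate is a plausible PAN."""
    digits = re.sub(r"[ -]", "", candidate)
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return None


def find_pans(text: str) -> list:
    """Return every Luhn-valid PAN (separators removed) found in a line of text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _confirmed_pan(m.group(0))
        if digits:
            hits.append(digits)
    return hits


def redact_line(line: str) -> str:
    """Replace each confirmed PAN with its masked form; leave other digit runs alone."""
    def repl(m):
        digits = _confirmed_pan(m.group(0))
        return mask_pan(digits) if digits else m.group(0)
    return PAN_CANDIDATE.sub(repl, line)


def scan_log(lines) -> list:
    """Return (line_number, redacted_line) for every line that contains a PAN."""
    return [(n, redact_line(line)) for n, line in enumerate(lines, 1) if find_pans(line)]


# Constructed sample POS log. Lines 1 and 2 use well-known test card numbers;
# line 3 fails the Luhn check; line 4 is a 16-digit reference that is not a card.
SAMPLE_LOG = [
    "2024-05-12 18:42:03 order=10231 card=4111111111111111 amount=42.50",
    "2024-05-12 18:42:09 order=10232 card=5555 5555 5555 4444 amount=12.00",
    "2024-05-12 18:42:31 order=10233 card=4111-1111-1111-1112 amount=9.75",
    "2024-05-12 18:43:15 shipment ref 1234567890123456 dispatched",
    "2024-05-12 18:44:00 order=10234 token=tok_8f3a card_last4=1111",
]

if __name__ == "__main__":
    for line_no, redacted in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: cardholder data found -> {redacted}")
```

Run against the constructed log it reports lines 1 and 2 only, with the card numbers already masked in the output, so the report itself does not become another place cardholder data is stored. Point `scan_log` at real POS log files to use it as a recurring check that the "do not store cardholder data" setting is actually doing its job.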

For more information about PCI compliance standards, visit: