PCI Compliance and Your Point of Sale Solution
The payment security landscape can be daunting. But keeping your restaurant and your guests safe from data breaches doesn’t have to be. That’s why we’ve enlisted the help of NEXTEP’s Chief Security Officer Marshall Cummings to give succinct, actionable advice to every restaurateur looking to shore up their payments process.
This is the second in a series of posts aiming to make the fundamentals of payment security easily understandable and decidedly less repulsive than they otherwise might be. Read part one: 3 Basic Payment Security Measures to Take Now.
As WannaCry wreaks havoc among hospitals, banks, and telecommunications companies, and Chipotle and Wendy’s reel from breaches of their own, the subject of PCI compliance has never seemed more pertinent.
The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that accepts, transmits, or stores any cardholder data. The regulations cover networks, hardware, firewalls, employee training, and beyond. Restaurants, of course, are faced with the challenge of keeping up with PCI standards or dealing with the wrath of guests (and the press) when they don’t.
So where do you begin? Start with the hub of all transactions: your point of sale. POS is one of the most critical pieces of the payment security puzzle. In order to choose the best POS for you, you’ve got to know the right questions to ask. So, here are 3 key questions to ask of any POS provider in your bid for PCI compliance and total payment security…
1. Is the POS solution PA-DSS compliant?
Because why shouldn’t we throw in another acronym?
The Payment Application Data Security Standard (PA-DSS) is a set of rules and regulations that dictates how payment software and applications should act within the PCI landscape.
If the POS is PA-DSS compliant, move on to the next question. If it’s not PA-DSS compliant, cross it off the list because it’ll take you out of the running for overall PCI compliance.
2. Does the POS support team practice a PCI compliant remote access methodology?
Beyond PA-DSS certification, POS providers should offer software support methods that are PCI compliant.
As an example, our remote access system leverages a multi-factor authentication process by Bomgar, which adheres to PCI DSS requirement 8.3.2: “Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network.”
3. Can the provider help ensure that their POS operates properly within your virus protection program?
Since POS providers do not install, configure or maintain your firewalls, there’s a limited amount they can do with respect to this requirement. But, they may choose to give you a leg up where they can.
For example, to assist our customers with this task, we inform them up front of exactly what paths NEXTEP data (along with any vendor’s cardholder data) must take through their firewall, so that the customer can easily permit only those paths, in order to create what is commonly referred to as a whitelist firewall. A whitelist makes it harder for unauthorized users to gain access to your system.
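To make the whitelist idea concrete, here is an added illustration (not NEXTEP’s code or configuration) of a default-deny policy built only from the paths a vendor declares, run against a few constructed connection records; every address, network and port below is a placeholder, not a real NEXTEP endpoint.

```python
"""Model of a whitelist (allow-list) firewall for a POS network segment.

The vendor declares the only paths its data must take through the firewall;
a default-deny policy then permits exactly those flows and nothing else.
All networks, hosts and ports here are constructed placeholders.
"""
from ipaddress import ip_address, ip_network
from typing import NamedTuple


class Path(NamedTuple):
    src: str    # source network, e.g. the POS VLAN (placeholder)
    dst: str    # destination network or host (placeholder)
    proto: str  # "tcp" or "udp"
    port: int   # destination port


# Constructed example of a vendor's "required paths" list
VENDOR_PATHS = [
    Path("10.10.20.0/24", "203.0.113.10/32", "tcp", 443),  # POS -> vendor service (placeholder)
    Path("10.10.20.0/24", "198.51.100.5/32", "tcp", 443),  # POS -> payment gateway (placeholder)
]


def is_permitted(src, dst, proto, port, paths=VENDOR_PATHS):
    """Default deny: a flow is allowed only if it matches a declared path."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(p.src) and d in ip_network(p.dst)
               and proto == p.proto and port == p.port for p in paths)


# Constructed connection records: "src dst proto dport"
SAMPLE_LOG = """\
10.10.20.15 203.0.113.10 tcp 443
10.10.20.15 198.51.100.5 tcp 443
10.10.20.15 192.0.2.77 tcp 443
10.10.20.15 203.0.113.10 tcp 22
10.10.20.15 198.51.100.5 udp 443
"""


def audit(log=SAMPLE_LOG, paths=VENDOR_PATHS):
    """Split records into (allowed, denied) under the whitelist policy."""
    allowed, denied = [], []
    for line in log.splitlines():
        src, dst, proto, port = line.split()
        flow = (src, dst, proto, int(port))
        (allowed if is_permitted(*flow, paths=paths) else denied).append(flow)
    return allowed, denied


if __name__ == "__main__":
    for flow in audit()[1]:
        print("blocked by whitelist:", flow)
```

Only the two declared paths pass; an undeclared destination, a different port to a declared host, and a different protocol are all dropped, which is the property a whitelist firewall is meant to enforce.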