Many restaurant owners have their heads buried in the sand when it comes to payment security.
It’s understandable. Payment security isn’t a very exciting topic. There’s a lot of confusion. It’s easier to assume your vendor has you covered than to ask and find out you aren’t covered.
While payment security does have a lot of technical complexities, the basics are straight-forward — enough that you should be able to understand your situation and ask the right questions of your vendors.
With that in mind, here’s some knowledge and advice to get you started.
The PCI (Payment Card Industry) Security Standards Council has a very clear set of requirements concerning payment security as it relates to POS systems. The following three security measures work together to protect you and your customers. Their importance cannot be overstated.
Tokenization — The process of taking a cardholder’s primary account number (PAN) and replacing it with a substitute value called a token. If a criminal gains access to the token, it has no value and cannot be used to access card data.
P2PE (point-to-point encryption) — The process of encrypting cardholder data at the point of swipe, dip, or tap until the data reaches the payment company. This is accomplished using cryptographic keys that are known only to the payment company itself. If a criminal intercepts any data, it’s unusable.
EMV — A credit and debit card with an embedded chip that ensures that the card being used at the point of transaction is authentic, thus reducing fraud.
At this point, your POS and payment technology should be using all three forms of security. Your vendor should be able to confirm your standing. Most vendors today are using tokenization and P2PE. If you lack anywhere, it’s most likely with EMV.
As of Oct. 2015, fraudulent charges due to transactions occurring with a non-EMV-compliant payment terminal are charged back to the merchant. The EMV transition in the US was a mess for many in the payment industry, and delays and confusion were common. Today, things are much clearer, and yet some vendors still haven’t upgraded their software to support EMV.
Additionally, some restaurants have chosen not to pay for upgrades to their payment devices to support EMV. Such a decision is short-sighted since EMV upgrades are very affordable today and bring value-adds such as the ability to accept trendy NFC payments.
Online Transactions Must Meet New Standard
A Transport Layer Security (TLS) protocol is used behind the scenes to ensure the data transmission between two online systems is secure. The PCI Council set a June 30, 2018 for systems using “early” TLS version 1 to upgrade to a newer version to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data.
If you collect payments with an online ordering system or have any form of e-commerce, you’ll want to check with your vendors to ensure that their solutions are using at least TLS 1.1 (TLS 1.2 is strongly encouraged). The penalties for not complying could be high. In fact, there have been reports of some payment companies disabling merchants who do not meet these new standards.
Poor Security is Inexcusable and Avoidable
Credit card security is probably the last thing you want to deal with as a busy restauranteur. Unfortunately, it’s necessary to protect you and your customers. However, that doesn’t mean security has to be a burden. If your current vendors are lagging in any of the above areas, it might be time to make a change. With the right partner, you can trust security to them while you focus on delivering quality food and service.
Image courtesy of varinsights.com