What you Don’t Know about Data Security and your POS
by Larry Fiel, VP of Marketing for PDQ Signature Systems
Amid the array of acronyms that represent the data security standards put forth by the Payment Card Industry for vendors who develop payment applications and merchants who accept and/or store credit card data are the co-mingled responsibilities for safeguarding consumer transactions. Understanding exactly what these standards mean and how best they can be adhered to can be the difference between sustained business growth and the erosion of financial assets and customer confidence in your restaurant.
The goal of this article is to provide you, the restaurant owner, with an educational overview of what is required—and needed—to properly, securely and compliantly protect your business, employees and valued customers from all forms of cyber-crime.
Enacted in unison by the major credit card companies, the Payment Card Industry Data Security Standard (PCI DSS) encompasses a wide range of security requirements that card-accepting merchants need to fulfill. Non-compliance with PCI DSS can result in chargebacks, fines and penalties, up to and including loss of the ability to accept cards.
PA-DSS, the Payment Application Data Security Standard, is the PCI-mandated standard for software vendors who develop payment applications that store, process or transmit payment cardholder data.
PCI Compliance as a Partnership
In short, these standards mean that your POS provider must be PA-DSS compliant and you, the merchant, must be PCI DSS compliant. Most often, however, there is a “hard” line between what your provider needs to do and what you need to do to achieve compliance. Some POS companies leave the arduous task of becoming PCI DSS compliant fully up to the merchant by offering only self-serve information. Others use a third-party security provider to piece together a “solution” that is often less than what is required for full compliance. But the best POS providers innately understand that data protection is integral to a merchant’s success and, accordingly, work with the merchant to ensure the data integrity of his/her business.
The process of proactively assisting a business owner in becoming (and remaining) PCI compliant is an opportunity for a POS provider to demonstrate committed value. A provider who treats compliance as a partnership is likely to treat all business initiatives as goal-centered endeavors that help solidify long-term relationships.
PCI DSS for POS Providers?
PCI DSS compliance is not just for merchants! PCI DSS compliance also applies to companies that provide services that control or impact the security of cardholder data, including POS providers and managed service providers that provide firewalls, intrusion detection services, etc.
Many POS providers, however, are not PCI DSS compliant, as compliance is a rigid and costly process. The select POS providers who are PCI DSS compliant have proven their commitment to security best practices and the ongoing safeguarding of cardholder data.
Out-of-Scope Payment Processing
“Out-of-scope” refers to a process that completely separates the POS from card data. When out of scope, the POS transmits transaction details (such as the amount and a transaction reference) to a PCI-certified device, which securely captures the card data, communicates with the merchant’s payment processor, and then passes a response back to the POS. Since the POS never receives sensitive cardholder data, it is out of scope for PA-DSS requirements.
Because an out-of-scope solution isolates the POS, it also frees the POS provider from being PA-DSS compliant. However, there are some POS providers that leap ahead of their competitors by being out-of-scope AND gaining PA-DSS compliance. These elite few adhere to software development best practices to build a better product with enhanced product integrity.
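As an added illustration (not code from the page or from PDQ), the following Python simulation shows the out-of-scope flow described above: the POS hands only an amount and a reference to a stand-in payment device, the card is read and sent to a stand-in processor inside that device, and the POS stores nothing but the response. It also includes a simple check a merchant can run over POS-side records or logs to confirm that no Luhn-valid card number has leaked into them. The device, processor, card number and record format are all constructed for the example.

```python
import re

# Constructed stand-in for a PCI-certified payment device. The card is read and
# sent to the processor from inside the device; the POS only supplies an amount
# and a reference and gets back a response that carries no full card number.
class PaymentDevice:
    def __init__(self, read_card, processor):
        self.read_card = read_card      # the device's own card reader
        self.processor = processor      # link to the merchant's payment processor

    def authorize(self, amount_cents, reference):
        pan = self.read_card()          # cardholder data exists only inside the device
        result = self.processor(pan, amount_cents)
        return {"reference": reference, "approved": result["approved"],
                "auth_code": result["auth_code"], "last4": pan[-4:]}

def pos_checkout(device, amount_cents, reference):
    """POS side of the out-of-scope flow: it never handles the card itself."""
    resp = device.authorize(amount_cents, reference)
    # This string is the only thing the POS stores or logs about the payment.
    return (f"ref={resp['reference']} amount={amount_cents} approved={resp['approved']} "
            f"auth={resp['auth_code']} card=****{resp['last4']}")

# Check a merchant can run over POS-side records: flag Luhn-valid 13-19 digit
# runs, which would show the POS is receiving cardholder data after all.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return Luhn-valid card-number candidates found in a record or log line."""
    cands = (re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(text))
    return [c for c in cands if luhn_valid(c)]

def demo():
    swipe = lambda: "4111111111111111"  # constructed test card number, read by the device
    processor = lambda pan, amt: {"approved": luhn_valid(pan), "auth_code": "A1B2C3"}
    record = pos_checkout(PaymentDevice(swipe, processor), 1250, "T1001")
    return record, find_pans(record)    # an out-of-scope POS record yields no PANs

if __name__ == "__main__":
    rec, leaks = demo()
    print(rec, "| PANs found in POS record:", leaks)
```

Running find_pans over real POS exports or logs is a quick way to sanity-check that an “out-of-scope” deployment actually keeps card numbers off the POS.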
QIR Certification
QIR refers to a company that is a PCI Qualified Integrator & Reseller. Per PCI requirements, a vendor that implements, configures, and/or supports payment applications must be QIR certified.
Both the company and its employees earn the certification, and it must be renewed every 36 months. Only QIR-certified personnel can install and/or service payment devices, POS applications and POS terminals.
Self-Assessment Questionnaire (SAQ)
PCI DSS requires business owners to complete an annual Self-Assessment Questionnaire (SAQ) regarding their compliance with PCI DSS. Detailed and technical in nature, completing the SAQ can be a daunting, time-consuming task. But if you have a comprehensive, compliant security solution from an approved vendor, this chore can be lessened, as most of the needed information should be pre-filled on your behalf.
EMV Payment Devices
An acronym for Europay, MasterCard and Visa, EMV refers to “chip-enabled” credit/debit cards. PCI DSS requires the use of EMV-enabled payment processing units. In 2015, a “liability shift” made merchants who do not employ EMV-enabled payment devices financially responsible for EMV credit card fraud.
A less-touted (albeit meaningful) benefit of using EMV payment devices is the ability to accept Near-Field Communication (NFC) payments, such as Apple Pay, Android Pay, and Samsung Pay. This form of contactless payment via a smartphone is wildly popular with millennials and its use continues to grow.
Holistic Data Protection
While the focus of PCI DSS is on the protection of credit card data, there is additional data that needs to be protected, including sensitive employee, store and customer information. This information typically resides on the network that is connected to the POS, and without additional security it is vulnerable to breaches both from insiders with removable media and from external attackers via the internet. Locking down the POS without fortifying the “back end” is akin to locking your front door and leaving the rear door wide open!
Many POS providers, however, do not have a comprehensive end-to-end data protection solution, as they believe their scope is limited to credit card data. In effect, they are saying the responsibility falls on the business owner to secure anything that is not directly related to PCI DSS, including Social Security numbers, store profit/tax statements and addresses/phone numbers.
One Call to One Vendor, Any Time of Day
Issues that require service and support do not always occur when it’s most convenient, nor do they always arise between 9 and 5, Monday through Friday. And when there are multiple vendors providing multiple services, such as your POS provider, data security vendor and hardware security supplier, the time to resolution can increase dramatically.
A POS provider that has a 24x7x365 help desk, and offers a suite of security products and services that are managed in-house, provides assurance that any issue will be addressed in a timely, expedient and effective manner, without the inherent and frustrating delays that accompany vendor-to-vendor communications (and finger-pointing).
What to Look For in a POS Provider
The complex path to PCI compliance and end-to-end cyber security is fraught with detailed requirements and arduous processes. A POS provider that is certified by the PCI for following PCI best practices in product development, excels in end-to-end data and cyber security, and treats the entire process of security as a partnership with the merchant will ensure a simple transition to compliance, safeguard all types of sensitive data, and ultimately protect a business’s most valuable asset: its brand.
The following checklist of POS provider “musts” will help ensure you find the right POS company for your growing business:
- PA-DSS compliance (regardless of in-scope or out-of-scope payment processing)
- PCI DSS compliance
- QIR certification
- SAQ pre-fill
- EMV-enabled payment devices with NFC capabilities
- A comprehensive, PCI compliant security solution in which the point-of-sale is sold in tandem with protective cyber-safeguards for your store’s ENTIRE environment
- “In-house” management of all security products and services
- An expertly trained help desk that is available 24x7x365
Your business deserves nothing less…
PDQ Signature Systems
For over 30 years PDQ POS, from PDQ Signature Systems, a multi-award winning provider of point-of-sale systems for the restaurant industry, has been helping local independents and nationwide franchises/chains sell more food to more people more efficiently—while controlling costs and saving time/effort. Learn more at PDQpos.com or call 877-968-6430 today.
About the Author
Larry M. Fiel, VP of Marketing, PDQ Signature Systems
With 35+ years of proven experience and leadership in product marketing, business development, communications, public relations and service & support for numerous verticals in the private and not-for-profit sectors, Larry has leveraged his technology prowess with the ability to create, foster and propagate a company’s most important asset: its brand. Larry is also an educator, author and mentor, and has earned both an MBA and an MS in MIS, along with a BS in Education in English and a BA in Marketing.
Image by U.S. Department of Defense Current Photos (130504-N-IE116-072) [Public domain], via Wikimedia Commons