The PCI Security Standards Council has released an updated version of the Data Security Standard (PCI DSS), the set of requirements for any organization that stores, processes or transmits cardholder data. That includes restaurants, at least those that accept credit cards. Version 3.0 takes effect Jan. 1, 2014, but merchants may continue to validate against the previous version until the end of 2014, so the new requirements are not mandatory until 2015. Like its predecessors, PCI DSS 3.0 is not easy reading unless you also double as your business’ IT director.
The good news is that there are no major changes in the update, and the document is easier to navigate. Version 3.0 adds more guidance on best practices, stronger direction on password policies, and new expectations for training staff on point-of-sale security, such as checking payment terminals for tampering.
“There really is nothing additional or more complex,” says Rodolphe Simonetti, managing director of Verizon’s payment card industry services. “It’s really about making the standard easier to read and manage.”
For example, he says, this version clarifies the penetration testing requirement that accompanies a PCI assessment. The “scope” of the assessment covers every system that stores, processes or transmits cardholder data, plus anything connected to those systems; if the card-handling systems are properly segmented from the rest of the IT environment, only the segmented portion is in scope. Version 3.0 also expects the penetration test to confirm that the segmentation actually isolates the cardholder data environment (Requirement 11.3.4), not merely that it exists on paper. The penetration test matters, Simonetti says, because it lets a qualified tester probe the systems and data involved in card processing (the scope) for weaknesses, “rather than wait for a bad egg to find out it’s vulnerable.”
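A segmentation check of the kind the paragraph above describes can be run with an ordinary port scanner from a host on the out-of-scope network and then evaluated against the list of in-scope addresses. The following Python is an added example, not code from the article or from Verizon: it parses nmap’s grepable (`-oG`) output and reports every cardholder-environment port that was reachable from the scanning host. The network ranges, the scanner address and the scan output are all constructed for illustration.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Hypothetical layout (an assumption for this example): the cardholder data
# environment (CDE) is 10.10.0.0/24, and the scan is launched from a host on
# an out-of-scope segment, 10.20.0.0/24. Adjust both to your own network.
CDE_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]
SCANNER_IP = "10.20.0.7"

# Constructed sample of nmap -oG output (not a real scan). One CDE host
# accepted a connection on 443 from the out-of-scope segment; the rest is filtered.
SAMPLE_SCAN = (
    "# Nmap 7.94 scan initiated as: nmap -sS -p 22,443,3389 -oG - 10.10.0.0/24\n"
    "Host: 10.10.0.5 ()\tPorts: 22/filtered/tcp//ssh///, 443/open/tcp//https///, "
    "3389/filtered/tcp//ms-wbt-server///\tIgnored State: filtered (0)\n"
    "Host: 10.10.0.9 ()\tPorts: 22/filtered/tcp//ssh///, 443/filtered/tcp//https///, "
    "3389/filtered/tcp//ms-wbt-server///\n"
    "# Nmap done\n"
)

# "Host: <ip> (<name>)<tab>Ports: <entries>[<tab>Ignored State: ...]"
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_grepable(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Map each scanned host to (port, protocol, state) triples.

    Each port entry has the form port/state/protocol/owner/service/rpc/version.
    Hosts with no Ports field (e.g. down hosts) are skipped.
    """
    results: Dict[str, List[Tuple[int, str, str]]] = {}
    for line in text.splitlines():
        match = HOST_LINE.match(line)
        if not match:
            continue
        host, ports_field = match.group(1), match.group(2)
        entries = []
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3 or not fields[0].isdigit():
                continue
            entries.append((int(fields[0]), fields[2], fields[1]))
        results[host] = entries
    return results


def in_cde(ip: str, cde_nets=CDE_NETWORKS) -> bool:
    """True if the address falls inside any in-scope (CDE) network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in cde_nets)


def segmentation_findings(scan_text: str, scanner_ip: str, cde_nets=CDE_NETWORKS):
    """Return (scanner, host, port, proto) for every CDE port reachable from the scanner.

    Both 'open' and 'open|filtered' count as reachable: if the segmentation
    works, nothing on the CDE should answer an out-of-scope host at all.
    """
    if in_cde(scanner_ip, cde_nets):
        raise ValueError("the scanner must sit on an out-of-scope segment")
    findings = []
    for host, entries in parse_grepable(scan_text).items():
        if not in_cde(host, cde_nets):
            continue  # not a CDE host; irrelevant to the segmentation test
        for port, proto, state in entries:
            if state.startswith("open"):
                findings.append((scanner_ip, host, port, proto))
    return findings


if __name__ == "__main__":
    hits = segmentation_findings(SAMPLE_SCAN, SCANNER_IP)
    if hits:
        print("FAIL: segmentation does not isolate the CDE")
        for src, dst, port, proto in hits:
            print(f"  {src} -> {dst}:{port}/{proto}")
    else:
        print("PASS: no CDE ports reachable from", SCANNER_IP)
```

Run the real scan from each out-of-scope segment in turn (one scan per segment, since each has its own firewall path into the CDE), feed each output file to `segmentation_findings`, and keep the results with the penetration-test report; an empty list is the evidence an assessor wants to see for the segmentation claim.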
Simonetti says that although PCI compliance can sound daunting to a restaurateur, the current trend is for merchants to outsource card processing and the associated IT systems to vendors that are themselves PCI-compliant and listed as validated by the Council. “This solution guarantees that between the point of sale and the providers and bank everything is encrypted and the merchant can’t see it, which drastically reduces the scope of the assessment,” he says.
In practice, a restaurateur who routes all card data through validated vendors and never handles it in the clear has far less to assess: the merchant typically qualifies for one of the shorter self-assessment questionnaires rather than a full audit. It does not remove the obligation entirely; the merchant still has to protect the payment terminals, keep a list of its service providers and confirm each year that they remain compliant. “More and more merchants within retail, travel and hospitality are looking at this approach so they can focus on the core business and leverage service providers who can manage payments for them,” Simonetti adds.
Check out the PCI Security Standards Council website for the full text of the standard, the self-assessment questionnaires, lists of validated companies and products, and other guidance on becoming compliant.