1. What is PCI DSS?
PCI DSS = Payment Card Industry Data Security Standard
Maintained by the PCI Security Standards Council (PCI SSC), which was founded by the major payment card brands to improve the security of payment account data
Applies to any company processing, storing, or transmitting payment card data
PCI guidelines are here to help you minimize your risk of losing cardholder data
2. Who in the organization is responsible for PCI compliance?
The business owner (the merchant) is ultimately responsible for PCI compliance within the business and is contractually liable for it under the Merchant Agreement
As the risk owner, you have a fiduciary and legal obligation to protect cardholder data at your business
3. Who is at the greatest risk of a security breach?
Roughly two out of three reported payment card breaches involve the food service industry
Smaller merchants are at the greatest risk because they are the least likely to have implemented the security measures needed to protect their customers and their business
4. Am I obligated to comply with the PCI DSS?
Owner/Operators must adhere to the PCI DSS at ALL times under their Merchant Agreement with their acquirer
Compliance is continuous, not a point-in-time event: all 216 requirements apply every moment of every day, not only when the annual assessment is completed
5. What if I only process a small amount of credit card transactions each year, do I still have to comply?
Yes! The PCI DSS applies to all merchants that process payment cards (credit, debit, gift cards, etc.) regardless of size
6. What are the potential consequences of not complying?
Risk of fines, fees and penalties from the card brands and acquirer - the average cost per compromised record is approximately $100 (forensic investigation, card re-issuance, fines), so the total cost to the business owner can easily run over a million dollars
Risk losing the ability to process payment cards
Negative PR – Franchise brand compromise
Lawsuits
Loss of business – over 60% of customers will not return to a restaurant that has suffered a breach
7. PCI compliance is just about technology, right?
No! PCI compliance is an overall business issue, so everyone needs to be aware of their role. All it takes is one employee who is careless with a customer's card or who unknowingly downloads malware onto the back-office computer, and an attacker can use that foothold to reach cardholder data.
8. How do I report my compliance?
The Self-Assessment Questionnaire (SAQ) is a validation tool published by the PCI SSC to help merchants self-evaluate their compliance with the PCI DSS. There are multiple versions of the SAQ (for example, SAQ A, B, C and D) to address different payment processing scenarios, and the version you qualify for depends on how your business accepts and handles card data; your acquirer can confirm which one applies to you.
The SAQ is used by merchants and service providers that are not required to undergo an on-site data security assessment; Level 1 merchants instead require an on-site assessment and a Report on Compliance. Your acquiring bank (credit card processor) can confirm your level, but typically all level 2, 3, and 4 merchants and service providers must complete a PCI Self-Assessment Questionnaire on an annual basis. Note that several SAQ types also require quarterly external vulnerability scans by a PCI SSC Approved Scanning Vendor (ASV) in addition to the annual questionnaire.
9. How can I implement the necessary steps in my business to minimize the risk of a security breach and ensure PCI compliance?
The first step in creating a proactive security strategy is to establish a comprehensive Information Security Policy (ISP). The main goal of an ISP is to provide a roadmap for you, as the business owner, and for your employees on how to handle and protect sensitive information within the business. It covers all aspects of information security, from technical requirements (such as a firewall between the payment systems and the rest of the network) to ongoing employee education. Properly implemented and kept current, a security policy is vital to the long-term health of your organization.
10. Is there a vendor that can provide a solution to help franchisees with PCI compliance?
Yes! With the SecureConnect PCI packages, franchisees are presented with a comprehensive, turn-key solution to protect the payment card environment and maintain PCI compliance, all at a cost-effective price. Learn more online at www.secureconnect.com