So you just upgraded to a shiny new POS system. Your software is now at the forefront of technology. You shouldn’t have to worry about PCI compliance at this point, should you? Maybe, maybe not.
PCI compliance… What a fickle beast you are. Even after 20+ years in the hospitality POS industry, consumer card protection is the one topic that never gets old. For those of you without direct experience with it, here’s a little education on PCI.
Depending on your POS platform, you will be considered an “on premise vendor,” which requires you to fill out either SAQ C or SAQ D. Each of these has its own separate compliance requirements, questions, regulations, etc. If you have integrated credit cards in your POS system, you will be either a SAQ C or a SAQ D. Seems easy enough, right?
The Self-Assessment Questionnaire is a list of questions that the PCI council put together for each merchant to verify their compliance. The council also put together a prioritized approach to the PCI DSS, which is outlined in the handy chart below. Depending on where you are on the chart, there are specific things that must be done to stay PCI compliant. Per the chart, your POS is involved in step 1. Depending on the version of software you are running, there could be some card numbers lingering in the system from the pre-PCI days, but most POS providers have built in a scrubbing tool by now to get rid of these.
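As an added example (not from this post, and not any vendor’s actual scrubbing tool), here is the kind of check that sits behind step 1: a Python scan over a constructed legacy POS export that flags only Luhn-valid card numbers, skips ordinary numeric fields such as loyalty IDs and phone numbers, and masks hits to the first six and last four digits.

```python
import re
from typing import List, Tuple

# Candidate runs of 13-19 digits, optionally separated by single spaces or dashes,
# not touching other digits on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI-style masking: keep first six and last four, hide the middle."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _pan_or_none(match: "re.Match") -> str:
    digits = re.sub(r"[ -]", "", match.group())
    # Length is already bounded by the regex; the Luhn check is the real filter.
    return digits if luhn_valid(digits) else ""


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, masked_pan) for every Luhn-valid candidate in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = _pan_or_none(m)
            if digits:
                hits.append((lineno, mask_pan(digits)))
    return hits


def scrub_pans(text: str) -> str:
    """Replace every Luhn-valid candidate with its masked form, leave the rest intact."""
    return _CANDIDATE.sub(lambda m: mask_pan(_pan_or_none(m)) or m.group(), text)


# Constructed sample export: one well-known test card number, plus look-alike fields.
SAMPLE = """\
2019-03-02 table=12 check=4512 total=38.40
2019-03-02 auth card=4111 1111 1111 1111 exp=0321 approved
2019-03-02 phone=555-0100-1234 loyalty=1234567890123
"""
```

Running `find_pans(SAMPLE)` reports only line 2; the 13-digit loyalty number fails Luhn and is left untouched by `scrub_pans`.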
Step 2 is related to your network. Ensuring you have a perimeter firewall, a log service and a monitoring solution to test compliance is also part of the DSS.
Step 3 also involves your POS system. Ensuring the Windows versions are up to date with the latest vendor-supplied security patches, and that your POS is on a currently supported version, is paramount. The PCI DSS landscape continues to change, and every 2 years the POS providers need to re-establish compliance. So if your POS version is more than 2 years old, you may not be in compliance; make sure you are on the latest vendor-supported version.
Steps 4-6 are unrelated to the POS section of your business, but are internal business processes that the restaurant needs to comply with.
So in answer to “Since I JUST upgraded my POS, am I automatically compliant?”… maybe. Compliance goes beyond just a safe POS network. You could be doing things like applying patches to your Windows environment, ensuring a properly maintained firewall, doing log management and any number of other things to make sure you are compliant. There are several companies out there to partner with that will help you with compliance. If you need further assistance, contact your account manager for clarification.
For more information, visit https://www.pcisecuritystandards.org/.
SAQ A – Card-not-present Merchants, All Cardholder Data Functions Outsourced
SAQ B – Merchants with Only Imprint Machines or Only Standalone, Dial-Out Terminals. No Electronic Cardholder Data Storage.
SAQ C-VT – Merchants with Web-Based Virtual Terminals, No Electronic Cardholder Data Storage.
These SAQ levels, for the most part, are not applicable to restaurants with integrated credit systems. SAQ C and D are the only ones that are relevant, and which one applies depends on your version and the method by which you process cards. If you store only tokens, you would use SAQ C; if you are a standard POS system, you would most likely be a SAQ D – the most intensive category.
SAQ C – Merchants with Payment Application Systems Connected to the Internet, No Electronic Cardholder Data Storage
SAQ D – All Other Merchants and All Service Providers Defined by a Payment Brand as Eligible to Complete an SAQ