Credit Card Compliance and What This Means to the Independent Restaurant Owner
The "CISP" (Cardholder Information Security Program) was instituted back in 2001 by Visa USA as an information security standard to help protect Visa® cardholder data from getting into the wrong hands. In 2004, this program became an industry standard known as PCI (Payment Card Industry) DSS (Data Security Standard) from the efforts of Visa and MasterCard® to create common industry security requirements.
In September 2006, five major credit card payment brands (Visa International, MasterCard Worldwide, American Express, Discover Financial Services and JCB) collaborated to form the PCI Security Standards Council as an independent body to oversee the development of the PCI data security standard.
The PCI standard is a compilation of technology requirements for retailers and companies that process credit cards to ensure the protection of cardholder data by establishing industry standards for securing networks and software applications, maintaining a vulnerability management program, and verification of compliance through third-party assessment.
What does this mean for you? The short answer is this: If you accept credit cards, particularly if you process credit card charges through your POS system, then you need to take a proactive approach to becoming PCI-compliant.
For the last couple of years, PCI compliance efforts have been directed toward credit card processors, acquirers (bankcard service provider) and larger merchants. The Visa CISP initiative classifies merchants into four distinct levels based on the number of transactions processed annually and defined as follows:
- Level 1: Any merchant, regardless of acceptance channel, processing more than 6 million Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
- Level 2: Any merchant, regardless of acceptance channel, processing 1 million to 6 million Visa transactions per year.
- Level 3: Any merchant processing 20,000 to 1 million Visa e-commerce transactions per year.
- Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing 1 million or fewer Visa transactions per year. This includes most small merchants, including independent restaurateurs.
Likewise, the other credit card company brands (MasterCard, American Express, Discover and JCB) have similar merchant level delineations. PCI compliance efforts have thus far been largely directed toward merchant levels 1 through 3 because most transactions involving sensitive cardholder information pose a greater risk when that data is compromised. Last December, Level 1 retail giant TJX Companies Inc. reported that hackers may have compromised the data of more than 45 million cardholders. TJX has spent at least $256 million dealing with this breach and it is not over yet for three New England Banking Associations, as individual banks are now filing lawsuits. What will probably happen is a class-action lawsuit of all the cardholders that had their information stolen, with damages.
Closer to the restaurant industry home, Chipotle Mexican Grill Inc. reported in its 2005 annual report paying more than $1.3 million in fines from Visa and MasterCard as a result of possible theft of customer cardholder data that led to more than 2,000 incidents of fraudulent charges, which occurred prior to August 2004.
The TJX and Chipotle incidents involved larger merchants that process millions of transactions per year. With Level 4 having the qualification of fewer than 1 million Visa transactions per year, virtually all independent restaurants are considered Level 4 merchants. However, with the validation process well under way, nearly half of merchants in levels 1 through 3 are now in compliance, with the remainder in the process of becoming compliant, or face fines, up to $500,000 per incident, for any merchant or bankcard service provider that is compromised and not compliant at the time of the incident. This includes independents.
Now the major credit card brands are turning their efforts toward Level 4 merchants, which very likely includes your business. Their big concern is that there are hundreds of thousands of merchants using POS software for credit card verification -- much of which is not PCI compliant. The problem is that many of the noncompliant software programs store the track data that is embedded in the magnetic stripe on the back of credit cards. Perpetrators can use this data to create duplicate plastic credit cards that can be sold on the black market and then used to run credit card charges to their limits before the cardholder is aware of the theft.
To Continue Learning




