Point of Sale (POS) PCI Compliance

As we have been speaking with our restaurant, retail, bar and salon customers about POS System PCI Compliance, we find that very few of them, even existing merchants, have even heard of the term, much less understand its importance to their business. PCI DSS (Payment Card Industry Data Security Standard) was established by the PCI Security Standards Council, whose mission “is to enhance payment account data security by driving education and awareness of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.” (the above is verbatim from the PCI home page http://pcisecuritystandards.org)

We will cover some basic information about Point of Sale PCI Compliance, with an attempt to simplify and reduce the information down to layman’s terms for what the credit card industry calls Level 3 and Level 4 Merchants – merchants who are processing less than 1 million transactions per year. We have also included links to more detailed information for those who want to study further.

What is PCI DSS?

In simplest terms, PCI DSS is the security rules established by the Payment Card Industry regarding the protection of card holder information. Wikipedia has a good overview on PCI DSS.

What Do We Offer Our Customers to Become PCI-DSS Compliant?

POS Nation has partnered with the leading firms in the PCI Compliance world to arrange several exclusive Point of Sale PCI Compliance options for our customers - all with no upfront costs. Call us today to discuss the below plans so our experienced Sales Team can help you find the right plan to protect your business!
(877) 727-3548

Feature                                                          Premium  Advanced  Basic

  Assistance with PCI Self-Assessment Questionnaires                 +        +        +
  Quarterly System Scans to Detect Potential PCI Security Breaches   +        +        +
  Up to $15,000 Reimbursement for Forensic Audits & $25,000 for
    Related Fines                                                    +        +        +
  $50,000 Guarantee Against Data Breach and Credit Card Theft        +        +        +
  Online Compliance Binder                                           +        +        +
  PCI Education and Task Scheduler for On-Going Maintenance          +        +        +
  Technical Breach Forensic Audit Representation                     +        +        +
  Best in Class Firewall from Juniper Networks                       +        +        +
  Rogue Device Manager                                               +        +        +
  Secure Remote Access Gateway                                       +        +        +
  Automatic Broadband Failover                                       +        +        +
  IP Data Blocker                                                    +        +        +
  24x7x365 Real Time Monitoring                                      +        +        +
  Managed Secure Wireless Environment                                +        +        +
  Family Friendly Internet Browsing                                  +        +        +

Why Does PCI Compliance Matter to Me?

Because if there is a breach*** in your business, the assessment against your business starts at $10,000 and could easily reach over $100,000 for even a small breach. (Please take a look at this video on YouTube.) Running a business POS System without being PCI compliant is like driving your car without car insurance. Although it's against the law in most states, you can get away with it as long as you don't have an accident. If you have an accident without insurance, the cost, especially if someone is injured, could be in the hundreds of thousands of dollars. Here is a list of some of the fees that can be assessed against your business:

  1. Forensic investigation of your POS system = $10,000-$20,000
  2. Reimbursement for purchases made using stolen cards
  3. Replacement for stolen credit cards = $20-$30 per card. (Just 1,000 cards means $20,000-$30,000)
  4. Fines for Non-compliance with the PCI standard. Up to $500,000 with VISA and up to $200,000 with Mastercard
  5. A nearly priceless loss of Brand Equity

***a “breach” could be a) someone from the internet who could be anywhere in the world, b) someone accessing your wireless network, or c) even one of your employees accessing your card holder data.

What Can I Do About It?

There are several ways to address this situation. The best method for you may depend upon the size of your business. One thing to understand is that integrating credit cards into your POS system inherently increases your level of risk no matter what software you use. All POS Systems that run on a general-purpose computer with an operating system are subject to the same standard.

  1. For smaller businesses, typically the most secure option to combat security issues and liability is to use a standalone dial-up credit card processing terminal. Many find it hard to accept that the secure option is a technological step backward. Because this terminal does not connect to the computer system, it requires the cashier to enter the total sale by hand, and it requires making sure that the totals in the standalone credit card terminal match the totals in the Point of Sale System. The reason that this is more secure for a small business is that when credit cards are run through a computer system, someone with the correct resources could accumulate card holder data over a long period of time. With a stand-alone terminal, once the batch is settled, the card holder data is erased and there is no way of accumulating a large quantity of credit card numbers. Again, the number of credit card numbers accessed in a breach is one of the primary factors in the assessments (fines and fees) against any business.
  2. We provide a full POS PCI DSS Compliance solution that includes all the elements of the PCI DSS standard. Please call for full details.
  3. Many merchants are purchasing POS Systems from competitors who either a) fail to mention Point of Sale PCI Compliance or b) provide solutions with only a basic level of security that is not even close to the standard. Although we have a solution that we recommend, we understand that there are other solutions out there, and there are merchants who may not choose our solutions to meet the standard. If you would like a system with a basic security package including anti-virus, a firewall with Stateful Packet Inspection (one basic requirement), and Windows settings configured to limit access to your system, we can provide a solution with basic security.
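The point of option 1 above is that an integrated POS computer can silently accumulate full card numbers in logs, exports and database files, and the count of numbers exposed drives the assessment. The quickest way to check a POS host for that is a cardholder-data discovery scan: find digit runs that look like a card number and keep only those that pass the Luhn check card issuers use. The script below is an added example written for this page, not POS Nation's tooling or any vendor's scanner. The log excerpt is constructed for the example; the card numbers in it are the publicly documented Visa, MasterCard and American Express test numbers, not real accounts.

```python
import re
from typing import List, Tuple

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# which covers the formats a receipt log, debug trace or CSV export would use.
# The lookarounds stop a longer digit run (e.g. a 20-digit ID) from matching in part.
CANDIDATE = re.compile(r"(?<![\d])\d(?:[ -]?\d){12,18}(?![\d])")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right,
    subtracts 9 from doubled values above 9, and requires the sum to be
    a multiple of 10. Every real card number passes; most random digit
    strings (SKUs, order IDs) fail, which keeps false positives down."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Report a hit as first six / last four, the most PCI DSS permits
    to be displayed, so the scan report itself does not store PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line number, masked PAN) for every Luhn-valid card number
    found in the text. Already-masked numbers contain '*' and never match."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append((lineno, mask(digits)))
    return hits


# Constructed POS transaction log for the example. Lines 1-3 leak full PANs
# (industry test numbers), line 4 is correctly masked, line 5 is an inventory
# SKU that happens to be 16 digits but fails the Luhn check.
SAMPLE_LOG = """\
2013-05-07 10:12:01 TRX 1042 APPROVED card=4111111111111111 exp=0515 amt=42.10
2013-05-07 10:15:44 TRX 1043 APPROVED card=5500 0000 0000 0004 exp=1216 amt=8.75
2013-05-07 10:20:09 TRX 1044 DECLINED card=3782-822463-10005 amt=120.00
2013-05-07 10:22:30 TRX 1045 APPROVED card=411111******1111 amt=17.00
2013-05-07 10:25:00 inventory SKU=1234567890123456 qty=3
"""

if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: unmasked card number stored ({masked})")
```

Run it against the POS software's log, export and temp directories (and against an image of the disk, since deleted batch files are still recoverable). Any hit means the system is storing cardholder data, which puts the whole host, and every machine on the same network segment, in scope for the standard; a clean scan is a precondition for the "basic security" setup in option 3, not a substitute for it.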

PCI Misconceptions

Myth 1: My software is PCI Compliant.
Truth: Software by definition cannot be PCI Compliant. There is a standard for payment software, PA-DSS (Payment Application Data Security Standard), but PCI Compliance covers much more than software can provide, including but not limited to the network environment in which you place the system and the policies and procedures that you have as a business owner.

Myth 2: My merchant services provider will take care of everything.
Truth: Most merchant services providers offer very little in the way of full PCI Compliance. Some will provide services to make your systems more secure, or provide services that encompass part of the standard, but to date we have not seen any merchant services company for any of our clients provide a complete solution without sending the merchant to a third-party vendor.

Myth 3: My business insurance will take care of me if I suffer a breach.
Truth: There are very few insurance policies that cover anything related to computer breaches. You should ask before making the assumption that it will be covered.

Additional Resources

PCI Compliance Video from the RSPA
PCI Security Standards Council
PCI Compliance Guide
VISA's page on PCI Compliance
Credit Card Information

****The above information is believed to be correct; however, POS Nation is not to be held liable for any errors, or any damages resulting from errors. This information is for the sole purpose of educating business owners. All recipients of this form are encouraged to do their own additional research or consult with an attorney prior to implementation of any actions that may bear upon PCI compliance procedures.