Protect Everyone Involved: Basic PCI Compliance Tips

Press enter to search
Close search
Open Menu

Protect Everyone Involved: Basic PCI Compliance Tips

By John S. Ellis, Chief Financial Officer, Ray's Restaurants, LLC - 09/02/2008
As many restaurateurs and franchise operators know, it's hard to be an expert in every aspect of business, particularly in the field of technology, which moves as fast as a line chef at peak serving time. The benefit of using new technology is clear as it can generate more sales and greater efficiency, but it also prompts requirements, with respect to maintaining PCI compliance and standards.

Ray's Restaurants, like so many of our peers, doesn't take the risk of lagging behind from a technology standpoint. Yet when it comes to protecting customers, sales and a good brand name, the most practical step is also the most misunderstood for many. The step that I am referring to is to become PCI compliant, a term most restaurant owners are probably familiar with that stands for Payment Card Industry security standards.

An argument for compliance
The PCI standards apply to every organization that processes credit or debit card information, including merchants and third-party service providers that store, process or transmit credit card/debit card data. PCI PED covers PIN entry devices and PCI DSS (data security standard) includes security measures like encrypting or masking customer data, regularly updating antivirus software, restricting access to card data to only certain authorized personnel and protecting stored information with firewalls, among other things.

Achieving PCI compliance may seem hard for restaurants struggling to keep up with security requirements, which are sometimes difficult to implement, maintain and monitor. But restaurant operators must realize that the stakes are high and without PCI compliance, business risks can be great. Merchants can and likely will be fined and held financially responsible for charges associated with credit card fraud. Not to mention loss of reputation costs if the security breach reaches the headlines. There are many security firms who can help not only with PCI certification, but also in providing guidance as to how to maintain maximum security so that operators remain compliant at all times.

Compliance suggestions
At Ray's we went through a number of steps to achieve PCI compliance that many operators will find useful. First off, we chose a trusted partner because it is absolutely necessary that we protect ourselves and our customers. We found that it is far more practical to rely on a trusted vendor to ensure that we are fully compliant and that our systems are secure. Our company purchased state-of-the-art point of sale systems for all of our restaurants from one of the top POS manufacturers in the country and implemented VeriFone's TablePAY at all three of our Atlanta locations. In addition, we pay for annual maintenance to ensure our systems are up-to-date with all compliance and regulatory matters. The compliance rules are very complex so we rely on the expertise of our POS support company, a licensed reseller of the POS manufacturer.

When it comes to the workforce, we found that it is important to set clear business policies for your employees regarding the access to and processing of credit/debit and payroll card data. Many security breaches actually happen within an organization, so it is critical that policies are clear to employees and consultants. Employees should also be updated regularly with new or different measures being used to ensure PCI compliance. Make sure that you keep your employees up-to-date on any changes made that affect the security of the data you store or transmit.
Operators should also keep records of how their business is complying and validating the PCI standards. Remember that you may be audited and keeping good records will assure that your company will remain in good standing with the credit card companies.

And lastly, be involved in all IT decisions regarding how your business will comply with the regulations.

John Ellis has served as CFO of Ray's since its inception in July 1996. Ray's owns and operates three fine-dining restaurants in the metro Atlanta area with combined annual sales approximating $18,000,000.