The Facts on PCI Compliance

Too Big for Your Breaches?

We hear about the headline-grabbing data breaches: Target, Home Depot, Neiman Marcus, and P.F. Chang’s come to mind. They’re huge companies and the number of customers impacted reaches into the millions.

The major target for data theft is the restaurant.

The major target is you.

PCI Compliance from 50,000 Feet

To protect you from a data breach—and to protect you from liability in case of a data breach—you have to be PCI DSS compliant. It’s a complex and comprehensive standard: hardly something that can be covered in a short blog post. But I did want to highlight a few of the things you must do to stay compliant.

  • Update Existing Technology

Make sure all your technology—that’s hardware, software and your networks—is kept up to date with the latest PCI standard. That includes your POS, your operating systems, and the equipment you’re using.

  • Replace Old Technology

Sometimes compliance means updating technology to new versions, but sometimes it means getting rid of the old technology altogether. That’s the case with Windows XP—once Microsoft stopped supporting the OS, it became by definition non-compliant with PCI.

  • Customize Every Firewall Setting

Here’s the rule when you configure your firewall: no factory defaults allowed. If you’re not a security expert and don’t know the difference between inbound ICMP and inbound NetBIOS traffic, reach out to a security professional for help.

  • Tightly Restrict Access

Employee logins should impose permission levels that restrict or permit a specific employee to access specific parts of the POS. In all cases, make it a policy that passwords are changed frequently. Two-factor authentication is a must for remote access. That means your staff must use two different methods (for instance a keycard and a password, or a PIN and a thumbprint) to gain access to the system.

  • Segment Your Network

Segregate your data traffic into network segments. Target highlights the issue: Computerworld reports that the hackers gained access to Target’s data network by using credentials stolen from one of its air conditioning service companies. If the HVAC company had been on a different network segment from the one used to maintain sensitive data, that break-in would have been avoided.
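The firewall rule above (no factory defaults) and the Target HVAC story come down to one test you can actually run: with deny-by-default in place, can the vendor segment reach the cardholder data environment? The following Python check is an added example, not code from the original post or from Maitre'D; the segment addresses, the rule format and the flows it evaluates are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed segments; the addressing is an assumption for this example.
CDE = ip_network("10.10.0.0/24")           # POS terminals and the card-data server
VENDOR = ip_network("10.20.0.0/24")        # HVAC / maintenance vendor access
GUEST = ip_network("10.30.0.0/24")         # guest Wi-Fi
ANY = ip_network("0.0.0.0/0")
PROCESSOR = ip_network("203.0.113.10/32")  # payment gateway (documentation range)
HVAC_CTRL = ip_network("10.20.0.5/32")     # the only device the vendor needs

def rule(src, dst, port, action):
    return {"src": src, "dst": dst, "port": port, "action": action}

def evaluate(policy, src, dst, port):
    """First matching rule wins; otherwise the policy default applies."""
    s, d = ip_address(src), ip_address(dst)
    for r in policy["rules"]:
        if s in r["src"] and d in r["dst"] and r["port"] in (None, port):
            return r["action"]
    return policy["default"]

# Weak policy: the factory default of accept-everything on one flat network.
WEAK = {"default": "accept", "rules": []}

# Hardened policy: deny by default, then only the flows each segment needs.
HARDENED = {"default": "drop", "rules": [
    rule(CDE, PROCESSOR, 443, "accept"),     # POS to payment processor over TLS
    rule(VENDOR, HVAC_CTRL, 443, "accept"),  # vendor reaches its controller only
    rule(GUEST, CDE, None, "drop"),          # explicit deny before the broad allow
    rule(GUEST, ANY, 443, "accept"),         # guests get web access, nothing else
]}

# Flows to check: (name, src, dst, port, what a compliant policy must return).
# Port 445 stands in for the NetBIOS/SMB-style traffic the post warns about.
CHECKS = [
    ("vendor segment to POS (Target pattern)", "10.20.0.7", "10.10.0.20", 445, "drop"),
    ("guest to card-data server", "10.30.0.9", "10.10.0.2", 443, "drop"),
    ("POS to processor", "10.10.0.20", "203.0.113.10", 443, "accept"),
    ("vendor to HVAC controller", "10.20.0.7", "10.20.0.5", 443, "accept"),
]

def audit(policy):
    """Return the list of findings; an empty list means the policy passes."""
    findings = []
    if policy["default"] != "drop":
        findings.append("default policy is not deny")
    for name, src, dst, port, expected in CHECKS:
        got = evaluate(policy, src, dst, port)
        if got != expected:
            findings.append(f"{name}: got {got}, expected {expected}")
    return findings
```

Running `audit(WEAK)` reports the open default and the vendor-to-POS path; `audit(HARDENED)` returns no findings while the vendor still reaches its own controller.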

  • Secure Data Every Step of the Way

Restaurateurs deal with three types of data: all have vulnerabilities, and all have to be secured through encryption.

  • Data in Use refers to the data that’s actually being accessed at any point in time. That data is on a screen, in a buffer, in cache, in memory: every one of those places is vulnerable.
  • Data at Rest refers to the data stored on your databases. That’s the data that gets the most attention when it’s hacked, since the volume of data compromised is so large.
  • Data in Motion is the point in between rest and use: it’s the data that’s being actively transmitted across cable or wireless connections.

PCI Compliance is now a requirement. If you’re caught with your PCI breeches down (I couldn’t resist just one last pun), you face potentially devastating penalties, which can approach a quarter of a million dollars per event.

This may not be something you can do on your own. Rest assured, Maitre'D POS software has recently been revalidated and is PCI Compliant. However, it is important to validate that all of the system’s other components are also compliant. If you’re not a security expert, bring one in to help you become compliant, and stay compliant. (Our Maitre'D dealers will be able to connect you to those experts.)

THE 12 REQUIREMENTS OF PCI DSS

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update antivirus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.