PCI Compliance for Restaurants

To ensure your restaurant is PCI compliant, there are certain measures you need to take to prevent your customers’ personal information from becoming compromised. In addition to making sure your WiFi connection is safe and secure and your restaurant technology up-to-date, this also means training your staff to properly handle guests’ credit cards and personal information.

What is PCI Compliance?

PCI compliance is a set of standards for all merchants who process credit or debit card transactions, no matter how big or small they may be. The compliance must be demonstrated across a business’ entire IT infrastructure – basically, any device that can store, transmit, or track customer card data.

The six major requirements for PCI compliance are:

  1. Build and maintain a secure network connection and infrastructure
  2. Protect customer cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy

Why Your Restaurant Should be PCI Compliant

By ensuring PCI compliance you protect your customers’ personal card data from potential breaches and downtime, while also reassuring them that your restaurant is a trustworthy establishment.

PCI compliance also protects you, the owner, from stiff penalties and astronomical fines, which can include:

  • Investigation of your point-of-sale (POS) system
  • Non-compliance fines with VISA and MasterCard
  • Reimbursement for purchases made using stolen cards
  • Replacement of stolen credit cards
  • Higher fees from banks and lenders

choosing a POS - Upserve

That’s why you as a business owner need to take measures to protect your guests from possible identity theft and yourself from a potential lawsuit or loss of income. These measures don’t just include having proven security policies for your internal business, but also the manual removal of credit card data from your POS system and connected terminals. This includes:

  • Full cardholder account number
  • Cardholder name
  • Expiration date
  • Magnetic stripe data
  • EMV chip data
  • PIN numbers (where appropriate)
  • All authentication data

Most cloud-based POS systems will handle the deletion for you, while this will most likely have to be done manually (and regularly) if you are using a legacy system.

8 Ways to Ensure PCI Compliance in Your Restaurant

Here are a few things you can do to start testing and implementing PCI compliance in your restaurant. It is not an exhaustive list, so be sure to reach out to your POS provider, payments processing company, Wifi provider, and/or bank to ensure you are meeting the standards for full PCI compliance. 

1. Use a Firewall

By establishing a digital barrier between payment data and a public internet network, you can help ensure critical cardholder data doesn’t become exposed to other businesses, guests, or even random strangers. The prevalence of WiFi networks seemingly everywhere means data can easily be accessed if you’re not careful. A firewall keeps your restaurant PCI compliant by helping to protect this data from leaving your network.

2. Delete Cardholder Data

You don’t need to keep credit cards on file, and a good POS system will handle the deletions for you. But if, for some reason, you have a definitive, justifiable business reason for keeping specific cardholder data, be doubly sure it’s stored separate from your primary POS network and is securely encrypted to ensure PCI compliance.

tableside emv compliant pos

3. Change Your Passwords Often

When you get set up with a new POS or other credit card processing system, the vendor will often set you up with a generic password like “1234” or something else simple and easy to remember. Change these stock passwords immediately after your system is set up, then establish a regular cadence of password changes to help ensure that only qualified staff members can access cardholder data or any other business information.

4. Update Your Restaurant POS Software ASAP

While modern POS systems remain fully connected and updated by their cloud-based nature, some legacy software needs to be updated manually. If this is the case with your restaurant, be sure to establish the time to regularly check, download, install and troubleshoot updates before service, so there are no surprises once the doors open to your customers, and you are required to be PCI compliant.

5. Keep Cardholder Information Available to Select Staff Only

Your waitstaff might handle cardholder information, but there’s no reason they need to actually see the information. Swipe or insert the card, process the payment, return the card – this is all the exposure they’ll need. If any members of your restaurant, such as management, have access to cardholder data, make sure they only see it outside the view of other staff.

In fact, it might even be best to limit who handles card transactions entirely, to further your case for full PCI compliance. On that note…

6. Keep Card Transactions Out of Public View

This is another “no-brainer” that many restaurants fail to perform. Card processing should be kept, whenever possible, out of view of guests or the public. Creating a small nook or alcove in your establishment, away from prying eyes, will go a long way toward ensuring the card details stay between the customer and the POS system.

An even better option is to invest in a device that takes tableside payments. This way, the guest is in full view of their credit card at all times, lowering the risk for both themself and your restaurant’s PCI compliance.

7. Reduce the Number of Card-Not-Present Transactions

If you’ve ever wondered why your POS provider charges you more for card-not-present transactions, it’s because the risk of fraud is higher. While you can’t eliminate card-not-present transactions completely, like in the case of online ordering, make sure that keying in a credit card number is a last-resort option when swiping or dipping a card is possible.

8. Make Sure Your System is Also EMV Compliant

While the US still has some catching up to do, EMV readers – aka “the chip” – are currently the global standard for credit card safety. By ensuring that your POS and payments processing complies with EMV standards, you’ll protect your guests’ data and protect yourself from chargebacks.

What Happens if You Don’t Adhere to Restaurant PCI Compliance Regulations?

Depending on the severity and magnitude of the violation, breaking PCI compliance could mean credit card companies could impart fines upwards of $100,000. But looking beyond the financial ramifications, a restaurant owner’s biggest concern when choosing to ignore PCI compliance is the loss of trust.

  • Lost trust from customers, who will choose other restaurants to frequent
  • Lost trust from creditors, who will prevent your business from accepting these cards
  • Lost trust from regulators, who will levy even stronger penalties for further non-compliance.

If you’re in the foodservice business, these three items sound like a recipe for failure – one that will result in the inevitable closure of your business if it is not rectified. So, despite the additional steps needed to keep your restaurant PCI compliant, these extra measures pale in comparison to the work necessary to fix a violation.

See How Upserve POS Can Help Prevent Fraud at Your Restaurant!

66% of businesses have found meeting EMV compliance standards a challenge. Feel confident about your restaurant and EMV with the ultimate guide.

Download The Guide
Written by   |  
Stephanie is a Providence, RI native and eight-year food industry veteran. As Upserve's Content Marketing Coordinator she creates materials that help restaurateurs, managers, and service professionals succeed. When she's not writing, Stephanie is most likely traveling, cooking, or trying new restaurants.