American Compliance Laboratory
Point of Sale (POS): PCI & Credit Card Security Background
From the day magnetic stripe cards were introduced, both restaurant owners and their customers have enjoyed the convenience of accepting and using credit and debit cards. However, given the sky-high cost and frequency of credit fraud, the well-established card brands (Visa, MasterCard, American Express, Discover and JCB) have taken preventive measures to safeguard their stakeholders.
It was in 1968 that IBM created the magnetic stripe on credit cards, which became the industry standard. Given that the track data on the mag stripe can easily be read and duplicated, the card brands' Payment Card Industry (PCI) Security Standards Council built a set of standards to protect cardholder data, and it begins with the directive: ‘Don’t store track data.’
PCI Standards
The PCI Security Standards Council had a three-pronged approach to protecting consumers, banks and merchants/restaurateurs:
* PCI DSS (Payment Card Industry Data Security Standard) – includes all entities that store, process, or transmit cardholder data: merchants, restaurateurs, service providers, processors, etc.
Compliance Deadline: Month of January 2007 (deadlines are long passed)
What it Means – Restaurant owners, regardless of their establishments' size, must complete and submit a PCI Self-Assessment Questionnaire to their Acquiring Bank every year.
* PA-DSS (Payment Application Data Security Standard) – embraces all applications used to store, process, or transmit cardholder data as part of authorization or settlement (Point-of-Sale (POS) application developers).
Deadlines for Compliance:
Oct. 1, 2008 – Payment processors, agents and merchants must use software that is compliant with the new payment application security standards.
Oct. 1, 2009 – Termination of any noncompliant payment applications that merchants might still be using in their environments will be required.
July 1, 2010 – Mandates the use of only those payment applications that support the new standards.
What this Means – After these deadlines, merchants/restaurateurs that are still using a non-PA-DSS-validated application automatically fail the PCI assessment and could lose their ability to accept credit cards.
* PIN Entry Devices (PED) Standard – includes all PEDs and is aimed at ensuring that the cardholder’s PIN and any sensitive information are protected consistently at a PIN acceptance device, like your resident keys.
Deadline for Compliance:
Jan. 1, 2004 – All newly purchased Point-of-Sale (POS) PIN Entry Devices should pass testing by a Visa recognized laboratory and be approved by Visa.
July 1, 2010 – Mandates that each Point of Sale (POS) PED must have passed the testing of a PCI recognized laboratory and been approved by the PCI SSC.
What this Means – All merchants/restaurant owners get two years to replace their old and unapproved PIN Entry Devices.
PCI Do's
- Do routine vulnerability scans of your systems.
- Do security awareness training for all of your staff.
- Do audit system access.
- Do monitor system activity logs.
- Access privileges must be removed for separated employees.
- Install software patches.
- Be serious when it comes to any threats; devise an incident response plan.
PCI Don’ts
- Whole credit card numbers should not be stored or archived.
- Transmitting credit card information unencrypted should not be practiced.
With PCI, it's not just about making you compliant with the standards – it's all about making you and your customers protected.
PCI's Effect on Restaurateurs
Given consumers’ expectation of universal acceptance of using credit cards, merchants'/restaurateurs’ validation that they are providing protection to their customers' personal data is helpful for business:
Business Reputation / Image
In a highly competitive business, a restaurant owner does not want to be named in the media as the place where card data was stolen.
Protects Ability to Accept Credit / Debit Card Payments - Noncompliance and/or a breach can jeopardize a merchant's/restaurateur’s ability to accept credit/debit payments. There are cases where 80% to 90% of transactions are through credit/debit payments. Losing your store's ability to accept credit/debit cards can mean fewer customers and therefore reduced sales.
Impact of State Privacy Laws
A failure to meet one's obligations that discloses personal credit card information in any of the 40+ states with privacy laws may have a double impact on a restaurateur. Being off-side with PCI might result in fines and lawsuit costs. Being off-side with State Privacy Laws is a crime punishable by confinement, with potentially more serious penalties.
Compliance / Security Strategy
- Make sure your restaurant or store uses PA-DSS or PABP validated POS systems
- Ensure you are using an approved PED
- Arrange for regular security awareness training for your employees, especially for supervisors
- Do background checks on any employee with administrative access to your system
- Have your staff sign a ‘Confidentiality Agreement’
- When it comes to your PCI Self Assessment Questionnaire (SAQ), carefully and accurately complete the form, and when you're not sure of your answers, just ask
- If gaps in PCI compliance are identified, develop a realistic plan to remediate them
- Be mature in sustaining compliance
- Access controls
- Dual factor for system and device management
- Proper storage of strong, secure passwords
- Regularly monitor system activities for possible attacks and record evidence
- Controlling your wireless access points
- Maintain secure configuration
- Segment networks
- Have an Incident Response Plan and test it to make sure that it's always ready when needed
- Test and audit the cardholder environment carefully
It may be a difficult task the first time, but when all of the above are in place, PCI compliance is not an expensive undertaking. It is good business practice to protect the sensitive information of your customers.
About the Author
If you would like to know more about this topic or have a question in mind, you may ask for advice from our Restaurant POS professional serving your area.
The author of this article is the Vice President of Customer Relations at POS-for-Restaurants.com with over 20 years experience in the restaurant point of sale industry.
3 Reasons Why Drug Testing Patients Is The Right Thing To Do
A recent study by the Institute of Medicine showed that 1 in 3 Americans is dealing with chronic pain, with the cost of pain in the US over 500 billion dollars a year. Amazingly, 20% of physician visits include a narcotic prescription.
The growth in narcotic prescriptions in the US over the past 10 years has been exponential. When pain doctors in Arizona write for opiates, they are taking on significant liability. That liability may be mitigated by some safety methods. The first is a pain agreement between the physician and patient setting the compliance boundaries.
A 2nd method of safeguarding is the pharmacy board's state monitoring system. They exist in over thirty states, and are key in helping figure out patients who are doctor shopping.
One of the best methods for safeguarding the physician prescribing opiates at an AZ pain clinic is drug testing, and here are three reasons why it is important:
- Protecting Yourself: A substantial number of individuals receiving narcotics, over twenty percent in fact, will divert their prescriptions. This may seem surprising, but even people who are retired at times need to supplement their fixed income by selling their medications. Drug testing helps make sure folks test positive for the narcotics they are actually being prescribed. If the person is selling his or her drugs and one of the buyers is involved in a tragic auto accident, that prescription may be traced back to the prescribing physician. Assuming the individual has been compliant with their pain agreement, the state pharmacy monitoring board history is looked at, and the urine drug screening has been consistent, it would be very difficult to find fault with the prescribing physician.
- Protecting your practice: As pain management blossoms as a medical specialty more state medical boards are recommending urine drug testing for patients receiving narcotics. Eighty percent of narcotics are written for by primary care doctors, so this recommendation applies to all providers writing these medications.
- Protecting Your Patient: People will at times trade their narcotics for illicit drugs like cocaine, ecstasy, or LSD. Unfortunately, this may deteriorate the condition and place their life at risk with cardiac reaction or potential overdose. One of the best ways to protect against this is saliva or urine drug screening. The test includes both the major prescribed medications along with the most common illicit drugs. One trick people will use is taking some of the prescribed medication the morning of their doctor visit. The way to check for this is to send the sample into a lab for a confirmation of metabolites. It takes time for metabolites to show up, and people often do not know this. Another trick individuals will attempt is utilizing bleach or other adulterants to cheat a positive illicit test. Sending the sample in for confirmation will evaluate for these too.
The major overlying theme for why it is the right thing for pain doctors in Phoenix to drug test patients can be summed up in one word: PROTECTION. Making sure patients comply with the opiate program will allow for better results for one's pain patients along with establishing appropriate safeguards for the physician and the practice.