YOUR ATTENTION IS REQUIRED


Team Howard recently sat down with a local restaurant (not using Digital Dining POS) to discuss alternatives to their current POS system. This restaurant allegedly had their credit card data compromised. At no time during the forensic audit that took place was the restaurant actually presented with any evidence that showed how and when the credit card data was actually compromised at their establishment. So far the “compromise” has cost them over $75,000.

A restaurant in North Carolina called their credit card processor after they had been contacted by a diner who felt somebody at the restaurant had stolen and used their credit card to make purchases on the internet. The restaurant's ability to accept credit cards was turned off and a forensic audit was immediately initiated. It turned out the diner had simply made a mistake; there was no compromise. So far, the forensic audit, fines and penalties have cost the restaurant over $70,000 because the restaurant was not using a compliant POS platform or following PCI DSS regulations.

Hannaford Bros. announced that a compromise of its transaction processing network had resulted in the theft of 4.2 million credit and debit card account numbers. The announcement came after Visa and MasterCard warned banks in the northeast United States that a breach at "a major retailer" put customer card data at risk. In 2007, the total number of credit and debit accounts put at risk by data breaches reportedly reached an all-time high. At least two class-action lawsuits have already been filed that target the Hannaford Bros. chain.

A year ago, retail giant TJX Companies announced that online thieves had stolen at least 46.5 million records. The banks and retailer settled in December, with the retailer promising to dole out a total of $41 million to any banks affected by the breach.

As unfair as it may sound, you will be unable to fight the credit card industry if they come knocking on your door. If you are not following PCI DSS guidelines, you will be fined. VISA has stated that the cost of a forensic audit generally begins in the 30K – 35K range, and your credit card agreement states that you agree to pay it.

As you are aware, Team Howard Inc. has been notifying clients of the changing rules and requirements instituted by the Payment Card Industry (PCI) and by Visa's Cardholder Information Security Program (CISP).


PCI Data Security Standard (PCI DSS)

The PCI DSS version 1.1, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, to help facilitate the broad adoption of consistent data security measures on a global basis.

The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

As a merchant that accepts and processes credit cards you are required to establish and maintain the following 12 requirements (the "12 steps" referred to throughout this notice) as outlined by the PCI Data Security Standard (PCI DSS).

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data and sensitive information across open public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security 

*Your action is required*. You may be storing credit card data that is not allowed under current PCI DSS rules. You must verify your Digital Dining software version and adopt the 12 requirements outlined by the PCI. Failure to take corrective action may result in fines and penalties from the governing bodies within the credit card industry (PCI) that could cost you tens of thousands of dollars. Make no mistake: if you are subject to a forensic audit of your credit card security procedures (regardless of whether the auditors know of or find a breach or compromise), the financial impact will be severe and may jeopardize your establishment's solvency. We apologize if this notice causes stress, but we must be sure you are totally aware of the financial risks involved and inform you that non-compliance is NOT an option.

The current PCI DSS compliant versions of Digital Dining software are 7.3.03 and above.

Do not take our word for it. Contact your credit card processor and confirm the information we are distributing regarding current PCI DSS regulations and the risks associated with non-compliance. We realize the Hospitality Industry faces many challenges, but PCI DSS compliance must be on the front burner.

For your convenience we have listed various websites and links that have more detailed information regarding the PCI DSS requirements.

About the PCI Data Security Standard (PCI DSS)

https://www.pcisecuritystandards.org

Visa USA Cardholder Information Security Program (CISP)

http://usa.visa.com/download/merchants/cisp_overview.pdf?it=c|/merchants/risk_management/cisp_tools_faq.html|CISP%20Overview

Current list of Visa’s Validated Payment Applications (you’ll see Digital Dining listed)

http://usa.visa.com/download/merchants/validated_payment_applications.pdf

Payment Card Industry (PCI) Data Security Standard (17 page manual that you can download)

https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf

PCI Blog - Compliance Demystified

http://pcianswers.com/

More FAQs regarding PCI DSS

http://www.protegrity.com/pci-faq.htm#8

Menusoft (creators of Digital Dining) PCI DSS Info

http://menusoft.com/CCSecurity/CCSecBody.html

PCI Self-Assessment Questionnaire (Level 4 Merchant)

https://www.pcisecuritystandards.org/docs/saq_c_v1-1.doc

PCI DSS Frequently Asked Questions (FAQs)

Q. How do I determine my current Digital Dining software version?
A. If you are at the Digital Dining file server (usually in the office), open the Digital Dining Back Office Program. The version number is located in the top left corner of the window. If you are at a point-of-sale terminal, double-touch the bottom blue bar (where the time is located). The time will change to the current Digital Dining version.

Q. What steps do I need to take to comply with the current PCI DSS regulations?
A. Immediately call Team Howard (518-885-8051) and initiate an upgrade for your Digital Dining POS system. *Having a POS system that is PCI DSS compliant is only one aspect of PCI DSS compliance*; you must educate yourself and your staff, and become familiar with and follow through on the 12 requirements outlined by PCI DSS and listed above.

Q. What if I refuse to comply with the PCI DSS regulations?
A. You risk severe financial hardship. The credit card industry may prevent you from changing your current credit card processor, and you may also start to see increased credit card processing rates for merchants that are using a non-compliant version of POS software. The card brands want to see you upgrade to a compliant POS software version and are currently considering several options that will in the end force you to upgrade your software and require you to institute new policies and procedures that protect cardholder data.

Q. How much does my upgrade cost?
A. It depends on your current version, the number of optional modules, and any 3rd party interfaces.

Full Version Upgrade - A full version software upgrade (for example, 7.2 to 7.3) costs 10% of the current retail price of the Digital Dining software for your configuration, plus any travel and labor for our technicians to perform the upgrade. If the retail price is currently $5000, your software upgrade would be $500 plus labor. The current billing rate is $100 per hour.

Inner Version Upgrade – An inner version software upgrade (for example, 7.3.2 to 7.3.03) has no cost for the software itself; however, travel and labor for our technicians to perform the upgrade are billable.

*Payment Options* - *Software upgrades are pre-paid services.*

1. Purchase 5 hours at $100 per hr.
Time spent over 5 hours will be net invoiced; unused time may be refunded or a credit can be issued.
2. Purchase a block of ten hours for $800 (save $200).
If more than 10 hours are required, the client may purchase an additional block of 10 hours.
If fewer than 10 hours are used, the client can use the leftover time for any labor services provided by Team Howard. There are no refunds or credits for unused block hours that were purchased at the reduced rate.

Q. Is there any way for our restaurant to minimize the software upgrade costs?
A. Yes.

Perform Maintenance Procedures - Call our office for instructions on how to prepare your POS system for a software upgrade. There are maintenance procedures and utilities that must be performed prior to every software upgrade (to safeguard your historical data); if these are completed beforehand, the time our technicians spend on-site is reduced.

Purchase a Block of Hours – Many clients have taken advantage of our Block Hours Program which allows you to pre-purchase hours at a reduced rate. You can purchase a block of 10 hours for $800 and use those hours for any labor services Team Howard provides.

Q. Are there any other benefits to a software upgrade besides PCI DSS compliancy?
A. Yes. Too many features to list here. View the new features available in Digital Dining 7.3.4. Here!

Q. When will my upgrade occur?
A. Software upgrades will be scheduled on a first come, first served basis, generally within 30 days from the date of payment.

Q. When do I pay for the upgrade?
A. Due to expected volume, all software upgrades must be paid for in advance.

Q. Can I continue to use my Digital Dining POS for credit card processing even though I will not be ordering a software upgrade?
A. Yes, we cannot stop you from processing credit cards. You will however be asked to sign a disclaimer stating that you are aware of the existing regulations set forth by the PCI DSS and that you and your business accept all responsibility for your decision.

Q. Why must I sign a disclaimer?
A. As a business, Team Howard must protect itself from credit card merchants that may claim they were unaware that their POS platform was non-compliant, unaware of the associated risks of using a non-compliant version of POS software, and in general being unaware of PCI DSS regulations and the security requirements a credit card merchant is responsible to undertake.

Q. Our credit card processor has not mentioned PCI DSS, why is Team Howard so concerned?
A. In our opinion, the credit card processors have not done a good job of informing their clients of the high level risks that exist for today’s credit card merchants and how the current PCI DSS regulations impact their business.

Q. What if I refuse to sign the disclaimer?
A. Your account will be placed on Service-Hold and Team Howard will not provide support for your POS system in any manner.

Q. We cannot afford an upgrade at this time, are there any other options?
A. Yes. Stop using your Digital Dining POS system to process credit cards. Call our office and ask for Diane if you would consider purchasing stand-alone credit card terminals and processing credit cards through those devices. We do not, however, recommend this approach: stand-alone terminals bring their own drawbacks in efficiency and increased labor costs, plus the up-front purchase cost.

Establish, perform and follow the 12 step process as outlined by the PCI DSS and upgrading the Digital Dining software is the best approach, but stand-alone credit card terminals are an option.

Q. If we choose to purchase stand-alone credit card terminals and stop processing credit cards through the Digital Dining POS are my PCI DSS concerns over?
A. No. The computer that runs the Digital Dining POS (usually located in your office) may still have credit card holder data that must be removed. Consider purchasing a block of hours, or choose to pay normal labor rates but do call our office to arrange having the data removed. You still must follow the 12 step PCI DSS process even if you are using stand-alone credit card terminals.
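Both the "You may be storing credit card data that is not allowed" warning above and this answer about the office computer come down to one practical check: look at the files on that machine for full card numbers (PANs) and for magnetic-stripe track data, which PCI DSS requirement 3 prohibits storing after authorization. The script below is an added example for this notice, not Digital Dining, Menusoft or Team Howard code, and it does not know where Digital Dining keeps its data; it assumes you point it at a directory of text files (logs, reports, exports) as someone authorized to read them. Candidate numbers are confirmed with the Luhn check every card brand uses, track data is recognised by the ISO/IEC 7813 layout, and the report masks every PAN to the first six and last four digits so the report itself does not become stored cardholder data. The sample log embedded at the bottom is constructed from published test card numbers, not real ones.

```python
"""Scan files for stored cardholder data (PAN and magnetic-stripe track data).

Added example for this notice; not Digital Dining / Menusoft / Team Howard code.
Assumptions: you know which directory to point it at, and the files are text
(logs, reports, exports). Binary database files need a vendor-specific tool.
"""
import os
import re
import sys

# Candidate PAN: 13 to 19 digits, optionally separated by a space or dash, and
# not embedded in a longer digit run (so a 20-digit order number is skipped).
PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Magnetic-stripe track data as laid out in ISO/IEC 7813.  Storing either one
# after authorization is prohibited by PCI DSS requirement 3, even encrypted.
#   track 1: %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary>?
#   track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B[0-9]{13,19}\^[^^]{2,26}\^[0-9]{4}")
TRACK2_RE = re.compile(r";[0-9]{13,19}=[0-9]{4}")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by all card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four digits, the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cardholder_data(text: str) -> list:
    """Return one finding per hit: {'line', 'kind', 'value'}.

    PAN findings carry the masked number; track findings carry no card data,
    so the report can be kept without itself becoming stored cardholder data.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append({"line": lineno, "kind": "PAN", "value": mask(digits)})
        if TRACK1_RE.search(line) or TRACK2_RE.search(line):
            findings.append({"line": lineno, "kind": "TRACK",
                             "value": "full magnetic-stripe track data present"})
    return findings


def scan_tree(root: str, max_bytes: int = 50_000_000) -> dict:
    """Walk a directory; map each file path with findings to its finding list."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    text = fh.read().decode("latin-1")   # never fails; digits survive
            except OSError:
                continue
            hits = find_cardholder_data(text)
            if hits:
                report[path] = hits
    return report


# Constructed sample of what an old POS log might contain (published test card
# numbers, not real ones).  Lines 2 and 4 hold PANs, line 3 holds track 2 data,
# line 5 fails the Luhn check and line 6 is only a phone number.
SAMPLE_LOG = """\
2008-03-12 18:42:01 check 1042 table 7 total 48.20
2008-03-12 18:42:05 auth VISA 4111111111111111 exp 12/25 approved
2008-03-12 18:42:05 swipe ;4111111111111111=2512101123456789?
2008-03-12 18:43:10 auth MC 5500-0000-0000-0004 approved
2008-03-12 18:44:00 order 4111111111111112 note: not a card number
2008-03-12 18:45:00 callback phone 518-885-8051
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            for h in hits:
                print(f"{path}:{h['line']} {h['kind']} {h['value']}")
    else:
        for h in find_cardholder_data(SAMPLE_LOG):
            print(f"sample:{h['line']} {h['kind']} {h['value']}")
```

Run it with no arguments to see it work on the embedded sample, or with a directory path to scan real files. Treat the output as a starting point, not a verdict: the regular expressions are heuristics, a Luhn-valid number can occasionally be something other than a card number, and the scanner cannot look inside Digital Dining's own database files, which is why the data removal still needs to be arranged through your POS vendor.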

Q. Will my credit card processor shoulder any of the costs associated with a POS software upgrade that their industry is forcing upon merchants?
A. We are not aware of any programs available at this time but it does not hurt to ask your credit card processor.

Q. Can I pay for the Digital Dining software upgrade with a credit card?
A. Yes. Team Howard accepts Visa, MasterCard and Amex.

Q. After a Digital Dining software upgrade are all my PCI DSS compliance concerns over?
A. NO. Merchants are responsible for maintaining a secure data environment, which involves addressing many issues and procedures (the PCI DSS 12 step process). Visit the websites we have listed and educate yourself on this topic, and absolutely call your credit card processing representative for further information.

Q. What happens if the PCI DSS regulations change?
A. This is absolutely going to happen. The PCI DSS has undergone many changes and will continue to evolve as the challenge of protecting cardholder data changes. POS software companies can only continue to react to any new PCI DSS regulations and compliance hurdles.

Q. Realistically, is my restaurant at risk of a security breach; after all, we are not Sears?
A. Yes. Hackers know that there are many retail establishments that are not compliant with current PCI DSS regulations and will target the vulnerable sites. Bear in mind, having a compliant POS system is only one aspect of PCI DSS compliance. You can experience a data compromise that has no connection to your POS system.

Q. Can credit card data be compromised even though I have a PCI DSS compliant version of Digital Dining software installed?
A. Yes. Visit www.youtube.com and search for “credit card skimmer scam”. It’s an alarming video, but you will quickly realize just how serious this problem of protecting credit card data has become.  It’s only an example of one way to steal credit card data, there are other ways. Employees can take photos of cards, imprint cards with a manual imprinter, write down numbers, remove imprinted slips from your business etc.

Q. Why would an employee steal credit card data?
A. The data can be sold.

Q. Does Digital Dining offer Pay-at-the-Table?
A. Yes. Digital Dining has Hand Held ordering and Team Howard has installed it locally. There are many, many benefits to using the Hand Held option, but allowing a server to process a diner’s credit card without leaving their table (or the diner’s sight) is getting the most attention at this time. We even recommend to sites that use our Digital Dining Hand Held devices for ordering and Pay-at-the-Table service to place it in their advertising. As consumers become more concerned about credit card fraud, they will appreciate knowing which restaurants are providing a secure environment and it may even begin to influence where they spend their dining dollars.

Q. When it comes to PCI DSS compliance, is my Digital Dining any different than other POS systems?
A. No. POS software companies around the world have spent considerable time and money addressing PCI DSS regulations and having their software platforms validated as compliant with current PCI DSS regulations.

Q. This whole situation is upsetting and unfair, who can I complain to?
A. We couldn’t agree more. Our best suggestion is to call your credit card processor or local political representative.