Blake Huebner, BHI: Are you PCI Compliant? [Expert Corner]
In this Expert Corner installment, Blake Huebner of BHI Secure Connect® discusses the importance of PCI compliance as it relates to the restaurant industry.

qsrbuzz™: In layman's terms, what is PCI compliance and why is it so important to restaurants and restaurant chains?

By processing customer credit and debit cards, a merchant accepts the responsibility and also has a contractual obligation to keep transactions and sensitive data secure in their business environment. The Payment Card Industry Data Security Standard (PCI DSS) is in place to provide guidelines on how credit card information should be handled and what security measures should be implemented to secure a merchant’s cardholder data. The DSS consists of 12 requirements (and many sub-requirements) that must be addressed to reduce risk and effectively eliminate cardholder data breaches. The rapid increase in the use of credit cards and broadband within the restaurant industry produces a significant need for network security and PCI compliance solutions. As we continue to hear stories of security breaches within the restaurant industry, it has become a significant and necessary business practice. In addition, many acquiring banks, such as First Data, are beginning to issue fines and penalties to businesses that haven’t documented their compliance with the PCI DSS. The security benefits associated with maintaining PCI compliance are vital to the long-term success of all merchants who process card payments.

qsrbuzz™: How does PCI compliance relate to any impending new regulations in the Northeast or at the national level?

At the national level, PCI compliance is gaining more exposure as security breaches continue to affect merchants both large and small.
Although not yet a law mandated by the federal government, the Payment Card Industry Data Security Standard (PCI DSS) has increased awareness among state lawmakers and encouraged the development of additional state laws in relation to payment card transactions. Most recently, a Washington law was enacted that places liability on certain entities including businesses, processors and vendors involved in payment card transactions. The new law is an addition to the state’s breach notification statute that requires reasonable care to guard against unauthorized access of payment card data and determines liability based on the level of negligence. The law also encourages PCI compliance, stating that if a business is in compliance with the PCI DSS prior to the breach, liability will not fall on the merchant. Washington is not the first state to enact laws surrounding security breaches. The Northeast states of Massachusetts and New Jersey have both put more rigorous data protection laws in place to help protect residents and businesses from the devastating effects of a data breach. States across the U.S. including California, Nevada and Minnesota have also enacted similar laws that encourage PCI compliance. Due out in October 2010, the next revision of the PCI DSS is anticipated to provide merchants with better guidance and a clearer understanding regarding the 12 requirements. Revisions to the PCI DSS take place every two years, with the last major update released in 2008.
qsrbuzz™: Are any of the standards more important than others or more critical?

It is best to approach PCI compliance as a means to strengthen security, instead of simply meeting compliance standards. Fully understanding a business environment is the best place to start when implementing a successful PCI compliance plan. Each and every requirement addresses an important part of proper security. However, there are some key steps that should be addressed. Key Steps Include:
qsrbuzz™: How can restaurants evaluate their needs for a PCI compliance program?

Any merchant that stores, processes or transmits credit and debit cards accepts the responsibility of securing card transactions and must implement a PCI compliance program in his/her restaurant environment. Although needs vary slightly by a merchant’s level of card transactions, data retention and cardholder data environment, PCI compliance does apply to all businesses. Unless you only accept cash (which is highly unlikely for any business today), you will need to comply with the PCI DSS in order to secure your business, protect your customers and meet the requirements established by the Security Standards Council. In addition to following general good business practices, merchants are required by their acquiring banks to comply with the PCI requirements. Non-compliance fines and penalties can be very costly for those that do not report their successful compliance. We encourage merchants to contact their acquiring bank for more information.

qsrbuzz™: What is the known ROI on maintaining PCI compliance standards?

As news outlets continue to share details about security breaches and improper data handling, consumers will increasingly make purchase decisions based on a merchant’s ability to guarantee secure transactions. Companies that communicate the strength of their security systems and identify the benefits of PCI compliance have the opportunity to find greater consumer loyalty. Organizations not compliant with the PCI DSS or those that do not communicate security strategies lose out on a significant opportunity to build strong customer relationships and ultimately increase profits. A data breach can have a devastating effect on a merchant’s reputation; lost sales because of lack of consumer confidence can often supersede the imposed penalties. Consumers are no longer willing to be victims and they expect merchants to make changes accordingly.
Instead of assuming a negative point of view, it is beneficial to use PCI compliance as an opportunity to not only secure your business, but also improve your relationship with customers.

qsrbuzz™: What, if any, marketing and consumer goodwill can be obtained by such programs at restaurant companies?

Communicating the importance of secure card transactions and achieving PCI compliance illustrates your commitment to customers. The concern over identity theft and credit card fraud has heightened consumer awareness about the importance of data security. Utilizing PCI compliance as a way to build consumer confidence and loyalty can certainly give merchants an edge over those competitors that do not. Gaining trust through consumer goodwill is often one of the best ways to increase customer base and build brand integrity. Educating and informing customers of efforts to secure their transactions will only have a positive effect on a merchant’s business.

qsrbuzz™: How can companies like yours assist in this process or enable compliance?

Maintaining security and managing PCI compliance has proven to be a serious challenge for restaurant operators. BHI Advanced Internet provides SecureConnect®, a fully managed Internet and network security solution that helps brands achieve compliance with the PCI DSS through an entirely customizable platform of services. Understanding both the time constraints and network complexities common in the restaurant industry, SecureConnect® has tailored its solution to provide all the necessary tools to achieve compliance with convenience and ease.

qsrbuzz™: Can you share with us some of your established clients?

We provide customized solutions for numerous brands including Dairy Queen, Popeye’s, Culver’s, Taco John’s, McAlister’s Deli, Mr. Goodcents, Little Caesar’s, Smoothie King, Capriotti’s and more.
Blake Huebner, director of information security, BHI Secure Connect®, has extensive experience with PCI compliance, information security and security management. With a 10-year career in leadership roles, he joined BHI as the director of information security to provide information security leadership and enhance the security product portfolio. Previously, he was a PCI team lead and qualified security assessor (QSA) and assisted organizations with security advisory services, PCI assessments and audits as well as security program development.