
PCI Compliance for Restaurants


You keep a clean kitchen – how about your security posture?

You go into a restaurant, and, at least in California, the first thing you notice is the green ‘PASS’ in the window.  What does this imply?  That the restaurant has proper hygiene… that their kitchen is clean, their staff is trained in sanitary practices, and that if you order lamb from the menu, you actually get lamb, and not some mystery meat. 

Although I don't have all the information behind the restaurant scoring system, it's my understanding that the Health Inspector calculates a score based on the violations observed and provides a more detailed report to leadership on what areas need attention.  The inspections are routine, with follow-ups as needed.  The same must apply to the restaurant's cybersecurity posture: if you want to avoid the upset stomach caused by a credit card breach, or if the owner doesn't want his or her backend systems compromised, it's important to understand which areas of your backend payment systems need attention.  That is why PCI audits take place.

We all admit that this is a difficult time for many restaurant chains and individual proprietors: changing eating habits, delivery services, healthcare and staffing costs, the cost of raw goods and utilities, and so on.  But restaurants can't cut back on securing their IT infrastructure in an environment where the number of breaches has gone up by 40% since 2016, and where the typical breach costs $50K or more.  A chain will probably survive, but an independent?  Who knows?  Unfortunately, according to Hospitality Technology's 2017 Restaurant Technology Study, only 38% of restaurants have technology as a strategic priority.

PCI compliance, or even EMV and P2PE, means the business in question has the processes in place to protect customer financial data.  The real problem is the PCI audit itself, every 3 or 6 months.  A hacker can set their sights on the company the day after the audit is complete and potentially go unidentified until the next audit.  And that is if the audit passes.  Many fail one or more audits, and according to a recent Verizon report, this group is 100% likely to be breached in the ensuing 12 months.  In fact, restaurants are many times less secure than the typical enterprise, in that their Linux, Windows, Android, and iOS POS terminals sit in less secure environments.  These terminals are 40x more liable to either hardware or software compromise than the typical enterprise's, and 90% of restaurant breaches are POS-driven.

We've seen this time and time again, and chances are you've had your own cards compromised one or more times.  How can we reverse this trend?  As the old saying goes, security is not a destination but a continual journey.  If you are focused on PCI, you need to continually reassess your cybersecurity posture, whether in your own IT environment or in the public cloud services you use.  There are frameworks that outline best practices, and solutions that offer automated assessments.  They may not cause you to immediately pass PCI, but they will quickly identify your breach potential.  At the same time, other frameworks, such as ISO, SOC2, GDPR, and NIST, will better ensure your cybersecurity posture.

In closing, though we’ve focused on restaurants, many of the same concerns apply to other hospitality verticals – casinos and gaming, hotels and resorts, cruise ships, and even traditional retail. 


© 2019 Cavirin Systems, Inc. All rights reserved.