Why Restaurants Need PCI Compliance as a Service

PCI Compliance as a Service offerings enable VARs and MSPs to help restaurants secure payment data and operate compliantly without burdening in-house IT staff.

PCI Compliance

Payment Card Industry (PCI) compliance is vital to ensure data security at any business that accepts payment cards. Compliance as a Service offerings from value-added resellers (VARs) and managed services providers (MSPs) help merchants meet the PCI Data Security Standard (PCI DSS), whose requirements are grouped under six goals:

  • Building and maintaining a secure network
  • Protecting cardholder data
  • Maintaining a vulnerability management program
  • Implementing strong access control
  • Regularly monitoring and testing the network
  • Maintaining an information security policy

Your restaurant clients typically don’t have the in-house resources to address and manage every requirement, which creates demand for your services. That need has only grown with the sweeping changes the industry has undergone in the past three years.

DeWayne Mangan, senior vice president of technology operations at Acumera, a managed network service provider, comments, “Restaurants have been forced headfirst into the world of IoT.” He says their IT environments have grown to include mobile order tablets, live menu boards, live drive-thru menus, online ordering, guest Wi-Fi, trivia night, pay-at-the-table, portable payment devices for servers, and more.

“It complicates their network setup. In addition, these devices frequently come with little technical information, no vendor hardening guides, and no management capabilities for the merchant,” Mangan says.

Challenges that PCI Compliance as a Service Can Solve

Mangan points out that restaurants often face challenges when working toward PCI compliance. “Based on our observations, network segmentation is almost nonexistent in the restaurant industry,” he says.

“Also, access control is challenging. The manager’s office is often used for equipment racks, storage, cash storage, paperwork – and, occasionally, there’s enough room for the manager to work there as well,” he remarks. “Without dedicated store IT personnel, the manager-on-duty is expected to also serve as remote IT support, meaning equipment is frequently left unsecured, or keys are left hanging in racks, so anyone on-site can access it.”

“There’s lots of security theater to be found in how IT equipment is secured even at sites that have dedicated, locked spaces,” Mangan says.

He adds, “Overall, IT staffs are overburdened and frequently have to choose between ‘making it work,’ i.e., keeping revenues coming in, and making it secure.”

How Your PCI Compliance as a Service Offering Can Benefit Restaurant Businesses

VARs and MSPs have the opportunity to provide the PCI compliance services restaurants need while building both project and recurring revenue for their businesses.

You can leverage your expertise to build or update systems that comply with PCI DSS. For example, your team can install and maintain a firewall and antivirus, enable encryption of payment data, and deploy an access control solution. Additionally, you can provide ongoing services, such as network monitoring and testing, and maintaining an information security policy that covers employees and any third-party contractors with access to the restaurant’s network. You can also design your PCI Compliance as a Service offering to make annual reporting easier and help your clients avoid fines and penalties, which can include a restaurant losing its ability to accept payment cards.

Your ongoing services can eliminate a considerable burden for a restaurant’s in-house IT staff. In addition, that value will help you retain customers, adding to predictable monthly revenue for your business.

PCI Compliance as a Service solution vendors can provide you with tools specifically designed for restaurant compliance and security, including vulnerability scanning, monitoring and assessment tools. Vendors will also offer you and your clients the technical support you need.

To become a total restaurant solutions provider, you must meet your clients’ needs with PCI Compliance as a Service. Assess your market and weigh your options for growing your business with this new revenue stream.