PCI DSS compliance for restaurants: What you need to know

Author: Verizon Payment Security Practice

Date published: June 10, 2025


The United States is the largest fast-food consumer in the world, according to CEO World Magazine. With over 200,000 quick service restaurants (QSRs) in the US, it is estimated that about 37% of adults (over 84 million people) eat fast food every day. Approximately 37% of QSR customers pay with a debit card and 33% with a credit card, according to research data from PYMNTS. Eating and drinking establishments account for approximately $1.4 trillion in sales in the U.S. economy, per the National Restaurant Association. Layer in the continued adoption of virtual cards (digital versions of physical credit or debit cards, used mostly for online transactions such as food delivery, a rapidly growing market), and the sheer volume of card transactions shows why the Payment Card Industry Data Security Standard (PCI DSS) matters: it helps maintain customer trust, and it helps businesses protect themselves against cyber incidents.

What is PCI DSS

PCI DSS is a set of requirements, first published in 2004 and updated since (as updated, the "Standard"), that serves as the global baseline data security standard for protecting credit and debit card payment data. The latest release can be found here.

PCI DSS is a standard that the major payment card brands (Mastercard, Visa, American Express and Discover, among others) require merchants and service providers to follow, through their acquiring banks and payment processors, as a condition of accepting card payments. For businesses such as hotels, retail shops and restaurants, the main purpose of the Standard is to secure cardholder data throughout the payment process. That data is a prime target for both external and internal threat actors because it is easy to monetize.

Best Practices to secure your transactions and systems

According to another PYMNTS article, digital payment fraud increased in 2024 and while “efforts to combat fraud in routine digital payments have been successful, a new challenge has emerged in the form of social engineering scams,” which can manipulate individuals into authorizing fraudulent transactions. According to the 2024 DBIR the human element was a component of 68% of breaches reported.

Here’s what you need to know about the most important changes to PCI compliance for restaurants to help safeguard your business.

Anti-phishing requirements

To help combat fraudulent scams, Requirement 5.4.1 of PCI DSS v4.0.1 takes aim at phishing attacks, in which threat actors impersonate a trusted party (such as the business owner, a manager or a supplier) to trick employees into disclosing credentials or other sensitive information.

Under Requirement 5.4.1, businesses must have technical mechanisms in place to detect phishing attacks and protect personnel from them. The training side is handled separately: Requirement 12.6.3.1 requires that security awareness training cover phishing and social engineering.

Restaurants can meet the technical part of these anti-phishing requirements by deploying controls that intercept malicious messages on email, text and other communication systems used by their employees; the guidance for 5.4.1 points to email authentication (DMARC, SPF and DKIM), link and attachment filtering, and server-side anti-malware as examples. But because restaurant staff also interact with the public in person, restaurants should invest in awareness programs that help staff recognize social engineering, such as a "customer" who claims to have been charged twice and asks to review the payment records (which could contain other customers' card data) to confirm the mistake.

Access control changes that affect PCI compliance for restaurants

Allowing multiple staff members to access payment systems through a single shared account is no longer acceptable as a normal practice: Requirement 8.2.2 permits group, shared or generic accounts only on an exception basis, with a documented business justification, management approval and a way to trace every action back to an individual. Instead, each employee should have their own account. Apply least privilege, which restricts each user's access rights to the minimum needed to perform their job.

This is covered by Requirement 7, which in v4.0 significantly strengthens the user identity and access control protections of the Standard. Requirement 7.2.4 states that all user accounts and their associated access privileges, including third-party and vendor accounts, must be reviewed at least once every six months, and that inappropriate access must be addressed. Businesses must also show that they actively manage access privileges, granting them based on job role and removing them when they are no longer needed.
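As an added example (not code from the original article), here is the kind of audit a practitioner would run against a POS or back-office user export to catch the three problems the section describes: shared or generic logins, privileges beyond the role baseline, and accounts whose access review is older than six months. The field names, the role baseline and the sample accounts are constructed assumptions, not the format of any real POS system.

```python
"""Audit a user export for shared accounts, excess privilege and stale
access reviews (PCI DSS Requirements 8.2.2, 7.2.1 and 7.2.4).

Added example with constructed data; field names are assumptions.
"""
from datetime import date, timedelta

# Privileges each role legitimately needs (assumed baseline; tune per site).
ROLE_BASELINE = {
    "cashier": {"take_payment", "issue_refund_under_limit"},
    "shift_lead": {"take_payment", "issue_refund_under_limit", "void_ticket"},
    "manager": {"take_payment", "issue_refund_under_limit", "void_ticket",
                "view_reports", "manage_users"},
}

# Usernames that almost always indicate a shared login.
GENERIC_NAMES = {"cashier", "manager", "pos", "admin", "register", "shared"}

REVIEW_INTERVAL = timedelta(days=182)  # "at least once every six months"


def audit_accounts(accounts, today):
    """Return a list of (username, finding) tuples.

    Each account is a dict with keys: username, role, privileges (set),
    last_reviewed (date or None).
    """
    findings = []
    for acct in accounts:
        name = acct["username"]

        # 1. Shared or generic identifiers (8.2.2 allows these only by exception).
        if name.lower().split("@")[0] in GENERIC_NAMES:
            findings.append((name, "shared or generic account; assign individual IDs"))

        # 2. Least privilege: anything beyond what the role baseline grants.
        extra = set(acct["privileges"]) - ROLE_BASELINE.get(acct["role"], set())
        if extra:
            findings.append((name, f"privileges beyond role baseline: {sorted(extra)}"))

        # 3. Six-monthly access review (7.2.4); a missing date counts as never reviewed.
        reviewed = acct.get("last_reviewed")
        if reviewed is None or today - reviewed > REVIEW_INTERVAL:
            findings.append((name, "no access review in the last six months"))
    return findings


# Constructed sample export (not real users).
SAMPLE_ACCOUNTS = [
    {"username": "cashier", "role": "cashier",
     "privileges": {"take_payment", "issue_refund_under_limit"},
     "last_reviewed": date(2025, 3, 1)},
    {"username": "j.alvarez", "role": "cashier",
     "privileges": {"take_payment", "issue_refund_under_limit", "void_ticket"},
     "last_reviewed": date(2025, 3, 1)},
    {"username": "m.chen", "role": "manager",
     "privileges": ROLE_BASELINE["manager"],
     "last_reviewed": date(2024, 10, 1)},
    {"username": "r.okafor", "role": "shift_lead",
     "privileges": {"take_payment", "void_ticket"},
     "last_reviewed": date(2025, 5, 20)},
]

if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE_ACCOUNTS, date(2025, 6, 10)):
        print(f"{user}: {finding}")
```

Run against the sample data on June 10, 2025 this flags the generic "cashier" login, the cashier who can void tickets, and the manager whose last review was eight months ago; the shift lead, whose privileges are a subset of the baseline and who was reviewed recently, produces nothing.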

Multi-factor authentication requirements

The authentication systems that employees and other users rely on to reach payment systems must be stronger to meet PCI DSS v4.0 requirements. Multi-factor authentication (MFA) means a user must present more than one kind of evidence, such as a password plus a one-time code from an authenticator app or hardware token, to complete a login. As described in the PCI Security Standards Council Multi-Factor Authentication supplement, MFA requires at least two of the three authentication factors listed in PCI DSS Requirement 8.3.1 (Requirement 8.2 in v3.2.1), and the factors must be independent, so that compromising one does not compromise the other:

a) Something you know, such as a password or passphrase.

b) Something you have, such as a token device or smartcard.

c) Something you are, such as a biometric.

For restaurants, meeting the new MFA requirements means that any device on the restaurant floor that can reach the cardholder data environment (CDE), and any back-office server or application that processes payments, must be protected by MFA. Requirement 8.4.2 requires MFA for all access into the CDE (mandatory from March 31, 2025), and Requirement 8.4.3 requires it for all remote network access originating from outside the entity's network. Requirement 8.5.1 adds that the MFA system must not be susceptible to replay attacks, must not be bypassable, and must grant access only after all factors have succeeded. Read more in Section 8 of the Standard.

Stronger data encryption rules

According to Restaurant Dive, “With point-of-sale systems being the most important technology for restaurants, it’s no coincidence that many POS companies are sprinting to adopt more capabilities in response.”

Requirement 3.5.1 of PCI DSS v4.0.1 requires that the primary account number (PAN) be rendered unreadable anywhere it is stored, using one-way hashes, truncation, index tokens, or strong cryptography with proper key management. Version 4.0 also tightens two related points: Requirement 3.5.1.1 requires that hashes of PAN be keyed cryptographic hashes (mandatory from March 31, 2025), and Requirement 3.5.1.2 limits disk-level or partition-level encryption as the sole protection to removable media; on non-removable media such as a POS terminal's internal storage, PAN must also be rendered unreadable by one of the other methods. For example, if a QSR uses any device that accepts payments, any PAN that device stores must be protected by one of these means, and the same applies to payment kiosks and in-restaurant servers that hold payment data.

For restaurants, this means that any device on which payment data is stored, even temporarily, must render the PAN unreadable on that device, and that a truncated PAN and a hash of the same PAN must not be stored side by side in a way that lets an attacker reconstruct the full number. The simplest route for most restaurants is to avoid storing PAN at all: point-to-point encryption (P2PE) terminals and tokens issued by the payment processor keep full card numbers out of the restaurant's systems and shrink the scope of the assessment.
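The following added example (not code from the original article) shows what Requirement 3.5.1 and 3.5.1.1 look like in code: truncation for receipts and screens, a keyed hash (HMAC-SHA256) for lookups such as duplicate-charge matching, and the reason an unkeyed hash is not enough, namely that a truncated PAN stored next to a plain SHA-256 of the same PAN leaves only the six middle digits unknown, which is brute-forced in well under a second. The PAN is the well-known Visa test number, not a real card, and the key is constructed.

```python
"""Render a PAN unreadable for storage (PCI DSS 3.5.1 / 3.5.1.1) and show why
an unkeyed hash beside a truncated PAN is reversible.

Added example, standard library only; PAN and key are test data.
"""
import hashlib
import hmac


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation (every real PAN passes it)."""
    digits = [int(d) for d in pan if d.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep first 6 (BIN) and last 4 digits, mask the rest. First-6/last-4 is a
    common accepted format; check the PCI SSC truncation FAQ for your brands."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """What NOT to store next to a truncated PAN: plain SHA-256 of the PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


def pan_fingerprint(pan: str, key: bytes) -> str:
    """Keyed hash (3.5.1.1). Without the key, stolen fingerprints cannot be
    checked against candidate PANs, so the brute force below no longer works.
    The key must be managed like any other cryptographic key (Requirement 3.6)."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def brute_force_unkeyed(target_hash: str, bin6: str, last4: str):
    """Recover a full 16-digit PAN from its truncation plus an unkeyed hash:
    at most 10**6 guesses for the middle six digits."""
    for mid in range(1_000_000):
        candidate = f"{bin6}{mid:06d}{last4}"
        if hashlib.sha256(candidate.encode()).hexdigest() == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111111111111111"                 # Visa test number (constructed data)
    masked = truncate_pan(pan)
    print("stored truncation:", masked)
    recovered = brute_force_unkeyed(unkeyed_hash(pan), masked[:6], masked[-4:])
    print("unkeyed hash + truncation recovers:", recovered)
    print("keyed fingerprint:", pan_fingerprint(pan, b"\x01" * 32)[:16], "...")
```

The brute force succeeds against the unkeyed hash because truncation and the hash leak the same card; with `pan_fingerprint` the attacker would need the HMAC key as well, which is why v4.0 made keyed hashes mandatory.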

Enhanced network security

The new version of PCI DSS also strengthens the network security requirements that restaurants and other organizations must meet in order to process card payments. Requirement 4.2.1 mandates that when PAN is transmitted over open, public networks, only trusted keys and certificates are accepted, the certificates are confirmed valid and are not expired or revoked (mandatory from March 31, 2025), and only secure protocol versions and cipher configurations are used. This helps prevent attackers from impersonating a payment gateway or other legitimate party in order to intercept card data in transit.

This requirement does not necessarily mean installing additional network security hardware, but it does mean that every device and application through which payment data passes must be capable of validating certificates and must actually do so. A common failure is integration code that disables certificate verification to make a connection error go away; that silently defeats the control. To work towards compliance, businesses should keep device operating systems and trust stores up to date through regular update cycles, and check that their POS and back-office software enforces TLS 1.2 or later with verification enabled.
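As an added example (not code from the original article), here is a client-side TLS configuration that matches the 4.2.1 expectations, placed beside the weak configuration many integrations ship with, plus a check on the peer certificate's validity period that can be run against a gateway from any site. The certificate dictionary is constructed in the shape `ssl.SSLSocket.getpeercert()` returns; the host name `pos-gateway.example` is a placeholder.

```python
"""Certificate validation for PAN in transit (PCI DSS 4.2.1): enforce trusted
certificates, hostname matching and TLS 1.2+, and flag expiring certificates.

Added example, standard library only; the sample certificate is constructed.
"""
import socket
import ssl
from datetime import datetime, timezone


def weak_context() -> ssl.SSLContext:
    """What a 'verify=False' workaround produces: any certificate is accepted,
    so an attacker between the terminal and the gateway can read the PAN."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def compliant_context(ca_file: str = None) -> ssl.SSLContext:
    """Trusted CAs only, hostname verified, legacy TLS versions refused."""
    ctx = ssl.create_default_context(cafile=ca_file)   # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2        # 4.2.1: secure versions only
    return ctx


def cert_days_remaining(cert: dict, now: datetime) -> int:
    """Whole days until notAfter (negative once expired). Times are UTC."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((not_after - now.timestamp()) // 86400)


def check_peer_cert(cert: dict, now: datetime, warn_days: int = 30) -> list:
    """Return a list of issues with the certificate a peer presented."""
    issues = []
    if not cert:
        # getpeercert() returns {} when verification was disabled: nothing to trust.
        issues.append("no certificate presented (verification disabled?)")
        return issues
    if now.timestamp() < ssl.cert_time_to_seconds(cert["notBefore"]):
        issues.append("not yet valid")
    days = cert_days_remaining(cert, now)
    if days < 0:
        issues.append("expired")
    elif days < warn_days:
        issues.append(f"expires in {days} days; renew")
    return issues


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the compliant context and return the validated peer cert.
    Raises ssl.SSLCertVerificationError on an untrusted, expired or mismatched cert."""
    ctx = compliant_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed certificate dict in getpeercert() shape (placeholder host name).
SAMPLE_CERT = {
    "subject": ((("commonName", "pos-gateway.example"),),),
    "notBefore": "Jan 01 00:00:00 2025 GMT",
    "notAfter": "Jul 01 00:00:00 2025 GMT",
}
NOW = datetime(2025, 6, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("weak verify_mode:", weak_context().verify_mode)
    print("compliant verify_mode:", compliant_context().verify_mode)
    print("issues:", check_peer_cert(SAMPLE_CERT, NOW))
```

Revocation checking is not shown: Python's `ssl` module does not check CRLs or OCSP by default, so that part of 4.2.1 is usually met by the platform or a proxy, and should be confirmed rather than assumed.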

Rapid response to security failures

Because restaurant businesses often operate many sites without cybersecurity staff at any of them, the new rapid-response requirements push restaurants toward centralized security monitoring that can identify a failed control at a remote site, raise an alert and guide the fix without a security expert having to travel there.

Requirement 10.7.2 of PCI DSS v4.0 (mandatory for all entities from March 31, 2025) requires that failures of critical security control systems, such as network security controls, IDS/IPS, anti-malware, audit logging, segmentation controls and physical and logical access controls, are detected, alerted on and addressed promptly. Requirement 10.7.3 spells out the response: restore the control, identify and document the cause and duration of the failure, assess what else may have been affected, and take steps to prevent a recurrence. Within the PCI DSS v4.0 glossary, "promptly" is defined as "as soon as reasonably possible."

The goal is to help organizations find and mitigate security threats to payment systems as rapidly as possible, rather than waiting until their next audit to catch problems.

Next steps for restaurant PCI security compliance

Restaurant PCI compliance has received a major overhaul with PCI DSS v4.0 and v4.0.1, the latest versions of the requirements that apply to most businesses that store, process or transmit payment card data. Version 4.0 was published in March 2022 and became the only active version on March 31, 2024, when v3.2.1 was retired; its future-dated requirements, including several discussed above, became mandatory on March 31, 2025. Version 4.0.1, published in June 2024, is a limited revision that clarifies wording without adding or removing requirements. Both have important ramifications for the cybersecurity and compliance strategies of QSRs.

From tighter identity management rules to MFA requirements to stronger network security and beyond, the updated version of PCI DSS introduces a variety of new mandates and updates that require attention from hospitality organizations, restaurants and other businesses.

Need help? Learn more about Verizon's PCI security assessments here.

Security and compliance teams can also download the 2023 Payment Security Report insights white paper on the value of advanced PCI security program management design and the 2024 Payment Security Report for information on essential PCI security program measurements, metrics and performance evaluation to improve security and compliance outcomes.