As more customers pay with credit cards, restaurant owner/operators will face tighter scrutiny – and higher costs each year.
Ownership entities that have more than 1 million credit card transactions a year must comply with the Payment Card Industry Data Security Standard (PCI DSS), which, among other things, requires an annual audit. The purpose of the audit is to ensure that proper security measures are in place to protect customers from fraud.
First Data or the owner/operator’s credit card company will notify the business when it has hit the 1 million transaction mark and is required to complete the annual PCI compliance audit. The compliance standards apply to all major credit card brands, such as Visa, MasterCard, AMEX, Discover, etc.
Since this benchmark is determined by entity, an entity with 10 stores, for example, will most likely qualify and be subject to the auditing process.
An audit generally takes about two and a half months and can cost anywhere between $7,000 and $10,000 per audit.
For new customers, the audit company may require a 50 percent down payment before beginning the process. Existing customers, though, will typically pay the audit fees once it is completed.
The scope of the audit includes validating that the taxpayer is following security best practices to prevent any form of data breach when conducting cashless transactions.
The compliance audits are typically conducted by a third-party auditor. McDonald’s recommends that owner/operators use Trustwave’s PCI Compliance Services.
Owners can use an internal auditor (an in-house employee), but that can be even more costly and risky. Business owners have to ensure that the internal auditor has attended all the PCI SSC ISA training and has passed the associated accreditation program annually. This requires the internal auditor to pass an exam; if this person does not pass, he or she will be required to take the class and the test again. The cost of this process is around $5,000.
Therefore, it is advisable to use a third-party auditor, like Trustwave. Once the audit is complete, the auditor will be responsible for getting all the required documents to the credit card company.
The notification letter from First Data and/or the credit card company will provide a due date for completion of the audit. Failure to complete the audit can result in steep penalties. Penalties for noncompliance start at $5,000 a month and can accumulate to $50,000, and they can climb as high as $200,000 for failure to comply year after year.
Be on the lookout for the PCI compliance notification and make sure you have handled everything properly to prevent costly penalties.
As always, if you have any questions, please let us know.