Protect Against, Identify & Resolve Weaknesses in Your Payment Card Environment

Credit card information… it’s the hidden treasure that cyber criminals are constantly trying to steal from restaurant and retail operators that process, transmit or store this information for consumers. Ultimately, restaurant and retail operators are responsible for the protection of credit card information.


As part of the Payment Card Industry Data Security Standard, restaurant and retail operators are required to maintain a vulnerability management program for their payment card environment, which in plain English means protecting against, identifying and resolving any weaknesses in the network or payment card environment that could allow criminals access to payment card information.


Creating and maintaining a vulnerability management program:


Requirement #5 of the PCI DSS specifically requires that a restaurant or retail operator implement, use and regularly update anti-virus software or programs. Traditional anti-virus programs take a blacklist approach: they prevent, detect and remove known malicious software designed to infiltrate a computer system, commonly called malware. The reverse of this approach, whitelisting, lets an operator define a catalog of all known good applications that are safe to run on a system and prevents any program not on the list from running. Both approaches can be used to fulfill Requirement #5.


The PCI DSS requires that restaurant and retail operators have anti-virus installed on all computers in the payment card environment, which includes the POS terminals. Whitelisting, an acceptable alternative to anti-virus programs, is a great option for use on a POS terminal, because it takes up a small amount of memory. It is also well suited for environments where the software and programs being run do not change often, because this lowers the maintenance requirements for the whitelisting application.
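The difference between the two approaches, and the maintenance cost mentioned above, can be seen in a short sketch. This is an added example, not code from any anti-virus or whitelisting product: the byte strings are constructed stand-ins for program files, and exact SHA-256 matching is an assumed simplification of how real products identify programs.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed samples: byte strings stand in for executables on a POS terminal.
POS_APP_V1 = b"constructed: pos payment client 1.0"
POS_APP_V2 = b"constructed: pos payment client 1.1 (vendor update)"
KNOWN_MALWARE = b"constructed: sample with a published signature"
NEW_MALWARE = b"constructed: sample no signature exists for yet"

BLACKLIST = {sha256(KNOWN_MALWARE)}  # known-bad programs (anti-virus style)
WHITELIST = {sha256(POS_APP_V1)}     # catalog of known-good programs

def blacklist_allows(data: bytes) -> bool:
    """Default allow: anything that is not a known-bad match may run."""
    return sha256(data) not in BLACKLIST

def whitelist_allows(data: bytes, catalog=WHITELIST) -> bool:
    """Default deny: only programs present in the catalog may run."""
    return sha256(data) in catalog

def approve_update(catalog: set, data: bytes) -> set:
    """Maintenance step: return a new catalog that includes a vetted update."""
    return catalog | {sha256(data)}

SAMPLES = {
    "pos_app_v1": POS_APP_V1,
    "pos_app_v2": POS_APP_V2,
    "known_malware": KNOWN_MALWARE,
    "new_malware": NEW_MALWARE,
}

def decisions(samples: dict) -> dict:
    """Map each sample name to (blacklist verdict, whitelist verdict)."""
    return {name: (blacklist_allows(d), whitelist_allows(d))
            for name, d in samples.items()}

if __name__ == "__main__":
    for name, (bl, wl) in decisions(SAMPLES).items():
        print(f"{name:14} blacklist={'run' if bl else 'block'} "
              f"whitelist={'run' if wl else 'block'}")
    # The vendor update stays blocked until the catalog is maintained.
    updated = approve_update(WHITELIST, POS_APP_V2)
    print("pos_app_v2 after catalog update:",
          "run" if whitelist_allows(POS_APP_V2, updated) else "block")
```

The unknown sample passes the blacklist but is stopped by the whitelist, while the legitimate vendor update is also stopped until someone adds it to the catalog, which is why whitelisting fits terminals whose software rarely changes.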


Bottom line, restaurant and retail operators need to ensure they are protecting both their servers and POS terminals. For those environments where POS terminals are not used as the payment application server, whitelisting is a technology worth investigating to ease the impact that security requirements have on your operations.

