Are ‘Knuckle Busters’ PCI Compliant?

Question:

I run a restaurant business and have a question regarding “manual credit card processing.” In the event my cc system (POS) goes down, how can I process credit cards without taking a manual imprint of the card?

‍

Answer:

‍
I’m guessing your question comes from the recent news stories surrounding the P.F. Chang’s data breach, where the well-known restaurant chain opted to use manual card-swipe devices (a.k.a., “knuckle busters”) to process customers’ credit cards until they could complete a forensics investigation.

‍

Rest assured, however, that there are other non-manual processing methods your business could employ should your POS system go down. You might, for example, keep a backup Square device or other mobile-enabled processing method at your disposal.

‍

If you’re asking whether you can fall back on a “knuckle buster” device and still be PCI compliant, the answer is basically the same either way: When accepting credit card payments you have to comply with all of the PCI Data Security Standard (DSS) requirements. If you make an imprint of the card for business purposes, then you must secure that in accordance with the DSS’s physical security rules, which are found in Requirement 9, “Restrict Physical Access to Cardholder Data.”

‍

Contact the VikingCloud team for more information about ensuring your organization stays PCI compliant.

‍