> I'm quite sure there are many many databases around with no
> encryption of CC
> details.
> Not sure what info you have on "Visa/Mastercard regulations dictate"..
> do you have a link?
> They can't make it illegal not too.. they only have your best efforts to
> request of you. If you provide good protection for the database as a whole
> this may be sufficient. But I'm not sure why a restaurant would
> need to keep
> CC details on record.. they should only use them and get rid of them....
> Alan
>

http://usa.visa.com/media/business/cisp/Level_3_Merchant_Compliance_Question
naire.pdf

http://usa.visa.com/business/merchants/cisp_index.html


Yes, there are POS software vendors that do not encrypt CC data. As a
matter of fact, I know of one in particular (a competitor) that did not
encrypt CC data. One of the restaurant's employees got into the database,
extracted credit card numbers and went on a spending spree. Well, the guy
is doing time as we speak. Unfortunately, AmEx also went after the POS
software vendor as well and the suit is still on-going last I heard.

You're correct, normally restaurants DO NOT need to retain credit card info.
Just need to keep it long enough to perform a post authorization of a
previously pre-authorized transaction with tip, if any.

However, we've recently entered the Resort/Hotel market with our new
Micros/Fidelio standard interface and the hotels want to have access to the
credit card numbers for auditing purposes. Even then, they are only kept in
the database for 90 days and deleted during that day's current End of Day
procedures. Also, some restaurants also need to retain cc data for a short
period such as restaurants that perform catering services.

Cheers,

Lee