

Date: 01/18/18 07:50
Is Amtrak PCI Compliant?
Author: amtrakbill

PCI (Personal Credit Information) compliance is required by banks for most businesses that take credit cards. For the company to take credit cards they must have security set up to prevent theft of card information. Most of this security is around the type of servers, firewalls, networks, and procedures that are set up and the banking industry has auditors to ensure this safeguard.

When I pay for a meal on a train the server takes my credit card and processes the bill. Because I see employees with their cell phones out I wonder if this is something allowed by Amtrak as it would be very easy for someone to take a picture of my credit card and use it or sell the information.

Does anyone know if Amtrak went through this audit procedure particularly on board the trains?



Date: 01/18/18 08:21
Re: Is Amtrak PCI Compliant?
Author: jst3751

amtrakbill Wrote:
-------------------------------------------------------
> PCI (Personal Credit Information) compliance is
> required by banks for most businesses that take
> credit cards. For the company to take credit
> cards they must have security set up to prevent
> theft of card information. Most of this security
> is around the type of servers, firewalls,
> networks, and procedures that are set up and the
> banking industry has auditors to ensure this
> safeguard.
>
> When I pay for a meal on a train the server takes
> my credit card and processes the bill. Because I
> see employees with their cell phones out I wonder
> if this is something allowed by Amtrak as it would
> be very easy for someone to take a picture of my
> credit card and use it or sell the information.
>
> Does anyone know if Amtrak went through this audit
> procedure particularly on board the trains?

First, a correction. PCI stands for Payment Card Industry.

Yes, Amtrak would be PCI compliant as would be required by the bank(s) that Amtrak uses.



Date: 01/18/18 08:27
Re: Is Amtrak PCI Compliant?
Author: amtrakbill

I thought as part of the PCI standards a person taking a credit card should not have their smart phone out to prevent taking pictures of the card?



Date: 01/18/18 08:28
Re: Is Amtrak PCI Compliant?
Author: andersonb109

Why not use the cc machines as is common in Canada? Customer puts their card into the machine at the table. Zero chance of fraud.



Date: 01/18/18 08:36
Re: Is Amtrak PCI Compliant?
Author: jst3751

amtrakbill Wrote:
-------------------------------------------------------
> I thought as part of the PCI standards a person
> taking a credit card should not have their smart
> phone out to prevent taking pictures of the card?

In that same thought,
  • Merchants should be required to create a walled off booth to protect someone when they go to enter their PIN number.
  • Restaurants should be prohibited from having you, the customer, give your credit card to the server to take it to run it.
  • Gas stations should be prohibited from having you give your card to the attendant who then runs the card.
  • Airline stewardesses should be prohibited from asking you for your card to run to pay for your in-flight drinks.

Get the picture?

PCI standards deal with the moment/point of capture and beyond.



Edited 1 time(s). Last edit at 01/18/18 08:37 by jst3751.



Date: 01/18/18 08:37
Re: Is Amtrak PCI Compliant?
Author: joemvcnj

I am impressed when I go to Canada where I do the restaurant bill all by myself with their little cc gadget, none of this having the waiter "take it in back" and return.

They also have a different debit card system than we do, called Interac. I think our debit cards are only good as ATM cards there, though I never use a debit card as such here.



Date: 01/18/18 09:21
Re: Is Amtrak PCI Compliant?
Author: DavidP

andersonb109 Wrote:
-------------------------------------------------------
> Why not use the cc machines as is common in
> Canada? Customer puts their card into the machine
> at the table. Zero chance of fraud.

The US credit card companies are a decade behind on this type of technology... handheld terminals have been standard in European restaurants since the late 2000s.

Dave



Date: 01/18/18 11:03
Re: Is Amtrak PCI Compliant?
Author: emd_mrs1

From my work with PCI compliance I do not recall any issues regarding employees' cell phones and credit processing. A photo would not gain anything that a quick note with pen and paper could provide. Those new tiny credit card readers which can be used to read cards and process payments over the cell phone network are a problem.

The main compliance is with the data once the card is scanned and transmitted. Common protections include encrypting all data end to end, using "vlans" (virtual local networks) to prevent access by other machines on the network, and blocking snooping devices. It has since added "trusted devices" which require staff intervention to replace on a network and authorization from a central location for these devices to work. PCI compliance is not mandatory, but non-compliance will result in much higher transaction fees and responsibility for most all fraud expenses. Another concern is retention of card data which is very specifically limited for accounting purposes, and retention/encryption of data for offline transactions - when credit processing is not available and offline approval and storage must be done.

My trips with Amtrak only involved AmCafe purchases and they were processed by a specific device connecting to a cellular network, it appeared.

I am so very happy I no longer have to deal with credit card data protections. It is a huge headache.

Michael



Edited 1 time(s). Last edit at 01/18/18 11:05 by emd_mrs1.



Date: 01/18/18 12:10
Re: Is Amtrak PCI Compliant?
Author: jst3751

emd_mrs1 Wrote:
-------------------------------------------------------
> PCI
> compliance is not mandatory, but non-compliance
> will result in much higher transaction fees and
> responsibility for most all fraud expenses.

PCI compliance may not be mandatory by each and every bank, but all the ones I know of directly all require PCI compliance to be their customer.


