2020 PCI Attestation of Compliance

Attached below you will find our signed 2020 PCI Attestation of Compliance (AOC). 


Olo PCI Compliance Overview

What is PCI Compliance?

PCI Compliance refers to the Payment Card Industry Data Security Standard (PCI DSS) designed to protect cardholder data. Every company that accepts credit card payments must be PCI compliant.  

What do I need to know about PCI Compliance with Olo?

Olo is PCI Compliant, which means our white-label ordering platforms (web, mobile, apps) are PCI Compliant. This matrix outlines PCI responsibilities for Olo and restaurant brands. This covers all of our customers, not just those building a custom application on the Olo API. 

Brands that build custom applications on the Olo API are responsible for ensuring it is PCI compliant. We are not qualified to advise any third-party on PCI scope. If a brand is looking to assess their PCI scope, we suggest working with a PCI Qualified Security Assessor (QSA).

Ensuring your Ordering API project is PCI compliant

Olo is not in the position to advise third parties on how to address PCI compliance. The third-party and the brand hold this responsibility. In the past, we have seen other partners use these approaches successfully:

  • A third-party agency can become PCI compliant if it is not already.
  • A third party can outsource the handling of credit card payment data to a PCI compliant vendor.
    • There are vendors that offer solutions to capture cardholder data and pass that information to the Olo API on behalf of the brand.
    • If a brand chooses to work with such a third-party vendor, the front-end developer and the vendor need to work together to ensure that the final basket submission is completed via the Order Submission API endpoint with full payment data from the customer (not a token).

Olo's Position on Alcohol Sales

Audience

Brand Managers, Marketing Leaders

Description

Due at least in part to current events, including temporary restrictions on in-store dining, many of Olo’s customers have expressed an interest in selling alcohol to their guests for pickup or delivery via ordering sites. We want to do everything we can to help our customers fulfill the demands of their guests, especially given the unusual circumstances facing restaurants today. With that in mind, we have reviewed this particular need and would like to share with you the specific limitations we have instituted relating to the sale of alcohol via Olo. 

Solution

You will be responsible for ensuring compliance with all state or local laws and similar requirements, including but not limited to those related to the verification of a guest’s age or other determinations necessary to confirm the guest can legally purchase alcohol. To the extent alcohol is ordered through Olo’s platform in any of these circumstances, Olo takes no responsibility for ensuring compliance with state or local laws or requirements including determination of the age of the end-user and will rely on the assumption that you are taking the necessary steps to comply with the law. You may offer alcohol via Olo ordering in the following scenarios only:

  • Pickup - this is defined as an order that is placed directly via your website or app and is picked up by the guest at your establishment counter. 
  • Drive-Thru - this is defined as an order that is placed directly via your website or app and is picked up by the guest via your drive-thru. 
  • Curbside - this is defined as an order that is placed directly via your website or app and is picked up by the guest on the premises of your establishment but at the curb. 
  • Self-Delivery - this is defined as an order that is placed directly via your website or app and is delivered by a member of your staff or company-owned fleet to the guest.  
  • Rails - this is defined as an order placed on a marketplace using the Olo Rails integration.

 

Important Note Regarding Dispatch

Ordering alcohol for delivery to a guest by a third-party partner via Dispatch is not permitted at this time. This means that Dispatch Service Providers may not pick up alcohol orders and deliver them to guests. Olo has implemented functionality to prevent users from submitting an alcohol order via Dispatch: the user receives an error if they attempt to submit a basket that contains at least one item carrying the 'alcohol' tag while delivery (Dispatch) is selected as the handoff mode.

The order is blocked when all of the following conditions hold:

  • Has 'Delivery' selected as a handoff mode
  • And uses Dispatch
  • And contains at least one item that has the 'alcohol' tag

We are continuing to review needs and opportunities relating to the sale of alcohol by third-party delivery providers. We will keep you updated as we review these opportunities and will notify you if our policies change. If you need further clarification on this topic, please reach out to your CSM.

 

Steps

  1. Determine all legal requirements related to sale and delivery of alcohol and implement the necessary processes accordingly.

  2. Please review this article to configure products to be available on your site by appropriate handoff modes and follow the steps.

 

Olo Terms for Partners

 

Introduction

Please refer to the below definitions for key Olo terminology to help familiarize your teams with our platform and tools. You can find a PDF version of this article attached. 

 

Admin

  • Olo’s backend system where we enter store data, brand information, and settings.

Basket Test

  • Validation test for POS integrated menu items.
  • Available in Dashboard for customers to access or in Admin.
  • It does not send the order to the store; it performs only a simple validation.
  • For more information, please visit the Help Center.

Channel

  • Olo’s internal term for the restaurant brand that gets created in Admin. Each brand has a channel with settings that impact all stores. Within each channel, there’s a company, and within each company, lives the brand's specific store locations. 

Customer Success Manager (CSM)

  • A member of our Customer Success team who handles the direct relationship between Olo and each restaurant brand. Every restaurant brand works closely with their CSM on new projects and integrations.

Dashboard

  • The central tool used by restaurant brands and stores to manage their online ordering and delivery programs.
  • Website: https://my.olo.com.
  • For more information, please visit the Help Center.

Deployment Customer

  • A restaurant brand who has not fully completed the Olo onboarding process. 

Deployment Team

  • Part of our Customer Success team. This team manages the entire deployment process for restaurant brands from contract signing until 80% of their stores have gone live on the Olo platform. Once the 80% threshold is reached, they are introduced to their Customer Success Manager who handles the relationship from that point forward.  

Dispatch

  • Olo’s white-label delivery product allowing brands to enable third-party delivery through their branded site and app. Dispatch leverages multiple Delivery Service Providers (DSPs) to complete orders. Read more about Dispatch here.

Delivery Service Provider (DSP)

  • A partner company that handles the process of transporting a restaurant’s order from the store location to the end customer via Dispatch or through third-party marketplaces via Rails.

External Reference ID 

  • A customer-generated identifier used to distinguish different locations. 

Order Mode

  • A designation for orders in the POS. For example, Olo sends a different order type through to the POS if the order is pickup vs. delivery. This allows brands to have different rules for these orders (e.g. pickup orders go to counter 2, delivery orders go to counter 4). This helps with reporting and reconciling and makes it easier for them to logically break up orders in their POS reports.

Handoff Mode

  • This refers to how the customer can receive their order. Handoff modes can be Pick Up, Dine In, Carry Out, Delivery, Dispatch, Drive-Thru, etc. 

Maintenance Customer

  • A customer that has successfully deployed 80% of their online ordering program.

Mealtime

  • Mealtime refers to the standard online ordering “to go” website. This differs from other types of sites we can support such as catering, Switchboard, and kiosk. 

Menu Admin

  • Website: https://my.olo.com/menuadmin/
  • A section on Dashboard where menus are built and maintained. Only certain users have access to this tool.
  • The Company Menu controls the menu at the Company Level. There is also a Store level menu where specific categories and menu items can be controlled at the Store level. 
  • For more information, please see our menu articles on the Help Center

Merchant Account

  • The account used by stores to accept credit cards.

Metadata

  • Used in Menu Admin to alter the Olo UIs and/or to send custom data to a third party. See this article for an example of how metadata can impact the Olo UI.

MIM (Menu Image Management)

  • The Menu Image Management tool on the Dashboard that enables brands to upload product and category images from Dashboard directly to their site.

Modifiers

  • Terminology for the menu options/choices that live within a product. For example, a modifier for a hamburger item may be “Add Ketchup”.
  • All modifiers are a part of a modifier group.
  • Modifier groups can be shared across multiple items.

Nesting

  • The concept of modifiers living underneath modifiers. For example, if someone orders a sandwich, they may have the option to select their protein (e.g. Choose Protein: Chicken, Steak, Carnitas). If they select “Steak” as an option, they may be prompted with a required modifier group that asks what temperature they’d like their meat cooked at. This would only appear/be required if the customer selected Steak. 
  • Olo allows an unlimited amount of nesting so there could be multiple levels underneath certain modifier choices. 

Point of Sale (POS)

  • Traditional POS
    • These are POS systems that are installed in the restaurant typically on a Windows PC acting as the back of house POS server.  Example POSs are Aloha, MICROS (3700), MICROS 9700, Simphony 2 (Standard and Premium), PAR PixelPoint, POSitouch, Xpient (Iris), Focus POS, MicroSale, RPOS, etc.  These types of POS systems must have an Olo “agent” installed on a PC in the restaurant to use Olo.
  • Cloud POS
    • These are POS systems that reside in the cloud; the restaurant connects its in-store POS terminals to this cloud-based POS. Example POSs are PAR Brink, Revel, Toast, CBS Northstar, PDQ, NCR Silver/Silver Pro, and any OloCloud integration. These types of POS systems typically have some sort of vendor configuration value that determines which Olo vendor communicates with which POS system. No Olo agent installation is required for these POS systems.

Public Store

  • A restaurant location that is live and on a brand’s site or app.

Prepaid 

  • Payment is collected outside of Olo (e.g. Rails partners and kiosks are the main examples). This differs from credit card payment, where Olo passes credit card information to the Payment Processor for processing.

Private Store

  • A store that is not searchable on a brand’s white-label site or app. The only way someone can access a Private store is if they have access to the store-specific URL. Stores are in Private mode before they are set Public. 
  • Demo vendors are frequently set to Private as well.

Rails

  • Olo’s software product that allows restaurant customers to place orders through marketplace sites like DoorDash, Postmates, and Caviar. Orders placed flow directly through to the restaurant POS system via Olo’s API. For more info, please visit Olo.com/help.

Specialist 

  • A member of the Olo Customer Success Team; a specialist focuses on specific Olo products and integrations and helps our customers implement these settings on top of their ordering platform.

Switchboard

  • Olo’s product that processes orders originating from a restaurant’s call center. For more information, visit the Help Center.

Technical Specialist - POS

  • Previously known as TAM. Part of the Customer Success team, TAM is an expert for one or multiple POS systems. A TAM works directly with customers to set up their POS, troubleshoot issues, etc.  This team is now the POS Team (Technical Specialist - POS).

Throttling

  • Every order has a make time associated with it depending on the "Total Make Time" strategy and the items in the customer's cart. Our throttling mechanism evaluates the total make-time of all orders in a 15-minute period and allows restaurants to cap the total number of make time minutes for all orders. 
  • When a customer attempts to place an order during a time when the kitchen cannot support more orders, they are ‘throttled’ into the next available time slot.
  • For more information, please see here

Vendor

  • Also known as a Location or a Store. "Vendor" is a legacy term used internally at Olo. Within Admin (backend) we refer to stores as vendors.

Vendor ID 

  • A number that is generated and unique to each vendor within the Olo platform. It cannot be adjusted and is considered the "master" reference in our API.

Olo's W-9

Please click here to download Olo's W-9.

Skip the Line® Trademark Usage Guide

These guidelines are for Olo customers and partners wishing to use “Skip The Line®” in promotional, advertising, or instructional materials, websites, apps, packaging, labels, and products. This mark is reserved for use exclusively by our customers and partners as indicated in Olo’s service agreement.

Brands wishing to utilize this mark should follow these guidelines:

  • Use of “Skip the Line” must include the registered trademark symbol (®) to the right adjacent to the words or artwork when SKIP THE LINE is used in association with mobile ordering software and mobile apps. In other instances, use should include the symbol TM, meaning the trademark is not yet registered for use in that context.

  • Use the trademark as a tagline or an adjective, and not as a command within a sentence. Always avoid use of the mark in a descriptive manner.

  • While there are no specific size or display guidelines, the registered mark must be at clear visible size in print or digital display.

  • No footer or attribution beyond the reserved symbol is required.

Correct (each example is paired with the Incorrect example in the same position below)

  • SKIP THE LINE® mobile app
  • Skip the Line® / Order online with our app and have your meal ready when you arrive
  • SKIP THE LINE® / Download our mobile ordering app
  • SKIP THE LINE™ delivery services
  • Skip the Line™ / Order Online

Incorrect

  • We can help you SKIP THE LINE
  • Skip the Line and save time OR Save some time, Skip the Line
  • SKIP THE LINE® with our mobile app
  • Skip the line delivery services
  • Skip the line™ and order online

 

Understanding the Ordering Process

Below is a high-level look at a typical online order flow and the parties involved in completing the process. The goal of this diagram is to help you understand who is responsible for each part of completing an order.

Included are several common questions and who to contact to resolve them. In some cases there is more than one step to solving the issue. If you are still stuck please open a Help Center ticket and somebody will be able to assist you further.

A PDF of this information can be found at the bottom of the article.

 

Webhooks Overview

Introduction

Webhooks (also known as a web callback or HTTP push API) allow external applications to receive information about events that have occurred within the Olo platform. Partners that utilize webhooks gain an efficient way to take action based on events without needing to query Olo's systems for changes. Typical use cases may include keeping internal systems in sync with Olo, responding to issues or outages, monitoring trends, or maintaining mailing lists.

 

How does this work with Olo?

Webhooks allow third parties to subscribe to certain events that occur in Olo’s system by providing an HTTPS endpoint to which Olo delivers event details via HTTP POST. For the recipient, webhooks are a way to receive valuable information as it happens.

 

Types of webhooks & how to sign up

For details on the webhook types supported and more information on setting up webhooks, please contact us via the Help Center. Note that before connections can be established, the customer (brand) must authorize the request. Olo can then provide access to the Developer Portal to review documentation, and the customer can activate the requested webhooks.

Preparing for new PCI TLS 1.2 security standards

On July 1, 2018, the PCI Data Security Standard (PCI DSS) for safe processing of payment data will no longer allow the TLS 1.0 protocol, which is no longer considered secure and will no longer meet PCI DSS requirements for ‘strong cryptography’. There are many vulnerabilities in SSL/early TLS that can put your organization at risk of being breached. Below are several FAQs to help explain how this may impact your brand. Additional details can be found here as well.

 

What does this change mean for your Olo POS integration?

As part of your online ordering solution, Olo installs a “POS agent” service on your in-store Point of Sale (POS) server in order to communicate with Olo servers for order transmission and the synchronization of certain menu information.

Ahead of the PCI DSS deadline, Olo is providing free TLS 1.2 security protocol upgrade versions for all Olo in-store POS agents. The in-store POS integration software has been upgraded with several enhancements to help maintain your POS integrated digital ordering solution, including improved reconnection and version checking logic, better metrics collection, and smoother error handling.

Moving forward, new feature development will continue only for these updated, secure POS agents. Olo will maintain connectivity support for older agents already installed at store locations but highly recommends that these agents be replaced with the updated versions as soon as possible. New PCI security assessments are likely to require the disabling of TLS 1.0, which would disable older Olo agent communications.  

New POS agent versions have been thoroughly tested and are backward compatible with all features and configurations. Upgrading can be done quickly and easily using the Olo Dashboard, and once set to a new version, stores upgrade automatically, typically within a few minutes.

Beyond this specific upgrade, Olo works constantly to improve our POS agents for all system integrations, and we recommend checking the Olo Dashboard periodically to make sure your stores are kept updated with free updates to the latest Olo versions marked for General Release.


Will the new Olo POS agent versions run in any in-store environment?

Some operating system requirements may apply. These more secure in-store POS agents will require the .NET framework version 4.5.2 or higher (.NET 4.6 or higher recommended).  The TLS 1.2 secure agents will not run properly on the Windows XP operating system. Olo highly recommends that any Windows XP environments be replaced as soon as possible for the security of your in-store environment.  

Do I have to upgrade my stores?

Olo POS agent upgrades are optional. Olo highly recommends that you upgrade, for both security and stability benefits as well as for any new feature development, but Olo does not require that you take this action. Ultimately it is at the discretion of your organization and the PCI DSS requirements you intend to observe. The new agent is, however, required if you plan to disable TLS 1.0 for all outbound traffic at the OS level. You may upgrade at your discretion using these steps.


Does the Olo agent transmit or store cardholder data?

No, most QSAs consider the Olo agent to be out of scope for both PCI-DSS and PA-DSS, as it does not store, process or transmit cardholder data. However, the agent is typically installed on a computer that falls within PCI scope. As such, it is subject to any computer-wide restrictions that have been enforced - for example, if early SSL/TLS versions are disabled in the registry.

Is upgrading my Olo POS agent required for PCI compliance?

Not necessarily. The Olo POS agent does not store, process, or transmit cardholder data, and most QSAs, therefore, consider the Olo agent to be out of scope for both PCI-DSS and PA-DSS.

However, if TLS 1.0 is disabled at the Operating System level for the in-store environment, and you have an older Olo POS agent installed that relies on TLS 1.0, it will break your Olo integration. The store will go offline until an updated POS agent is installed.

It's highly recommended you upgrade the Olo agent before TLS 1.0 is disabled so that the auto-upgrade can be set from the Olo Dashboard. After TLS 1.0 is disabled, the upgrade will have to be done manually.
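The FAQ above lists what an in-store server needs before TLS 1.0 is switched off: a non-XP operating system, .NET Framework 4.5.2 or higher (4.6 recommended), and an agent that can speak TLS 1.2. The following read-only pre-flight script is an added example written for this article, not an Olo tool, and it checks those points and then confirms the box can actually negotiate TLS 1.2 outbound. Assumptions: Windows PowerShell 3.0 or later, and a probe host of your choosing; the article does not name the agent's endpoint, so the default below is the Dashboard host from this page, used only as a reachable TLS 1.2 endpoint.

```powershell
# Added example, not Olo's own tooling: read-only TLS 1.2 readiness check for a
# Windows POS server, to run before TLS 1.0 is disabled at the OS level.
# Assumes Windows PowerShell 3.0+ and administrator rights for registry reads.

function Get-DotNet4Release {
    # .NET Framework 4.x records a "Release" DWORD here; 379893 = 4.5.2 and
    # 393295 = 4.6 (values from Microsoft's published .NET Framework version table).
    $key  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $prop = Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 0 }
    return [int]$prop.Release
}

function Test-SchannelTls10ClientDisabled {
    # Schannel reads protocol switches from this key. An explicit Enabled=0 means an
    # older, TLS 1.0-only agent on this box would lose connectivity.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client'
    $prop = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    return ($null -ne $prop) -and ($prop.Enabled -eq 0)
}

function Test-OutboundTls12 {
    param([string]$HostName, [int]$Port = 443)
    # Offer TLS 1.2 only. Where the OS or .NET build cannot do TLS 1.2 (Windows XP,
    # .NET older than 4.5) AuthenticateAsClient throws, which is reported as $false.
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        $ok = ($ssl.SslProtocol -eq [System.Security.Authentication.SslProtocols]::Tls12)
        $ssl.Dispose(); $tcp.Close()
        return $ok
    } catch {
        return $false
    }
}

function Test-PosAgentTls12Readiness {
    # $ProbeHost is an assumption: any HTTPS host the server should reach. The default
    # is the Dashboard host named in this article, used only as a TLS 1.2 endpoint.
    param([string]$ProbeHost = 'my.olo.com')
    $release = Get-DotNet4Release
    $osVer   = [Environment]::OSVersion.Version   # Windows XP reports 5.1
    [pscustomobject]@{
        OsVersion           = $osVer.ToString()
        OsSupported         = $osVer -ge [Version]'6.0'   # XP (5.x) is unsupported
        DotNetRelease       = $release
        DotNetMeetsMinimum  = $release -ge 379893          # 4.5.2 or higher required
        DotNetRecommended   = $release -ge 393295          # 4.6 or higher recommended
        Tls10ClientDisabled = Test-SchannelTls10ClientDisabled
        OutboundTls12Works  = Test-OutboundTls12 -HostName $ProbeHost
    }
}

# Usage: run in an elevated PowerShell session on the POS server.
Test-PosAgentTls12Readiness | Format-List
```

Read the result as a whole: if Tls10ClientDisabled is already true and an older agent is installed, the store is in the state the FAQ warns about and the agent must be updated manually; if OutboundTls12Works is false, fix the OS or .NET prerequisite before scheduling the Dashboard upgrade. A server on which the script itself refuses to run is usually an XP-era box with PowerShell 2.0, which is itself the answer to the readiness question.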


Does upgrading my Olo POS agent make my POS in-store environment PCI compliant?

Olo cannot certify your PCI compliance status. The overall status of your in-store PCI compliance must be reviewed by a Qualified Security Assessor (QSA). The upgraded security of the Olo POS agent installed in-store is ultimately a small piece of your overall data security puzzle.


What is SSL/early TLS?

Transport Layer Security (TLS) is a cryptographic protocol used to establish a secure communications channel between two systems. It is used to authenticate one or both systems and to protect the confidentiality and integrity of information that passes between them. It was originally developed as Secure Sockets Layer (SSL) by Netscape in the early 1990s. Standardized by the Internet Engineering Task Force (IETF), TLS has undergone several revisions to improve security, block known attacks, and add support for new cryptographic algorithms, with major revisions to SSL 3.0 in 1996, TLS 1.0 in 1990, TLS 1.1 in 2006, and TLS 1.2 in 2008.

*Reference article

Configuring Custom Domains

Follow the instructions below to create a sub-domain of your existing website URL to host your Olo online ordering site.

Instructions:

  1. Desktop: Ask your webmaster to CNAME the subdomain order.[brandname].com to whitelabel.olo.com. If you are not using “order” as the subdomain, CNAME whichever sub-domain you will be using.

    Ex. order.crazychicken.com, ordernow.burritopalace.com, get.deliciousfood.com

  2. Mobile: Ask your webmaster to CNAME the subdomain mobileorder.[brandname].com to brands.olowhitelabel.net. If you are not using “mobileorder” as the subdomain, CNAME whichever sub-domain you will be using.

    Ex. mobileorder.crazychicken.com, mobileorder.burritopalace.com, mobileorder.deliciousfood.com
  3. Once the CNAME has been setup you will need to provide your Olo deployment manager or customer success manager with the URL that should be used and confirm when the CNAME has been setup on their side.

Notes:

  • Do not change the word “whitelabel” to the brand name. The CNAME must be whitelabel.olo.com.

  • For the mobile setup: Do not change the word “brands” to the brand name. The CNAME must be brands.olowhitelabel.net.
  • It may take up to 24 hours for CNAME changes to take effect. Once the CNAME is set up correctly, visiting the subdomain will direct you to parked.olo.com. This means you are correctly pointing to an Olo URL.

  • A Canonical Name record (or CNAME) is a type of resource record in the Domain Name System (DNS) used to specify that a domain name is an alias for another domain (the 'canonical' domain).
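The notes above boil down to one check: each subdomain's CNAME must point at exactly whitelabel.olo.com (desktop) or brands.olowhitelabel.net (mobile), with neither target renamed. The following script is an added example written for this article, not Olo's own tooling; it queries DNS for a subdomain and reports whether the record matches the required target. It assumes Windows PowerShell 4.0 or later with the built-in DnsClient module (Resolve-DnsName); the subdomains in the usage lines are the article's own example names and should be replaced with your brand's.

```powershell
# Added example, not from the article: verify the Olo CNAMEs described above.
# Assumes Windows PowerShell 4.0+ (Resolve-DnsName from the DnsClient module).

$ExpectedCnameTargets = @{
    Desktop = 'whitelabel.olo.com'        # required target from step 1 and the first note
    Mobile  = 'brands.olowhitelabel.net'  # required target from step 2 and the second note
}

function Test-OloCname {
    param(
        [Parameter(Mandatory = $true)][string]$SubDomain,
        [Parameter(Mandatory = $true)][ValidateSet('Desktop', 'Mobile')][string]$Kind,
        [string]$Resolver   # optional: ask a specific DNS server instead of the local one
    )
    $expected = $ExpectedCnameTargets[$Kind]

    # -DnsOnly skips hosts-file and cache lookups so the answer reflects live DNS.
    $query = @{ Name = $SubDomain; Type = 'CNAME'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($Resolver) { $query.Server = $Resolver }
    $cname = Resolve-DnsName @query | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1

    # WrongTarget is what you get when "whitelabel" or "brands" was replaced with the
    # brand name, which the notes above warn against.
    $status = if ($null -eq $cname) { 'NoCnameRecord' }
              elseif ($cname.NameHost.TrimEnd('.') -ieq $expected) { 'OK' }
              else { 'WrongTarget' }

    [pscustomobject]@{
        SubDomain = $SubDomain
        Kind      = $Kind
        Expected  = $expected
        Actual    = if ($cname) { $cname.NameHost } else { $null }
        Status    = $status
    }
}

# Usage with the article's example names (replace with your own subdomains):
Test-OloCname -SubDomain 'order.crazychicken.com'       -Kind Desktop
Test-OloCname -SubDomain 'mobileorder.crazychicken.com' -Kind Mobile
```

A NoCnameRecord result right after the change is made may only mean the record has not propagated yet; the article allows up to 24 hours, so re-run later or pass -Resolver with your DNS provider's authoritative server to see the record as soon as it is published. Once the status is OK, visiting the subdomain should land on parked.olo.com as described above.
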

Setup Tracking for Apps on Facebook

Overview

Our mobile apps are now integrated with Facebook App Ads installs. This is a valuable tool to help brands connect with people who are more likely to install, and frequently use, your mobile app. These ads can be shown across Facebook, Instagram and Audience Network and will help brands track who's downloading their apps. This information can provide actionable insights about your customers such as their age, gender, location, and device preference.

NOTE: This integration cannot track in-app purchases. Facebook only tracks virtual in-app purchases, not physical purchases — and Olo products are considered physical purchases. 

Facebook App Ad Examples

To set this up, you will need to configure your app in Facebook’s testing environment. If you were running ads before, you can now track them. If you have any trouble with the steps below or would like help setting up app tracking contact our Support Team.

Setup Instructions

    1. Go to Facebook and create an account (or use an existing one) for tracking information

    2. Once you’ve logged in, visit https://developers.facebook.com/apps/

    3. Click + Add a New App

    4. Enter the name of the app under Display Name

    5. Enter a contact email and hit Confirm

    6. On the left, click Dashboard

    7. Finally, send your App ID and Display Name to our Support Team who will complete the setup process and make sure everything is working as intended


Video walkthrough - part 1

Video walkthrough - part 2
