Extra Steps to Keep Customers' Credit-Card Data Safe and Secure
Foodservice operators can safeguard customers' credit-card data by taking steps above and beyond national security standards.
By Lisa Bertagnoli, Special to R&I -- Restaurants & Institutions, September 1, 2009
New technologies help ensure that customers and operators alike remain safe from would-be credit-card thieves.
Bertucci’s, the Northborough, Mass.-based Italian casual-dining chain, has never had a credit-card security breach. If Kevin Quinlan has his way, it never will.
Quinlan has equipped Bertucci’s corporate and store-level computers with file-locking software that prevents employees from downloading iTunes, burning CDs and surfing the Internet on company computers. The point: to add an extra layer of security to protect credit-card numbers from being stolen by hackers.
Credit-card security “is my No. 1 priority,” says Quinlan, senior director of information technology at the 95-unit chain. “I don’t want to see our name in the paper.”
Indeed, a survey conducted last year by a Maryland-based credit-card transaction processor found that 75% of restaurant operators cite brand damage as their biggest concern when it comes to credit-card security breaches. Operators are worried because their customers are: 68% of respondents said they believed customers’ concern about breaches had risen in the last year.
Why Comply?
Despite those concerns, only 48% of respondents said they are fully compliant with data-system security measures set forth by the PCI Security Standards Council, which was established by several major credit-card companies in 2006.
“There is an education issue here,” says Bob Russo, general manager of the Wakefield, Mass.-based council. “For a small merchant, a local pizzeria, a breach could be catastrophic.”
That is true not just from a financial but also from a brand-management point of view. “People will get up and walk away … they lose confidence in the merchant,” Russo says.
PCI compliance entails completing 12 steps, from maintaining a firewall to protect credit-card data to regularly updating antivirus software (for more information, visit the council’s Web site, www.pcisecuritystandards.org).
The PCI council does not monitor compliance; rather, acquiring banks (the banks that accept credit-card payments on a merchant’s behalf) handle enforcement. Noncompliance fees can be as high as $250,000.
Extra Steps
Russo and other experts say that operators should consider safeguards beyond the PCI measures to help protect customers’ credit-card data. “It’s not about checking the boxes; it’s about security,” Russo says.
Here are six additional precautions to take:
Ensure that card processors are up to date. Under the Fair and Accurate Credit Transactions Act (FACTA), the grace period for installing card-processing systems that truncate customers’ credit-card numbers—printing no more than the card’s last five digits—ended in June 2008. Merchants who print receipts that are not compliant with FACTA are subject to state and federal fines as well as fines from credit-card issuers; Visa and MasterCard charge a penalty of $5,000 for the first violation.
Explore encryption. Several payment processors offer add-on security measures such as tokenization, whereby a credit card’s actual digits are replaced with a nondigit “token” once the card is swiped. The credit-card processor stores the token, not the digits, rendering the information useless to hackers. One processing company that suffered a major breach last year is testing an end-to-end encryption system that encrypts credit-card numbers through their entire journey from restaurant to bank to processor.
Change passwords often. POS systems come with a default password that needs to be changed immediately, notes the president and CEO of a Los Angeles-based security-software manufacturer. He recommends changing passwords after key employees depart and after a contractor has worked on an operation’s computer system.
Secure the credit-card processor. Credit-card-processing terminals should be locked away at night. They also should not be connected to the Internet, and they should be armed with regularly updated firewalls and antivirus software.
Don’t piggyback WiFi. For convenience’ sake, it’s tempting to set up customer WiFi service on an existing system. That makes life easy for the operator—and easy for hackers. When setting up WiFi service, separate it completely from the restaurant’s POS and computer systems.
Keep an eye out for suspicious behavior. This spring, five former servers at three Washington, D.C., restaurants pleaded guilty in a scheme whereby three nonemployee ringleaders paid the servers to use handheld skimming devices to steal customers’ credit-card numbers, according to The Washington Post. The ringleaders, who pleaded guilty in Virginia to bank fraud and aggravated identity-theft charges, ran up more than $730,000 in thousands of transactions on diners’ cards.
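As an added illustration of the FACTA truncation rule described above (example code written for this page, not from the article or any company it mentions): a Python check that scans the text a POS system would send to the receipt printer, finds card-number fields, and flags any that print a full card number or leave digits visible beyond the last five. The sample receipt and its card fields are constructed; the VISA line uses the well-known 4111... test number.

```python
import re

# FACTA: a printed receipt may show no more than the last five digits of the card number.
MAX_VISIBLE_TRAILING_DIGITS = 5
# 13-19 card-number characters (digits or mask characters), optionally separated by spaces/dashes.
CANDIDATE = re.compile(r"(?<![0-9Xx*])[0-9Xx*](?:[ -]?[0-9Xx*]){12,18}(?![0-9Xx*])")

def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test: tells a real card number from an order or reference number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def check_receipt(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, offending field, reason) for every card field that shows too much."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            token = re.sub(r"[ -]", "", m.group())
            if token.isdigit():
                if luhn_valid(token):      # a full, unmasked card number on the receipt
                    findings.append((lineno, m.group(), "full card number printed"))
                continue                   # all digits but not Luhn-valid: order number etc.
            # Masked field: any digit outside the last five positions is over-exposed.
            visible = [i for i, ch in enumerate(token) if ch.isdigit()]
            cutoff = len(token) - MAX_VISIBLE_TRAILING_DIGITS
            if any(i < cutoff for i in visible):
                findings.append((lineno, m.group(),
                                 f"{len(visible)} digits visible; FACTA allows at most the last {MAX_VISIBLE_TRAILING_DIGITS}"))
    return findings

# Constructed sample receipt: lines 3 and 6 should be flagged, the others pass.
SAMPLE_RECEIPT = """\
EXAMPLE DINER #12 (constructed sample)
Order 000123456789012345
VISA  4111 1111 1111 1111
MC    **** **** **** 5454
AMEX  XXXXXXXXXXX45678
DISC  6011 00** **** 0004
Auth 123456   Total 42.17
"""

if __name__ == "__main__":
    for lineno, field, reason in check_receipt(SAMPLE_RECEIPT):
        print(f"line {lineno}: {field!r}: {reason}")
```

Running it against the sample reports the fully printed VISA number and the Discover field that leaves ten digits visible; the order number is ignored because it fails the Luhn check.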
“Taking a credit card is not a restaurant’s business—their business is making food,” Russo says. “But if you’re in the business, you have to be watching this [kind of thing].”