People, Process and Technology: A layered approach to customer credit card security
Aug. 25, 2009
* Dan Lane is the chief technology officer for Merchant Link LLC.

The hackers who allegedly perpetrated the largest credit card data breach in history were charged with stealing the credit and debit card numbers of some 130 million card holders who shopped at convenience and grocery stores. If the story ended there, perhaps the restaurant industry could rest assured.
Unfortunately, there are aspects to the situation that serve as a reminder to the industry that protecting your customers' credit card and personal data is more critical than ever. The accused ringleader was already in jail awaiting trial for his alleged efforts to hack into the network of a major restaurant chain. And, it turns out, the foodservice/restaurant industries are the target for 62 percent of all credit card data compromises (the next largest is retail at 16 percent), according to TrustWave, a payments industry security consultant.
As the number and the sophistication of hackers continue to rise, securing your restaurant's credit card payment system has become absolutely essential to the protection of your customers, your reputation, brand and bottom line. While protecting your credit card data will require some investment, there are many security products and services available which, coupled with basic common-sense actions, can protect your investment against potentially enormous damages. Experts agree that security is not solved with a single silver-bullet approach. Layers of security are needed to prevent threats from the variety of methods hackers employ. The creation or improvement of a layered security system revolves around three core elements: people, process and technology. Ensure the right balance of these components, and you will produce in your organization a payments security mindset which will become part of your operation's DNA and will enable you to maintain current security while being vigilant about future threats.

People

Like everything else about the restaurant business, robust security begins with hiring the right people – from corporate personnel to store managers and employees – and, like other safety measures, ensuring there is proper due diligence in the hiring process and that the staff are trained and made aware of sound security practices. Security measures are often inconvenient and require participation from everyone. So once employees are hired, and on a regular basis thereafter, provide security awareness training for all employees to sensitize them to your company policies and the value of following the security practices that are critical to keeping your business secure. Likewise, any contractors who work on your systems should be required to follow the same security policies as your own staff.

Process

Securing a business is not a set-it-and-forget-it prospect.
Security threats evolve along with technology, so some threats of two years ago are no longer as important, while new threats are constantly emerging (e.g. the proliferation of wireless LANs). Therefore it is important to create and adhere to security practices that ensure your business is protected over time. Securing the personal information of your customers certainly does not begin, nor does it end, with the implementation of a firewall, tokenization (explained below) or an encryption system. It really involves knowing where data is produced, stored and transported at all times, and establishing iron-clad policies to govern how that data is managed.

Where do you start? Most experts agree that all businesses should have a documented security policy. A security policy gives you a consensus baseline for establishing rules and tracking compliance with security laws. To that end, restaurants should conduct an internal audit to identify the sources of sensitive data, which include credit card numbers and perhaps other customer or employee data. The process also should include a schedule for maintenance, education, communication and coordination. Passwords should be changed frequently, and the number of people with access to your systems restricted to the extent possible. Limit access to information, and ensure whatever sensitive information you retain is highly secured. One of our clients, fast casual chicken chain El Pollo Loco, also consults with a security auditor to ensure they continue to stay in compliance with PCI and the Sarbanes-Oxley Act. They feel it is important enough to make it part of their regular routine.

Technology

In today's payment environment, technology is exploited by hackers to gain access to data, but it also plays a leading role in the protection of sensitive customer information.
The good news is that security systems are more effective and efficient than ever, as long as restaurants monitor and update them to meet their evolving needs – and to defend against the growing sophistication of those who would steal your data. Vendor contracts should include and spell out in detail the need for ongoing security upgrades and improvements, as well as each party's responsibility. Along with this, an installation guide should spell out how to re-install the application safely and securely if necessary.

An ever-increasing number of restaurants are implementing a tokenization and data outsourcing system like Merchant Link's TransactionVault. Credit card numbers are replaced with "tokens," unique codes that the restaurant can use to process payments and track customer purchasing patterns but that are useless to cyber thieves seeking the data; the actual credit card data is stored off-site. With or without a tokenization system, restaurateurs are advised to install, properly configure and regularly test, maintain and upgrade a good firewall, as well as antivirus software.

Safely storing your card data also should be of paramount concern. A leading industry research and advisory company recommends that enterprises focus on limiting their exposure and liability for cardholder data, and reduce the cost and risk of the Payment Card Industry Data Security Standard (PCI) audit process, by fully removing the data from the infrastructure. Some security providers allow you to offload sensitive data or certain security services. One of our large retail clients recognized that by building its own data vault, it would be secure at first, but over time access exceptions would be granted and sensitive credit card information would be re-introduced into the organization. Therefore, they decided to outsource their credit card data storage to a secure, off-site data facility.

Restaurant owners and operators are not, and should not have to become, cyber-security experts.
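The tokenization model described above, as an added illustration that is not part of the original article and is not Merchant Link's TransactionVault code: a hypothetical `TokenVault` class stands in for the off-site facility, the restaurant's own records hold only the token and the last four digits, and the card number is rejected up front if it fails a Luhn check. The card numbers in the `__main__` block are constructed test values, not real accounts.

```python
"""Tokenization sketch: the restaurant never stores a full card number (PAN).
Hypothetical vault, constructed for illustration only."""
import secrets


def luhn_valid(pan: str) -> bool:
    """Reject malformed card numbers before they are ever sent to the vault."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for an off-site vault. Tokens are random, so a stolen token
    table on the restaurant's side reveals nothing about the cards behind it."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        # Same card -> same token, so the restaurant can still track
        # purchasing patterns without holding the PAN itself.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        token = secrets.token_hex(8)
        while token in self._pan_by_token:      # guard against a rare collision
            token = secrets.token_hex(8)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Only the payment-processing role may recover a PAN; store systems cannot."""
        if role != "processor":
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._pan_by_token[token]


def record_sale(merchant_db: list, vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Everything the restaurant keeps per transaction: token, masked digits, amount."""
    pan = pan.replace(" ", "")
    token = vault.tokenize(pan)
    row = {"token": token, "last4": pan[-4:], "amount_cents": amount_cents}
    merchant_db.append(row)
    return row


def spend_by_token(merchant_db: list) -> dict:
    """Purchasing-pattern analysis that works on tokens alone."""
    totals: dict[str, int] = {}
    for row in merchant_db:
        totals[row["token"]] = totals.get(row["token"], 0) + row["amount_cents"]
    return totals


if __name__ == "__main__":
    vault = TokenVault()
    db: list = []
    # Constructed, Luhn-valid test numbers; not real accounts.
    record_sale(db, vault, "4111 1111 1111 1111", 1250)
    record_sale(db, vault, "4111 1111 1111 1111", 899)
    record_sale(db, vault, "5555 5555 5555 4444", 2100)
    print(db)                  # tokens and last4 only
    print(spend_by_token(db))  # repeat customer visible by token
```

The point the design makes is the one the article makes: the merchant-side table is useful for business reporting but worthless to a thief, and the one operation that recovers a card number lives behind a role check in the vault, not in the store.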
But it is appropriate to be a little paranoid. Increasingly, they have come to understand that without a fundamental credit card data security plan, they put their customers and their brands at risk. There are plenty of resources available for you to get started with the basic steps towards securing your systems and business, starting with Payment Card Industry Security Council's Quick Reference Guide. This will provide a summary of the requirements of the Payment Card Industry, and additional available resources. Ben Franklin coined the term, "an ounce of prevention is worth a pound of cure." Taking the time and making the right investment in people, process and technology will provide your operation the right security antidote so your focus can return to improved revenue, serving good food and providing the best hospitality for your customers.