Restaurants target of data-security push

April 25, 2007 | by Valerie Killifer
In 2005, Papa John's International Inc. beefed up security for its e-mail system after the company learned customer data had been exposed through a leak at the chain's headquarters.
Although the data consisted mainly of names, addresses and e-mails, the leak is one example of a larger issue facing the restaurant industry: the breach of customer credit-card data.
"We're clearly in an environment today where it makes good business sense to protect sensitive information such as cardholder data," said Martin Elliott, vice president of emerging risk for Visa USA. "Why? Because customers have trust that their cardholder information is safe and kept in a secure manner."
The credit-card industry — including Visa USA, MasterCard, American Express and Discover — are cracking down on restaurants and merchants in an effort to better protect cardholder data.
"Trust is emerging as one of the critical business issues of the 21st century," said Visa USA chief executive John Phillip Coghlan at a March security summit. "Data security must move out of the back office and into the board room. Corporate officers must apply the same rigor to data security as they do their financial controls."
To help restaurants and other merchants protect themselves and their cardholders, Visa launched the Cardholder Information Security Program (CISP) in 2001. And in 2004, CISP requirements were incorporated into an industry standard — supported by each of the credit card companies — known as the Payment Card Industry (PCI) Data Security Standard.
The standards, effective Sept. 7, 2006, must be met by merchants across the board based on a strict compliance schedule that's breaks down merchants by the sales number of annual transactions.
An inside look
According to a March 2007 article in the Wall Street Journal, Chicago-based AmbironTrustWave said 62 percent of the security breaches it has seen during an 18-month period came from the restaurant industry. And Visa's Elliott said about 40 percent of credit-card breaches since 2005 have occurred in the restaurant space.
Elliott said Visa and other credit card companies are now targeting restaurants because of their security risks, especially at the point-of-sale.
On its Web site, Visa has listed the top three POS system vulnerabilities — identified to help support compliance with CISP and the PCI standard. At the top of the list: Remote access security.
"Many merchants have a capability built into their POS that allows them at the home office to go into store locations and pull information," Elliott said. "If that tool is not properly secured, a hacker might be able to get into it as well and pull information out of the POS."
To ensure their POS systems are safe, Martin recommended restaurants use software created by validated payment-application suppliers. A list of validated suppliers also can be found on Visa's Web site.
story continues below... advertisement

This story and all of our great free content is supported by:  
Galasource   Galasource Buy restaurant supplies and commercial wholesale food service supply products from Galasource Supply.  

Included on the list are Fujitsu, MenuSoft, Micros, Posera, POSitouch and Radiant Systems applications. Several other restaurant POS providers also are on the list.
Posera began working on their validated software payment application in 2005.
"It's something we absolutely had to do," said Shannon Arnold, marketing director for Posera Software Inc. "It really helps us give the tools to our customers so they can protect themselves."
That protection includes having a POS that drops secure customer data after a payment has been made.
Host and remote POS security
The second POS system vulnerability on Visa's list of the top three is host security: the POS system's ability to store sensitive cardholder data.
"While you may operate in a face-to-face environment, fraudsters may be trying to target face-to-face transactions because of the magnetic-stripe data," Martin said. "The merchant should not be storing data; however, where vulnerability comes into play is where some POS systems are inadvertently storing data after the authorization period. And merchants may have a cache of data they didn't know they had."

TOP Three POS vulnerabilities

Remote access security: Accessing the POS from a home office or other outside source.

Host security: Consolidating and retaining important cardholder data.

Network security: The monitoring of POS network activity.

Case in point: Denver-based Chipotle Mexican Grill. Before August 2004, Chipotle had a possible breach of customer-card data. The theft led to 2,000 cases of fraudulent charges, totaling $1.4 million.
Although company executives could never determine that the thefts occurred, they did determined its POS had been retaining track data, despite their thinking otherwise. Chipotle was subsequently fined nearly $1.3 million by Visa and MasterCard.
Michel Cote, Posera's vice president, said cardholder data such as the credit card number and expiration date should not be kept by a restaurant's POS system. He also said changes to POS software mandated by credit card companies did not come as a surprise.
"Information security is something that is very important for us and our customers. So, (the regulations) did not require many changes for our software to be compliant," he said.
Posera's software compliance, and the software applications of other validated suppliers, is tracked yearly by Visa, which means even if compliant software hasn't been changed a letter must be sent stating that fact.
"It's difficult for us to know if every restaurant has a validated network, but we do send information to distributors to ensure they are compliant," said Cote.
In addition to host and remote-access security, having a secure network is the third POS vulnerability.
Visa says adequate POS security controls should be implemented to ensure the network is properly configured and a basic level of activity logging must be maintained.
According to their risk mitigation strategy, restaurant environments that process or transmit data must do so in accordance to the PCI data security standard. But while some pizzeria and other restaurant merchants have not had any security breaches, the threat is always out there.
"Credit cards are a pain, but they are a necessity," said Mark Stone, co-founder of Milwaukee-based Pizza Shuttle. "I've never had any trouble at all. And that's amazing with all of the numbers flying around. It doesn't mean that will never happen, but if you take precautions that will be hard."
** Click here to learn more about PCI compliance and POS system best practices.

Topics: Financial Management , Independent Operation , Operations Management

Sponsored Links:

Related Content

Latest Content

comments powered by Disqus