A Wall Street Journal article, Hackers Shift Attacks to Small Firms, has many more people paying attention to security issues, and for those of us in the security industry, we welcome the shift in attitude. As a security provider, we constantly have to answer the question, "Why should someone as small as me take security seriously?" Before this article, we had to site our own experiences with helping small merchants who came to us after they had been breached. Due to our confidentiality agreements, and the interest of our customers, we rarely have been able to discuss details with other small merchants who were vulnerable. This article is a welcome sight to those of us in the trenches who are trying to spread the word that computer hackers are real and that they love small businesses. On the whole, few businesses are more vulnerable than small QSR and fast casual restaurants for the following reasons:
There is rarely an IT budget for security.
It would be unusual to have someone on staff who fully understands credit card security.
There is a huge amount of turn over in the industry. Think about how easily a hacker could get hired as a dishwasher, plant malicious software on a system that steals credit cards and leave. No one would notice another short term employee.
And QSR and fast casual restaurants go through a large volume of credit cards in a day. Unlike many other retail environments where there are a few high-dollar sales per day, a successful restaurant sees hundreds of people who pay with credit cards.
To speed up the check-out process and manage the store efficiently, most successful restaurants have adopted an integrated POS system that is really a computer network running a specialized software package that frequently stores credit cards and processes them over the Internet at the end of the night.
When you put all of this together, you could not ask for a better target if you were a hacker looking to steal credit cards. Theft is a business to cyber crooks. They want the most return for the least amount of effort, so the educated merchant does what is necessary to make his location less attractive to on-line thieves.
One source that merchants can used as a guide is the Payment Card Industry Data Security Standard (PCI), which is the minimum security the credit card brands expect from a merchant who accepts credit cards. The current standard can be found at The PCI Security Standards Council's web site. In PCI, a merchant can find several security measures designed to deter hackers from attempting to steal their credit card data. Even if a mom-and-pop restaurant cannot meet all PCI standards, it would be better to implement the security measures that are practical today, than to ignore the problem altogether. While it is important for every business to become fully PCI complaint, the first goal for any security plan it to make your business difficult to break into, so a thief will move down the road and hit an easier target.
Slowly but surely, more businesses are getting the message – Acting now is better than being a victim in the future.
Bradley K. Cyprus has more than 20 years experience in the security industry. He manages the development of in-house solutions to validate compliance, and he is a resource that Vendor Safe customers can rely upon to help interpret the PCI standard.