If protecting your customer’s credit card info from hackers isn’t as big a deal for you as protecting them from food-borne illness, you could be in for a rude awakening when the Secret Service knocks on your door. Or when you’re hit with six-figure fines from a credit-card company or bank. Those blows to the bottom line would be in addition to the 16 percent of clientele that experts say a retail business typically loses after a data theft.
“Stealing credit cards is big business,” Brad Cyprus of VendorSafe Technologies told the audience at the FSTEC foodservice technology conference in September. “This is no longer some college students hacking into your computers. This is organized crime.”
Cyprus’ company sells data-security devices to restaurants, so he has a business reason to sound the alarm. But there is ample evidence to back up his concern: 81,000 customers had data stolen from Dave & Buster’s recently. More than $10,000 in purchases were made from credit card information stolen from a Seattle independent last spring. A Tilted Kilt in Texas was hit around the same time.
FSTEC showed a video about a two-unit operation called Spanky’s, which had to close because fines and fees were running into the hundreds of thousands. The proprietor explained that she’d assumed the restaurants were safe from a security breach because they’d just been outfitted with new POS and computer equipment. She didn’t know she’d been hacked until the affected parties started demanding make-good payments.
As Cyprus and others explained, data crooks spend millions of dollars today on programs and technology to swipe passwords. Then they slip inside a restaurant company’s protected computer files and patiently harvest credit card information over a period of weeks or months.
Once the intruders find a way into the technology of a certain chain, they’ll proceed franchisee by franchisee or restaurant by restaurant, quietly robbing data until the alarm is sounded.
Other times, restaurants help the thieves by failing to reset the password that allows employees to enter a new system. Seventy-five percent of the restaurants whose data was stolen were still using the default passwords left by their vendor, according to the Secret Service, which has jurisdiction over card data theft.
Once they crack the code, the hackers surf the vendor’s website for mentions of other restaurants serviced by the company, recounted Dave Matthews, CIO for the National Restaurant Association. Then they see if those places failed to reset their password, too.
If a restaurant is hacked, the operator, not the credit card company or the bank that issued the card, is in the cross hairs. Despite the lobbying efforts of the NRA and its allies on the matter, the laws and regulations specify that “all of the costs can be transferred down to you as the merchant,” said Matthews.
Matthews shared a list the NRA has developed to help restaurateurs safeguard customer data.
“Unless you have a support staff or unless you have a trusted advisor, don’t try to do this yourself,” he advised. “You just won’t get it.”
The precautions that he urged restaurants to make part of their standard procedures:
- Install and maintain a firewall configuration to protect cardholder data. “You need to get this done,” Matthews stressed.
- Do not use vendor-supplied passwords. Reset them immediately.
- Protect cardholder data by not storing it. “Get rid of it—you don’t need it anymore,” said Matthews. If an operation needs to retain it for some reason, encrypt it.
- Encrypt transmission of cardholder data across open, public networks. “I don’t expect any of you restaurateurs to know what that means,” but a technology specialist would understand, Matthews said.
- Maintain a vulnerability management program. Use and regularly update anti-virus software. In addition, develop and maintain or purchase secure systems and applications, and make sure they’re updated.
- Implement strong access control measures by restricting access to cardholder data. “That’s a fancy way of saying, ‘Make sure everyone has a unique password,’” explained Matthews.
- Regularly monitor and test networks and security systems with external scans.
- Maintain some form of an Information Security Policy, a HACCP for technology.
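One concrete check behind the “not storing it” item is a scan of POS logs and exports for full card numbers that should have been truncated. The following is an added example, not code from the article or the NRA; the log lines are constructed, and the scanner combines a 13-to-19-digit length rule with the Luhn checksum so that ticket and order numbers are not flagged.

```python
import re

# Constructed sample lines (not from the article): the kind of text that ends up in
# POS logs or receipt exports when a system keeps more than it should.
SAMPLE_LINES = [
    "2008-10-02 18:41:03 sale ticket=4411 pan=4111111111111111 amount=42.17",
    "2008-10-02 18:42:19 refund ticket=4412 card 5500 0000 0000 0004 amount=-9.00",
    "2008-10-02 18:43:55 void ticket=4413 order#=1234567890123 amount=0.00",
]

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn checksum: every second digit from the right is doubled, digit sums must end in 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _as_pan(match_text):
    """Return the bare digit string if the match looks like a card number, else None."""
    digits = re.sub(r"[ -]", "", match_text)
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return None


def find_pans(text):
    """Card numbers found in one line of text, as bare digit strings."""
    return [p for p in (_as_pan(m.group(0)) for m in CANDIDATE.finditer(text)) if p]


def mask_pans(text):
    """Truncate each detected card number so only the last four digits remain."""
    def repl(m):
        pan = _as_pan(m.group(0))
        return "*" * (len(pan) - 4) + pan[-4:] if pan else m.group(0)
    return CANDIDATE.sub(repl, text)


def audit(lines):
    """Number of lines that still contain a full card number; the target is zero."""
    return sum(1 for line in lines if find_pans(line))
```

Run `audit` over exported logs and receipt files as part of the regular external-scan cycle, and treat any non-zero count as stored cardholder data that must be removed or encrypted.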
“View this as [you view] food safety,” advised Matthews. “It’s risk management and risk mitigation for your business.”