Credit card security for know-nothings

Accepting only cash would be the easiest way to protect your computer, POS and credit card systems from security breaches, but that’s not the best business decision for most operations. Regardless of the size of your business, credit card data security cannot be ignored. Any violation of your system will directly affect your business—financially, legally, and most important, your reputation among customers and within your community. But where do you begin if your technological expertise ends at sending email?  John South, chief security officer of Heartland Payment Systems, sat down with us for a session that could have been called Credit Card Security 101. He didn’t even make us wear a dunce cap.

Step 1:  Understand what is required
First and foremost, begin by understanding what is required under the Payment Card Industry Standards, even before you purchase hardware or software. Visit the merchants’ section of the official PCI Security Standards Council website for a complete guide to becoming PCI compliant, and for a list of hardware models that are PCI compliant. Costs to comply differ from operation to operation and are specific to the acquiring processor, advises South, but the value is immeasurable in light of what the implications are if you are not compliant.

Then, understand what is required by your partner credit card brands, payment processors and acquiring banks to protect credit card information. Brands, such as Visa and MasterCard, as well as your acquiring banks, outline ways to protect your system and also offer tips for what to do and who to call if your system is compromised.

Step 2:  Know your network
Understand your data system environment and where your risks lie. Learn how your network is set up, how data flows through the system, how information is stored and how often software should be updated. This is particularly important if you are a franchisee and utilize the same system that other operators in the system use. If one store’s network is compromised, it is only a matter of time before the bad guys try to use the same tricks on you.

Here are a few things to pay attention to:

  • Firewalls:  The hardware or software that filters and controls traffic in and out of your network. Firewall software should be regularly updated for maximum effectiveness.
  • Anti-virus software: The software installed on your system that should prevent, detect and remove malware such as viruses, adware and spyware. Most major anti-virus software companies sell combination packages with both browsing and virus security for the most comprehensive protection.
  • Passwords:  Be sure to use passwords that are unpredictable with a mix of upper and lower case letters, numbers and special characters and only share passwords if necessary. Change your passwords at least every 45 days – 90 days maximum – and keep the number of people who have access to your system to a minimum.
  • System patches:  Patches, or software updates, add functionality or correct defects and should be executed at least two times per month. Most systems are automated and will indicate when an update is available.
  • Your employees:  Your employees are a key part of your system. It is imperative for your reputation that your employees are handling credit card transactions in a manner that is safe both for the customer, and for your business. Be sure that your employees know that you are aware of data violation techniques and are paying close attention to your system. Arrange for a representative from the electronic crimes task force of your local or state police department or the U.S. Secret Service office to train your management staff on what to look for and what to do if an incident occurs.

Step 3:  Learn what to look for
Understand how data thieves are compromising systems of merchants like you. Entry into your system can be gained in a variety of ways, such as phishing, email spam, malware and spyware installation and skimming. “Many violations seen today are account takeovers where unauthorized users put malware on the system which obtains usernames and passwords as they are entered by the owner,” says South. “The unauthorized user has control over your system after that.”

What you and your employees do on your system outside of credit card transactions – checking email, downloading attachments, surfing the internet – can directly impact your business and open up your system to unauthorized users. When you get emails from unrecognized addresses or surf the web, be mindful of what you open and the sites that you visit. If something doesn’t look right, it probably isn’t.

Step 4:  Be prepared
Have a clear plan for what happens if your system is compromised and share it with your management team. Keep all necessary contact information close at hand, including your local, state and federal electronic crimes units. “As you work towards PCI compliance, the PCI Security Standards Council will assign your business a qualified security consultant to be a point of contact both for compliance efforts and in the event that your system is compromised,” explains South. Your payment processing partner and acquiring banks will also be points of contact. Reach out to all contacts and understand what information each requires if an issue arises. Hackers work fast, and in a matter of hours your system, along with your customers’ credit lines, can easily be destroyed.

What to do if your system is compromised
If you suspect that your system has been compromised, or worse, have confirmation of it, stop taking credit cards immediately and put that plan you prepared into action. Contact your local authorities as soon as possible—the sooner you’re able to identify a system invasion, the better it will be for your customers, your business and your reputation.

The future of credit card security
The magnetic stripe card format is in the process of migrating to a new EMV chip card format, known as smart cards. EMV chip cards contain embedded microprocessors that provide strong transaction security features and other application capabilities not possible with traditional magnetic strip cards, such as enhanced verification methods and secure online payment transactions. Over the past three years, most major credit card brands have announced their plans for moving to EMV-based payment infrastructure in the United States. In fact, with this technology in place in more than 80 countries worldwide, the United States is one of the last countries to implement EMV cards. “One of the advantages for all restaurants is that when 75% of their traffic goes across EMV POS terminals, the restaurant will not have to validate against PCI Standards,” claims South. For more information, visit and

Like other parts of your business, your computer, POS and credit card systems require constant monitoring and attention. But regardless of your current knowledge base, with a bit of education and the proper contacts in hand, you’ll be able to rest easy knowing that your business, and your customers, are protected from data security breaches.

Members help make our journalism possible. Become a Restaurant Business member today and unlock exclusive benefits, including unlimited access to all of our content. Sign up here.


Exclusive Content


Panera apparently wants to go it alone again

The Bottom Line: The bakery/café chain is reportedly planning to sell Caribou and Einstein Bros. restaurant concepts three years after forming Panera Brands.


Tender Greens and Tocaya: Good businesses with bad balance sheets

The two fast-casual brands are seeking a buyer out of bankruptcy, either together or separately. Parent One Table CEO Harald Herrmann says both are moving in the right direction.


Pricing has driven restaurant sales growth for the past 2 years

The Bottom Line: Restaurant sales have grown for most of the past two years. But they haven't kept pace with menu price inflation, suggesting the industry is saturated again.


More from our partners