Don’t overlook data protection responsibility
Hundreds of credit cards and debit cards are swiped daily in your restaurant. Add online orders and gift card purchases to that total, and the chances for identity theft, fraud and security breaches are exponential.
Freaked out yet? Ready to toss the credit card payment processor, shut down the Wi-Fi, and run a cash-only establishment? If only you could…
Your customers expect the convenience of paying with credit cards, whether by swipe or chip, and they expect that when they trust you with their payment, they can trust you with their data security and identity.
And protection starts with your system.
“Lots of places are using machines that are 10 years old, and most major breaches happen on outdated machines,” says Donald Bush, VP of marketing at Kount. “Make sure the hardware you’re using is the latest with the latest, up-to-date software.”
Bush says that, with a computer, you are able to add malware and virus protection, but there isn’t a lot of power on a payment processor.
“When considering an update to the payment processor, ask, ‘Can it run the latest software?’ Talk to your payment processor provider annually, at least, and ask, ‘Are there any software upgrades? Hardware upgrades? What are your fraud protections and policies?’” Bush advises.
In addition, says Bush, pizzeria owners should ask their payment processing company if they are PCI DSS (Payment Card Industry Data Security Standard) Level I compliant, which is the minimum data security protection level. And for owners who use online and mobile ordering options, Bush stresses that operators should confirm that their system is capable of handling those payments and has fraud checks in place.
For owners who use only card machines, Charles Lee Mudd, Jr., data security lawyer at Mudd Law in Chicago, advises them to confirm with their provider that the machines do not store any information (and if information is stored, that it has an imposed time limit).
For owners who utilize a computer for payment processing, Mudd recommends that the software only store the last four digits of the card.
“The vendor should attempt to avoid being in a position to ‘use the card on file,’” says Mudd.
Tom Evans, engineer emeritus at Ashton Technology Solutions, advises that store networks should be secured with a high-quality, properly configured firewall, and that any ATM on the premises should be inspected daily to ensure no one has tampered with it by adding a skimmer or altering the network connection with additional hardware.
“The store business network needs to be kept properly secured and completely separate from any service offered to customers,” Evans says. “Allowing customers to access the network that has the business data on it is just asking someone to steal it.”
Robert Siciliano, identity theft expert and CEO of IDTheftSecurity.com, advises operators to back up their data.
“Why? Because when all else fails, and your data and devices have been destroyed by malware, a cloud backup allows you to not only recover all your data, but it helps you sleep at night,” says Siciliano.
Clinton Henry, a leading cyber security and identity theft expert, explains in his article titled “9 Surefire Ways to Lockdown Your Cyber Security” that making sure your data is backed up and stored separately from your main repository can help protect against “ransomware” attacks.
Henry explains that during a ransomware attack, “instead of ‘stealing’ data from your organization, these attackers find your critical data and then encrypt it (digitally locking you out of it), making it so only the person with the digital ‘key’ can unlock and access that data.”
To keep data secure, don’t underestimate the access and actions of your employees.
“Do a bond and background check on folks handling payments,” says Bush. “This may reveal problems, yes, but it will put employees on notice. It will make them second-guess doing something wrong.”
Evans recommends training employees often on the importance of keeping data like customer details and proprietary company information secure.
“Pizza stores may have high turnover, so this needs to be done frequently to assure everyone understands the importance,” says Evans. “Some thought needs to be given to the use of personal devices in the store by employees as well. Today’s devices are capable of storing a lot of data and performing other functions — credit card swipe with Square device — that can compromise the security of the store and the customers.”
Even though they spend most of their time outside the restaurant, the delivery staff is also key to data security and fraud prevention.
Bush advises that the delivery person ask to see the customer’s credit card to verify that the information on the receipt (typically the last four digits) matches the card presented at time of delivery.
Bush also recommends operators do reconciliations, daily or monthly, in order to identify any fraudulent credit card payments before restaurants are hit with costly chargebacks.
Identity theft is a constant threat and data security is an ongoing battle for operators. But installing the right hardware with the most up-to-date software from a trustworthy and compliant provider, keeping your business network separate and protected, training staff on the importance of smart cyber practices and paying close attention to all transactions are steps that operators can and should take to protect their customers and business data.
DeAnn Owens is a freelance journalist living in Dayton, Ohio. She specializes in features and human-interest stories.