Breach! Every month it seems there is a new POS data breach reported.
What is most disturbing to me about the recent trend of data breaches is that it has such a common occurrence that it seems a part of everyday life. Even I, myself, have had my American Express Card reissued five times in the last year.
As a consumer annoyed with frequent card re-issuance, I asked American Express to create me a second card account to use for my auto payments and recurring charges so that when my “shopping/business” Amex is reissued yet again it is a bit less disruptive.
So what can you do as a merchant to make my life as a consumer easier, while also protecting your business from a credit card data breach? Well I am glad you asked, as this is the topic of our next article in the series.
One of the mistakes I am afraid restaurants, and especially smaller restaurants, will make is viewing data breaches as inevitable or unavoidable, and thus not take proper actions to mitigate the risks.
But as a career POS expert, I can tell you that there are steps you can take to secure your systems against potential data breaches and the resulting associated pain with customers’ credit cards being exposed. While I can’t guarantee that if you follow these steps you will never have to deal with a breach, you can make it much harder for hackers to obtain your customers’ data and thus protect your business and your customers’ personal finances.
1. Secure your card processing network.
We live in a world where most people have a decent understanding of consumer electronics. This can be both a blessing and a curse. It means that we have the opportunity to save money by provisioning, managing, and supporting our own IT infrastructure.
But should you?
Several of your customers have said they want free Wifi while visiting your restaurant. You figured out how to setup that Apple router at your house, so why not do the same for your business?
The mistake here is that hackers and would-be credit card data thieves have a better understanding of these consumer-grade systems than you. And they prey on their vulnerabilities, or the small nuisances resultant from the “easy setup process.” Adding any connectivity to the same network in which you process credit cards, be it Internet access, Wifi, desktop workstation, security system, or any device requires some serious thought.
For most people I would recommend outsourcing the risk altogether. And here’s why.
The risk to your business is far too great for the small amount of money to be saved. There are many businesses that provide managed network services at a low monthly cost, including hardware and provide all types of nice services for in return such as intrusion detection, segmented Wifi access, firewall management, and support services for when things go wrong. VendorSafe, Aruba Networks, and Lightpath are just three of many.
At the end of the day, if you have any devices attached to the same network you are using to process credit cards you are a taking a huge risk if those devices are not properly installed, configured and managed.
2. Assess your environment.
You might not even know it, but as a merchant processing credit cards you are required to do what is called a Self Assessment Questionnaire (SAQ). Unfortunately, the PCI Council who issues the standards and questionnaires did not make them easy for the average person to understand, and the banks have done an even worse job communicating this to merchants.
I am a strong believer that every merchant should try to fill out the questionnaire and meet their obligations as a merchant and even more importantly that critical step to protect their customers’ card data. You can go about this in several ways:
- Reach out to your bank, POS provider, or merchant card processing hardware provider to see if they have a self-assessment tool or service you can use as part of their product offering. For example, customers who purchase VeriFone equipment from VeriFone or a VeriFone Reseller can inquire about Verifone’s Self-Assessment Tool (Scan and SAQ Tool) and the same goes for VendorSafe customers. These tools are often much friendly to use than the PCI Councils materials and will save you from much unneeded.
- Go to the PCI Council’s Website and download the self-assessment tool to determine your compliance. This is probably my least-advised course of action but might work for some.
- Hire a third-party or QSA to help you navigate the self-assessment process. This is a more expensive option and is probably reserved for the larger operators but is the best course of action for the medium to large business. Coalfire and SecurityMetrics are two among many who do this.
3. Don’t forget your employees.
I can’t tell you how many times in my career I have seen employees end up as the weakest link in the credit card processing chain.
Consider how you will talk about card security and data breaches with your employees, what practices you will but in place to monitor employee compliance with card security best practices, and what you will do in the even that an employee violates those policies.
Remember that when an employee handles credit cards it’s like they are handling large sums of cash. The theft controls you put in place need to take into account credit card data. I have seen some very clever employee-devised methods of credit card theft:
- An employee stealing customer card data at a deli by pretending to drop a payment card on the floor, and then as they picked up the card they would press the card into a block of cheese and then later write down the card numbers.
- Employees attaching skimmers to their ankles. In one business I worked I came into work one day to have the Secret Service waiting at my desk to discuss some of the servers who where using credit card data skimmers like this — TO SELL TO THE RUSSIAN MOB. Ten of the location’s 12 servers were doing this.
- A manager at a QSR chain using the fancy new HD video security system afterhours to replay the day’s activities and liberate card data from video that had been zoomed and played one frame at a time.
I did not make those stories up.
By far the best and easier thing you can do to prevent employee mismanagement of card data in your business is to implement a customer swipe-based card processing model.
Speak with your credit card and POS company and see what it takes to implement a customer-facing, card-processing device as you would see at any large retail establishment and discourage any activity that results in employees handling or managing card data. In Canada, no matter the restaurant concept, the credit card never leaves the customer’s presence. You could do the same in the States.
4. Make the move to EMV.
EMV chip technology is becoming the global standard for credit card and debit card payments. Named after its original developers (Europay, MasterCard and Visa), this smart chip technology features payment instruments (cards, mobile phones, etc.) with embedded microprocessor chips that store and protect cardholder data.
The EMV standard has many names worldwide and may also be referred to as “chip and PIN” or “chip and signature.” This new technology is already available to merchants in the North America and merchants can already start migrating prior to the liability shift, which I will discuss in a moment.
Preventing the growth of fraudulent activity is one of the main reasons the industry is moving toward EMV technology. Chip cards make it difficult for fraud organizations to target cardholders and businesses alike. As a result, more and more chip cards are being introduced by U.S. financial institutions in order to support and switch over to this technology.
Talk to your bank and/or POS provider about the details required for you to make the transition.
Another Visa and MasterCard ruling is the liability shift. Once this goes into effect, merchants who have not made the investment in chip-enabled technology may be held financially liable for card-present fraud that could have been prevented with the use of a chip-enabled POS system.
This “liability shift” is expected to impact the hospitality space significantly as fraud vectors move away from retail and see hospitality as the new low hanging fruit.
5. Insure yourself.
Also known as Cyber Liability Insurance, this provides coverage after the theft or loss of both first-party and third-party data. This means that whether the data breach happens directly to your company or to a company whose data you are working with, you’re covered.
Speak with your insurance agent and weigh the cost of breach insurance against the risk and potential benefit. While breach insurance does nothing to prevent a breach, as you have probably figured out, a breach could potentially happen even with your best preventative efforts. Breach insurance allows you to proactively protect your business now in the event that this unfortunate risk were to actualize.
And in a timely news update, Heartland Payment Systems, who recently bought out Xpient POS, just announced breach warranty as part of its Heartland Secure platform. That won’t cover you against any lawsuits, but it will reimburse you for bank fees, penalties, or fines incurred as a result of a breach.
While I can’t promise that following these five points will guarantee you’ll avoid a breach, I can say that you are far less likely to be the easy target for a credit card breach. I wish you the best of luck in securing your environment and commend you for taking the first step in protecting your business and your customers financial data.
(Breach photo courtesy of Dale LaFollette.)