Stolen credit cards. Data security breaches. Identity theft and fraud. When customers come to your restaurant or place a phone or Web order, these issues are probably not even on their radar, but they should be on yours. If you’re not careful, your customers, employees, even your business could be at risk of experiencing a ruinous data theft.
Restaurants’ unique characteristics make them particularly vulnerable, says Jon McDowall, president/CEO of the Fraud Resource Group, an international consulting and expert witness firm headquartered in Bettendorf, Iowa. The workforce is generally young and transient, he says. The workload and pace are demanding and the compensation isn’t always commensurate. Orders are coming in over the phone or Web, with payments made remotely (even when dining in, credit cards typically leave the customer’s sight, sometimes for relatively extended periods).
Also, “the consistent segregation of employees’ duties and managerial oversight found in many other businesses may not be feasible,” McDowall adds. “Let’s face it; many pizza establishments have the potential to be a risk-manager’s nightmare.”
Lest you think that there’s nothing you hold of interest to ID thieves, think again, advises Joseph Steinberg, cyber security expert and CEO of Green Armor Solutions, a Hackensack, New Jersey-based provider of information security software. Along with the aforementioned credit card data, there’s sensitive employee information, such as social security numbers and payroll information, he reminds operators. Don’t forget things related to running the business: not just processes, but recipes, e-mails from corporate and so on.
“Then there are those customer loyalty programs that collect information like addresses, birthdates and e-mail addresses,” Steinberg adds. “All this information can be used by a criminal for nefarious purposes.”
Data theft and breaches happen in numerous ways. For restaurants, skimming, the theft of credit card information used in an otherwise legitimate transaction, is a particular concern, says identity-theft prevention expert Johnny May, owner of Security Resources Unlimited in Bloomfield Hills, Michigan. “It’s huge,” he says. “The restaurant is the one place where you lose sight of your card.”
Skimming can involve an employee writing down a customer’s credit card information, or photocopying the card, or using an electronic device (“skimmer”) to steal the data and make a clone card, says May.
“A large percent of data theft is committed by dishonest insiders,” May says. “Companies are often focused on outside attacks but really, the biggest percent comes from inside.”
Dumpster diving is another way data theft happens, says McDowall, which is why, under federal law, every U.S. employer, regardless of the size of the business, must destroy sensitive data before tossing it. This includes credit card information, customer names, addresses and so on, he explains.
“The most common means is shredding and employers need to have functional shredders in convenient locations so they’re used every time,” McDowall says.
Credit card processors can pose a risk if they don’t handle information correctly, says Steinberg, mentioning that a recent breach involving a Texas eatery may have occurred at a third-party processor. He advises restaurants to verify that their processors follow PCI Standards (Payment Card Industry Data Security Standards) and to follow those standards themselves.
Then there are data breaches caused by keyloggers, worms, Trojans and other malicious code, says McDowall. “Links, photos, attachments, website content and many other common online items can be seeded with malicious code, allowing the code’s handlers to steal sensitive identifying data, banking and credit card data, and to convert this into profit.”
The fixes aren’t necessarily complicated. In addition to implementing layered computer security (for example, installing software that protects against malware, viruses and spyware, offers intrusion detection, and so on), Steinberg advises encrypting all sensitive data, which he says is easy to do and inexpensive.
He also suggests that digitally connected, multiple-location operations take precautions to ensure a breach at one site won’t lead to breaches at the others (this may require IT assistance). Also, employees logging into the restaurant’s computer system should have their own personal identification and should only be able to log onto those things that concern them, Steinberg says. For example, a chef should not have access to credit card information or to employee personal data.
“This will help protect against breaches and thefts caused by disgruntled employees and will also limit damage in the case of a leak,” he explains.
McDowall suggests having separate computers for order taking that don’t allow for surfing or e-mailing. He also advises that restaurants establish written policies — and train on them — for how credit card information is handled, including compliant disposal of that information.
Offering free wi-fi, which is increasingly common, exposes you to a “whole new level of risk,” says Steinberg, mentioning that it should never be provided on the same network the restaurant itself operates on.
“One of the easiest ways for a criminal to figure out if they can attack the restaurant is to go in and use the wi-fi to nose around,” he says, adding that it’s not difficult to set up a separate network.
The best protection is awareness, says McDowall. “The most important step involves acknowledging that a number of risks exist and ownership and management committing to being as secure as possible,” he says.
One of your first lines of defense when it comes to warding off internal theft is the background check, says Johnny May of Security Resources Unlimited. He reminds operators that employees typically pose the biggest threat to data security. He also suggests restaurants:
Consider video monitoring, especially over registers and where orders are taken. Monitors can prove effective deterrents.
Store employee data in locked cabinets and limit access.
Think about using wireless credit card technology that allows customers to pay at the table. “It’s a simple fix but many restaurants don’t use it,” says May.
Keep audit trails to document and determine who has accessed what and when. There are software programs that will allow you to keep audit trails.
Jon McDowall, president/CEO of the Fraud Resource Group, recommends exercising caution when considering new technologies. “Make sure you’ve explored and adequately understand the security implications. You may want to delay rollout to see how others fare.”
Pamela Mills-Senn is a freelancer specializing in writing on topics of interest to all manner of businesses. She is based in Long Beach, California.