February 27, 2013

2009 May: Protecting Plastic

By Daniel P. Smith

When Mario DiBiase opened Brooklyn, New York’s Aperitivo Cafe in April 2008, he placed a high priority on customer convenience and security.

Those aims led DiBiase to become a testing site for VeriFone’s pay-at-the-table wireless system, which allows DiBiase’s wait staff to run a customer’s credit or debit card transaction directly at the table.

“Wireless gives the customer peace of mind,” DiBiase says. “They’re not seeing their card disappear into a back room. They can take comfort in the transaction happening right in front of them.”

Increasingly, media outlets report stories of stolen credit card numbers and identity theft. Unfortunately, restaurants big and small have been unable to avoid such misdeeds, highlighting the issue for both consumers and operators.

Restaurants “are popular (targets) because the cards are in and out — you eat here one day and don’t come back for several months. Also, restaurants don’t normally do background checks on wait staff,” says Jay Foley, executive director of the San Diego-based Identity Theft Resource Center.

Credit card fraud, the most common form of identity theft, is a precarious reality for the restaurant industry, where plastic payment accounts for nearly half of the nation’s dining excursions and the liability for any security breach falls on an operator’s shoulders.

National chains such as California Pizza Kitchen, El Pollo Loco, and Boston Market have all faced recent well-publicized security breaches while local spots have gotten burned as well. One Sacramento eatery incurred a $90,000 fine from a credit card issuer when hackers accessed consumer data.

Despite the risk, few operators wish to eliminate credit card payment. In addition to the convenience credit cards offer customers, tickets often rise when customers use credit instead of cash or check. One Visa study of 100,000 quick-service restaurants found customers spending an average of 30 percent more when they paid with plastic.

Indeed, even with safeguards, there remains unquestionable risk. Most commonly, employees can copy, or “skim,” a customer’s card by stealing the magnetic coding, or add a tip without patron consent. “Raiding the trash” for credit card receipts and paperwork can also be a potential goldmine for thieves. Online intruders can infiltrate POS systems and seize consumer data as well.

“If customers find out that they cannot pay with their credit card in a secure way at your establishment, then it will have an impact on your base income as well as your base reputation,” Foley says.

Aware of the identity theft issue, credit card companies have forged relationships with merchants to address inside as well as outside violations. American Express, for instance, works closely with its merchant partners to reduce fraud on various fronts, explains American Express spokeswoman Sarah Meron.

The New York-based charge card issuer works to educate merchants about monitoring systems capable of preventing the authorization of fraudulent charges, fraud prevention seminars, and one-on-one meetings with merchants to provide fraud prevention recommendations. Other carriers, including Visa, MasterCard, and Discover, claim similar programs to limit fraudulent activity and a merchant’s liability.

In late 2006, the five major credit card companies took a bold, collaborative step in forming the PCI Security Standards Council, a laser-focused organization to protect credit card data. Today, when a merchant reaches full compliance with the PCI’s Data Security Standards (PCI DSS), a 12-step security program, it meets the requirements of all payment brands and minimizes its risk of a security breach.

Recognizing that the Council’s 12-step program can be overwhelming for a merchant, particularly a modest operation, and looking to identify a way in which businesses could report progress rather than noncompliance, the Council unveiled its Prioritized Approach in early 2009.

A step-by-step guide for merchants, the Prioritized Approach identifies six security milestones and puts operators on the path to addressing their most critical security needs first.

1. If you don’t need it, don’t store it: remove sensitive data and limit data retention, a primary area of risk for businesses.
2. Secure the perimeter: protect the perimeter, internal, and wireless networks, which represent the point of access for most compromises. Operators should install and maintain a firewall separating the POS system from the Internet and WiFi.
3. Secure applications: secure application processes and servers, particularly since application weaknesses are a key access point used to compromise systems and obtain access to cardholder data. Routine antivirus upgrades will help.
4. Control access to your systems: protect the cardholder data environment through monitoring and access control. In short, know who is accessing your network. Operators should disable remote access capabilities and change their system passwords from default settings.
5. Protect stored cardholder data: deploy controls for protecting stored cardholder data, particularly if your business has determined it essential to store an individual’s information.
6. Finalize remaining compliance efforts: complete PCI DSS requirements and ensure all controls are in place, including the policies, procedures, and processes needed to further protect cardholder data.

From the major chains to the mom-and-pop operations, PCI SSC Chairman Lib de Veyra emphasizes awareness. “Everybody has to be vigilant because it’s your reputation on the line, and there could be financial implications as well,” he says.

Wireless devices offer convenience, efficiency, and consumer peace of mind

While European waiters have used wireless credit card terminals for years, the U.S. market has been slow to adopt the technology.

While the wireless units run approximately $500, integrating the units into a restaurant’s existing POS system brings additional costs.

A few compelling reasons continue pushing the wireless issue to the forefront of operators’ minds.
• Processing the credit card in the customer’s view significantly decreases the possibility of skimming and the merchant’s subsequent liability.
• Tables often turn quicker as staff members run transactions at tableside and eliminate frequent trips to a workstation.
• PIN-based transactions cost the operator less than credit payments.
• Customers often appreciate the convenience. DiBiase, in fact, credits the seamless nature of wireless payment with attracting repeat business to Aperitivo Cafe.

Chicago-based writer Daniel P. Smith has covered business issues and best practices for a variety of trade publications, newspapers, and magazines.