February 24, 2014

Data Security: Hacked

By Daniel P. Smith

[Image: Credit card with customer receipt, November 2012]

Amid Chicago’s pizza-loving populace, Lou Malnati’s Pizzeria stands tall. A frequent stop for Windy City inhabitants as well as visitors seeking Chicago’s famed deep-dish pizza, Malnati’s runs 34 stores across the Chicago area, most offering a mix of dine-in, carryout and delivery.

With such volume, Malnati’s touches thousands of pieces of consumer data each day, particularly credit card info, and safeguarding that data remains a top priority for Malnati’s brass.

“We know the restaurant industry is ripe for data theft and the ramifications of a breach can be enormous,” says Jordan von Kluck, Lou Malnati’s IT director for the last eight years. Data breaches remain an ever-increasing, ever-evolving issue for restaurants of all types. According to Trustwave’s 2012 Global Security Report, the food and beverage industry made up 44 percent of data breach investigations in 2011, the highest percentage of all industries.

While a potential breach can damage both brand reputation and consumer confidence, those penalties take a backseat to the potentially crippling financial consequences. “The credit card companies can make your life miserable if you get hacked,” says Avivah Litan, a fraud expert and analyst with Connecticut-based Gartner. “There are fines for noncompliance, the breach, charge-back fraud, and the credit card companies may even increase your interchange fees.”

John Pearson, director of data security and compliance for NCR Corporation’s hospitality division, says restaurants are frequent data theft targets for two reasons: Americans love to eat and love to pay with credit. “Combined with a low cost of entry and quick turnaround time to hard cash, the credit card fraud business has criminals constantly seeking a supply source of credit card data,” Pearson says.

While most pizzeria operators focus on serving high-quality pies alongside outstanding customer service, few possess the tech-savvy skills to ward off cybercrime. “Criminal hackers know this and target their tools to find restaurants with weak or no security measures in place,” Pearson says.

And the national names can be just as vulnerable as the independents. Trustwave’s report found that more than one-third of 2011 investigations occurred in a franchise business. To address the increasing array of data breaches, the credit card processing industry hosts a set of 12 requirements called the Payment Card Industry Data Security Standards (PCI DSS). Meeting PCI DSS is required for all who accept and process credit cards.

Assuming a restaurateur is using a validated PCI Payment Application (PA)-DSS POS solution, data theft most often happens in one of three ways.

First, hackers snag data at the point of authorization, oftentimes without ever visiting the restaurant. Because all POS solutions must hold card data in memory just prior to sending an authorization to the processor, savvy criminal hackers who gain administrative rights to the system, frequently through the Internet connection, can access the POS system’s contents.

Hackers “look for weaknesses in remote access software, the operating system, (or) the lack of a properly configured firewall,” Pearson says.

Criminals might also install a device that steals cardholder data upon the swipe, called “skimming.” In some cases, the device might be a rogue look-alike; in others, the inspection seal might be broken or there may be an additional connector cable.

“Time and time again, these simple security basics are overlooked, which leads to compromise,” PCI Security Standards Council general manager Bob Russo says.

Finally, there’s the risk of old-fashioned data theft by dishonest employees. Some estimates hold that 20 percent of reported data breaches occur at the exchange of the credit card from customer to employee, a particularly contentious point at many dine-in eateries where the customer’s card can disappear from view for minutes at a time.

The best way to minimize data theft, security experts agree, is to follow PCI DSS guidelines, which include simple measures such as changing passwords on the applications and devices used to accept and process credit card payments every 90 days and regularly inspecting POS equipment. Operators should also seek business partners and technology vendors present on the PCI Security Standards list. “By doing so, you can keep this data safe from criminals and everyone can avoid the financial and reputational fallout that results from its compromise,” Russo says, adding that the PCI Council has a special Web site geared toward small businesses (www.pcisecuritystandards.org/smb/).

Additionally, operators should use PA-DSS validated software that is supported by the vendor; install a commercial grade hardware firewall that is actively managed and tightly controlled; and use secure remote access only when necessary.

“The best way to cut off a lot of threats is strong perimeter security,” says von Kluck, adding that Lou Malnati’s also purges old information on a systematic basis and educates staff on proper handling of credit card information to further minimize trouble. “PCI compliance is the starting point, but we’ll take the extra precautions to protect ourselves and our customers.”

Operators should also install and update antivirus software, remove unused software, disable unnecessary features, and limit activity on the POS and payments systems to business use alone. “Do these things first, then focus on PCI DSS and re-assess your approach annually to adjust to industry changes,” Pearson advises.

Protect the POS

Like any technology, POS systems continue evolving at a rapid pace, a reality that demands operators maintain and regularly update the POS system to both leverage its profit-building capabilities and protect consumer data.

“POS systems need to be reviewed regularly to ensure they are operating at peak performance,” says security expert John Pearson. “As a gas stove may become a hazard due to a leak which develops over time, a POS system may become a hazard due to a defect or vulnerability which is discovered in the operating system or in a hardware component over time.”

Pearson calls POS security an “ongoing action” and urges operators to respect two rules: maintain a relationship with the POS vendor and religiously follow their maintenance advice.

“Any business who does not properly secure their POS and network,” Pearson says, “might as well open their doors and hang a neon sign to the world saying, ‘Rob me!’”

Chicago-based writer Daniel P. Smith has covered business issues and best practices for a variety of trade publications, newspapers, and magazines.