Restaurants and Credit Cards – A Dangerous Combination

All of us have heard about the dangers of using credit cards on the internet. Many of us probably even know a friend, co-worker or family member who has been a victim of credit card fraud or identity theft.  What most people don’t know is that using a credit card at a restaurant is far more dangerous than making a purchase online.

According to statistics and industry experts, the internet is actually a safer place to use a credit card than a restaurant or bar. Data recorded by Visa since January 2005 shows that restaurants made up over 40% of incidents in which criminals gained unauthorized access to credit card information. This represents the largest percentage of incidents for any single merchant category. In addition, Ambiron Trustwave, a Chicago-based security company that conducts security audits for merchants, reported that 62% of the security violations it encountered during an 18-month period occurred in restaurants.

So what makes the restaurant industry so vulnerable? First, it is one of the last remaining settings where you hand your card to an individual who actually leaves your sight to process the payment. What happens between the moment a credit card leaves your hand and the moment it is returned can be very unnerving.

The Most Dangerous Employee

One of the most common tactics is called “skimming”. This is where a restaurant employee uses a device called a skimmer to copy the personal account information encoded on the magnetic stripe on the back of the card. Credit card skimming has become a worldwide problem with losses exceeding $1 billion a year. It is estimated that 70% of these losses happen in restaurants.

The list of restaurants that have been victims of skimming is endless. In April of 2007, seven restaurant employees were indicted in Orlando for skimming a number of cards from a local restaurant. They sold the credit card data to a middleman, who then sold the information to a group making counterfeit credit cards in Miami. Similar incidents happen all the time in both metro and rural areas. Criminals don’t discriminate between restaurant types either; pizzerias, casual dining restaurants and fine dining establishments have all been affected. In many cases, criminals will pay restaurant employees to skim cards, or sometimes become restaurant employees themselves.

What may be most troubling is how easy it is to get hold of skimming equipment. Everything required to pull this crime off is available to anyone who has internet access. A typical skimmer costs around $300 and the equipment to make a counterfeit credit card can be purchased for as low as $5000. If this wasn’t dangerous enough, there is another kind of skimming that affects restaurants using older terminals: a criminal slides a small skimming bug into the terminal, the bug pulls credit card data directly from the terminal, and after a few days of transactions the criminal removes the bug and takes off with the data.

Another popular crime perpetrated by restaurant employees is called tip fraud. This is when a server alters the tip when entering the final bill into the terminal or point-of-sale system. A consumer could be charged an extra 75 cents, a few dollars or even more. Unless the consumer cross-references their receipts with their monthly statement, the odds are they will never catch it.

How can this be stopped?

There are several precautions that a restaurant can take to protect itself, and its customers, against these kinds of crimes. The first step is to conduct thorough background checks on employees before they are hired. Once hired, dedicate a section of the employee manual to this subject, along with a one-on-one discussion with every employee before they start work. Be sure to convey that there are special checks in place to guard against these kinds of crimes and that if an employee should ever be caught they will be prosecuted to the fullest extent of the law. Most of the time, these criminals prey on businesses they feel are vulnerable and don’t have measures in place to protect against skimming. If a restaurant conducts the proper screening on new employees and addresses its policy on credit card fraud in the interviewing and training process, it’s possible it can deter criminals.

Another solution that is gaining popularity, both with restaurants and consumers, is the use of wireless terminals. These terminals allow consumers to pay at the point of purchase, whether it is at the table or off-site in the case of restaurant delivery and corporate catering. Wireless payment systems combat fraud by keeping the card in the consumer’s hand and never letting it leave their sight. This eliminates the risk of skimming, provides the consumer peace of mind and offers the restaurant a more efficient way to accept credit card payments while expediting table turns. Delivery restaurants, such as pizzerias, will also see a reduction in credit card processing fees by having the cards swiped instead of key-entered.

POS Systems - A Hacker’s Goldmine

The next, and most dangerous, vulnerability for restaurateurs is the security of their Point of Sale (POS) and payment system. A restaurant whose POS system stores mag-stripe data is unnecessarily exposing itself to a possible compromise. Discretionary card data, card verification data, PIN data and address verification (AVS) data should never be stored by a POS system: once an authorization is received, that data does not need to be retained. Additionally, if the POS system stores data such as the cardholder name, account number or expiration date, the restaurant needs to ensure that the data is properly stored and securely protected.
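The rule above (no stored track, verification or PIN data once the authorization is back) can be audited mechanically. As an added example that is not from the article or any POS vendor, this Python script scans a constructed POS authorization log for magnetic-stripe track 1 and track 2 records and bare account numbers, uses the Luhn check to discard reference numbers that merely look like card numbers, and reports each hit with the number masked; the log lines and card numbers (the well-known test numbers) are constructed for the example.

```python
import re

# Constructed sample of what a mis-configured POS might leave on disk: an
# authorization log that kept full track data and a full account number
# after authorization. Card numbers are the well-known Visa/MasterCard test numbers.
SAMPLE_POS_LOG = """\
2007-05-01 19:42:03 AUTH OK ref=0001 amount=48.20 pan=411111******1111
2007-05-01 19:55:17 AUTH OK ref=0002 amount=23.10 track2=;4111111111111111=25121011234567890?
2007-05-01 20:03:44 AUTH OK ref=0003 amount=61.00 track1=%B5555555555554444^DOE/JANE^25121011234567890?
2007-05-01 20:11:09 AUTH OK ref=0004 amount=15.75 pan=5555555555554444 exp=2512
2007-05-01 20:20:31 BATCH CLOSE total=148.05 ref=9999999999999999
"""

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{7}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{7}[^?]*\?")
# A bare 13-19 digit run that may be a full primary account number.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

def luhn_ok(digits):
    """Luhn checksum; filters reference numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Report only the first six and last four digits, as a receipt would."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_line(line):
    """Return (kind, masked PAN) for each forbidden data element on the line."""
    findings = []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((kind, mask_pan(m.group(1))))
    # A full PAN stored outside track data is a finding too; strip the
    # track matches first so the same number is not reported twice.
    rest = TRACK1_RE.sub("", TRACK2_RE.sub("", line))
    for m in PAN_RE.finditer(rest):
        if luhn_ok(m.group(1)):
            findings.append(("pan", mask_pan(m.group(1))))
    return findings

def scan_log(text):
    """Scan a whole log; returns (line number, kind, masked PAN) tuples."""
    return [(n, kind, masked)
            for n, line in enumerate(text.splitlines(), 1)
            for kind, masked in scan_line(line)]
```

The truncated number on the first line and the non-Luhn batch reference on the last line produce no findings, which is the behaviour you want when pointing this at real POS files.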

There are a number of ways a restaurant POS system can be infiltrated. For instance, many restaurateurs have the ability to access their POS system and data from a remote location such as a home office. If the tool that provides this access is not properly secured, it is possible for a hacker to get into the system and pull information from the POS. Visa’s website lists the top 3 POS system vulnerabilities, and at the top of the list is remote access security. To ensure that a POS system is safe, restaurants should choose software created by validated payment-application suppliers. Visa provides a list of validated suppliers on its website. Visa has also gone as far as publishing a memo listing all of the POS software vendors whose products have been shown to store card data. The list includes several well-known and widely used POS systems.

As with skimming, there are widespread examples of infiltrations of restaurant POS systems. A perfect example is an Atlanta Bread Co. restaurant in Kansas City. When a hacker compromised its credit card processing system, it tallied up a bill of over $25,000 and counting. The restaurant was threatened with fines of up to $1 million and had $16,000 pulled from its bank account without notice. This prevented it from buying food for a period of time, and it then had to spend $7000 upgrading its POS system. Luckily, the restaurant was able to weather the storm and stay afloat. Unfortunately, many restaurants maintain a very tight cash flow and such a blow could easily put them out of business.

In its restaurant report, Ambiron Trustwave said, “In a typical security breach at a restaurant, an attacker will steal cardholder information for approximately 40,000 cards – a far greater number than just a typical skimming incident and the individuals involved in these types of thefts are more than just rogue waiters.”  The report continued to say, “In many instances these attackers work for a larger international organization that uses the stolen information to create counterfeit credit cards.”  

Another example is Chipotle Mexican Grill. Prior to August of 2004, the possible theft of customers’ card data led to approximately 2,000 incidents of fraudulent charges totaling $1.4 million, for which the restaurant chain became liable. Although the company has not been able to show with certainty that the data compromise occurred, it was left holding the bag. It allocated $4 million to cover reimbursement of fraudulent charges, the cost of replacing cards, monitoring expenses and fines imposed by Visa and MasterCard. Its 2005 annual report disclosed that the fines from Visa and MasterCard totaled $1.3 million. When factoring in legal fees, the total cost of this incident is in the range of $5.5 million. Later, the company determined that its software, a popular brand most of us are familiar with, had been retaining track data.

That is exactly why the credit card companies are so worried about restaurant POS software. Since they can’t require software companies to abide by security rules, they apply pressure to the restaurant. In 2006, Visa fined merchants across all categories $4.6 million for violating security standards, up from $3.4 million the previous year. After September 30, 2007, merchants who process more than 1 million card transactions annually are required to be validated as PCI compliant. Failure to do so will result in fines from Visa of $5,000 to $25,000 per month. Merchants of any size, no matter how small, who have security breaches will normally have to pay for cardholder losses on top of fines passed down from card companies. There are also assertions that the Federal Trade Commission can levy penalties that may go well beyond fines from the card associations.

If all of the fines and fees aren’t enough, we haven’t even considered the indirect costs related to software compromises and employee-related theft. What about the reputation of the restaurant? If any industry knows how unforgiving consumers can be, it is the restaurant industry. Studies have shown that 40% of consumers might discontinue a relationship with a vendor if their credit card was compromised by that company. In the same study, another 20% said they had already stopped doing business with a company over that same issue. If you take the classic marketing equation that a typical dissatisfied customer will tell 8-10 people and those people will tell 5 more people, you can be looking at a very damaging incident. Even more, a situation such as this will most likely catch local, and possibly national, media attention.
 
Another grave penalty that can be handed down is the termination of the merchant’s ability to process credit cards. Consider a recent Visa study that highlights the value of accepting electronic payments. The study of 100,000 quick-serve restaurant transactions showed that customers using payment cards spent an average of 30% more than those who paid with cash. Other industry studies suggest that the average difference could be even greater. Just about any restaurant these days has to accept credit cards because of consumer demand. Consider that in 2005, 56% of all in-store sales were made with electronic payment cards. A majority of this growth is due to the popularity of debit cards. In 2005, 14% of in-store transactions were made by signature debit cards and 19% by PIN-based debit cards, together comprising 1/3 of all in-store purchases.*

* 2005/2006 Study of Consumer Payment Preferences

 

What is PCI?

In 2001, Visa launched the Cardholder Information Security Program (CISP). This was designed to help merchants protect themselves and their cardholders. In 2004, CISP requirements were incorporated into an industry standard, adopted by each of the credit card companies, known as the Payment Card Industry Data Security Standard (PCI DSS). Effective September 7, 2007, these standards are mandatory and must be met by all merchants that accept electronic payment cards. Compliance with these standards is on a strict schedule that breaks down merchants by their number of annual transactions.

The 12 basic requirements of PCI Data Security are:

  1. Install and maintain a firewall configuration to protect data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored data with encryption and keep storage to a minimum.
  4. Encrypt transmission of cardholder data and sensitive information across public networks.
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to data and limit access on a need-to-know basis.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data and destroy media containing transaction information when it is no longer needed.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain an information security policy.

 

Is PCI here to stay?

According to credit card processors, tens of thousands of restaurants are not complying with PCI standards. It is expected that restaurants, especially the smaller mom-and-pops, will have a difficult time with PCI standards and the credit card security rules. The biggest challenge for any restaurant is that the owners and managers are too busy running the daily operations and simply wear too many hats. This makes it incredibly difficult to take time to act as a security expert. It certainly isn’t a topic that is top of mind for a typical restaurateur, that is, until it actually happens.

It is likely that many restaurateurs are not even familiar with the dangers, liability issues and financial risks associated with identity theft and payment fraud. According to a survey conducted by Visa and the National Federation of Independent Businesses, most small businesses (57%) don’t see securing customer data as something that requires formal planning and many (39%) said they just rely on common sense to keep their data safe. These are alarming responses considering that 2/3 of merchants use credit card systems with insufficient security measures.

With many states looking to pass legislation that will enforce PCI and data security standards, it is inevitable that restaurants will see ever-increasing pressure to comply and even steeper penalties if they don’t. Take for example the bill passed by the Texas House of Representatives in May of 2007. It was passed with overwhelming support by a vote of 139-0. This bill will formally codify PCI requirements into state law that merchants will be obligated to comply with. Under HB 3222, an entity that encounters a breach will have to reimburse banks and credit unions the cost associated with blocking and reissuing cards if the merchant was not PCI compliant.

This bill will give restaurants in the state of Texas a strong incentive to comply with PCI data security standards. According to the language of the bill, “a business that, in the regular course of business, collects, maintains or stores sensitive personal information in connection with an access device must comply with payment card industry security standards”. With a state such as Texas on its way to passing a bill that will put PCI compliance into law, and other states ready to follow, there is no doubt this is an issue restaurateurs will have to face.

In a consumer study by Javelin Strategy and Research, 60% of consumers see an increase in credit card fraud. Most commonly it has been assumed that credit card fraud is associated with making purchases online. In reality, consumers face a bigger risk when they use their credit card at a restaurant. This is a realization that restaurateurs will have to come to as well. Even if you feel like you have an “unsophisticated environment”, it doesn’t mean you are not vulnerable to hackers and criminals. All the facts and prior cases point to the contrary. Hackers and criminals concentrate on the smaller merchants because this is where they see the greatest vulnerability.

The Final Analysis

PCI compliance, data security standards and the financial risks associated with not complying are all very real. Every sign points to this issue becoming a greater concern to consumers and even more closely regulated by card associations, government agencies and by state and federal laws. In an April 2007 article, Martin Elliott, vice president of emerging risk for Visa USA said, “we’re clearly in an environment today where it makes good business sense to protect sensitive information such as cardholder data.  Why? Because customers have trust that their cardholder information is safe and kept in a secure manner.”

They say it only takes one bad experience to lose a customer. With cardholder data, it only takes one compromise to lose a business. As a restaurateur you pay careful attention to every detail that you believe is important to your customers. This includes the purchasing, storage and handling of quality ingredients, careful preparation of every meal and striving to offer unforgettable customer service. Everything you do is to build a great reputation, satisfy your customers and keep them coming back. By showing that same care and diligence in how you handle their cardholder data, you will not only protect your business but also ensure that your customers are protected as well.

BankCard Central

 


 
All Rights Reserved RestaurantPartner.com ©2007