Operating a large enterprise restaurant is a complex undertaking with many moving parts, including booking events, managing staff and even managing multiple locations or franchises. But one thing that is becoming increasingly top of mind for management and executives is payment security, as news headlines remind businesses of the consequences of a data breach.
Today, restaurants have more vulnerabilities than ever before. While digital channels are creating new opportunities to increase sales and reach new customers – such as through online/mobile ordering and third-party integrations with delivery services – they also create new ways for hackers to potentially gain access to confidential payment information. While the point-of-sale system is the central hub used to help manage restaurant operations it is also the most common point of access hackers use to infiltrate businesses in the food service industry.
Unfortunately, there is money to be made with stolen payment card information on the black market, so it’s no surprise that research shows payment-related cybercrime is on the rise. The average number of fraudulent transactions attempted per merchant is up 34% from 2013 to 2016,i and the cost of a single data breach is up to $3.86 million.ii Nearly a third of all businesses will have a recurring breach over the next two years.iii
Fortunately, digital technologies are also providing many of the tools needed for defending against hackers. If you’re concerned about protecting your restaurant’s reputation and your customers’ sensitive payment card data, here are a few practical and actionable tips:
1. Work closely with your Payment Processor and Point-of-Sale system providers. Since we know that the POS system is the number one point of access for criminals, it’s critical that you work with your POS provider to ensure you’re using the most updated version of the software. With cybercriminals becoming more skilled and sophisticated, you need the peace of mind that comes from knowing your POS system has the latest technologies and patches installed to help safeguard cardholder data.
Your payment processor can help you with ensuring you have the recommended security layers – EMV, encryption and tokenization. EMV prevents fraud during in-person transactions by equipping cards with an embedded chip. When tapped, keyed or inserted into a payment device, algorithmic calculations and uniquely generated codes for that transaction will authenticate that the card is legitimate.
Encryption translates sensitive card data into unreadable codes that cannot be used or deciphered by anyone who doesn’t have the proper decryption keys. Card data stays encrypted in transit from the merchant’s payment device to the payment processor, where it is decrypted using a special key and routed to the issuing bank for transaction authorization.
Tokenization is a companion to encryption that replaces the original card data with a token. Once a transaction is authorized, the processor returns a token to the business or merchant which can safely reside on their payment system. A layered approach to security that combines all three measures gives your restaurant the best protection.
2. Teach your employees prevention strategies. Large restaurants have many employees in various roles that could expose sensitive information. Office employees may click on a suspicious link in an email or fail to password protect their desktop. And even though your front and back of house staff may not have access to any of your computers or files, chances are most of them are connected to your restaurant’s Wi-Fi on their smartphones – which means their devices could offer many entry points into your system.
That’s why it’s important to train your employees to understand and follow appropriate security protocols. Some best practices include making passwords complex and changing them regularly, scrutinizing email and deleting suspicious messages, screening websites, installing antivirus software, and being careful about who they engage with on social media.
Of course, these same guidelines apply to management and owners. In addition, you want to keep your software current, always applying updates to your software, phone and computer operating systems, and antivirus systems at home and work. Don’t forget to also back up your data. If you do fall victim to malware or ransomware attacks, having everything backed up offline will help with recovery much more quickly.
3. Consider a holistic approach to security. For optimal protection, experts recommend making sure everything from your devices to applications and processes are secure. One way to do this is with PCI-validated point-to-point encryption (P2PE). It may sound complicated, but all it means is that the solution has been rigorously evaluated by an independent assessor and verified as meeting the requirements necessary for merchants to reduce the scope of their cardholder data environment. For example, a PCI validated P2PE solution ensures that your restaurant payment devices, applications and processes have the proper security processes in place, and there are no vulnerability points. It assures devices have been protected during shipping and transportation (such as with tamper-evident packaging), and assures physical security by reviewing inventory logs, among other things.
Since the independent assessor is brought in by the PCI Security Standards Council to audit a solution from top to bottom, choosing a validated solution reduces your efforts required to achieve PCI DSS compliance.
With the right tools and investments, payment security is something you can rest easy about, allowing you to focus on expanding your business and satisfying your customers. Find more information on safeguarding your restaurant from fraud and hackers at www.elavon.com/cybersecurity.
About the author: As the Head of Strategic Markets -- Restaurants, Doug Riepe is focused on the restaurant vertical at Elavon. He leads a team of national sales directors and client executives who are focused on enhancing and accelerating payments for the restaurant industry. Riepe brings with him a wealth of knowledge and experience working with Fortune 100 brands with a keen eye on partnerships and customer service. Prior to joining Elavon, he worked in the sports and entertainment industry managing national sales and sponsorship for a professional sports team.
i LexisNexis True Cost of Fraud Study
ii Ponemon Institute: 2018 Cost of a Data Breach Study
iii Ponemon Institute: 2018 Cost of a Data Breach Study