On the Menu: More Security
Payment Security in the Restaurant Industry
Recently, the National Restaurant Association co-hosted a chat via its Twitterfeed, dealing with issues of payment security. This is of particular concern to NRA members, since many of the most headline-grabbing hacks have come at eateries, like PF Chang’s, Dairy Queen, and other food establishments.
Evolving Threats in Payment Security
According to the Greensheet, data thieves are shifting away from the “traditional” method of using payment card information for purchases during the brief period before detection. Instead, they are increasingly focused on obtaining personal information. Their aim is to create duplicate profiles of victims, open new accounts (sometimes depleting existing ones), and frequently engage in activities like applying for benefits or tax refunds in the victim’s name.
Steps to Protect Customer Information
During the chat, the moderator queried participants about the measures that could enhance the protection of customer information in restaurants (and possibly other establishments). Some of the recommendations they proposed included:
- Limit employee access to sensitive data. Make access on a “need-to-know” and “when-to-know” basis.
- If it’s paper, shred it, and if it’s digits, use Bleach Bit or some other program to virtually shred it!
- When possible, use tokenization instead of transmitting raw and unencoded customer data.
- Comply with all Payment Card Industry security standards. Remember, it’s the merchant’s responsibility to provide security at point-of-sale.
Ensuring Comprehensive Security
Other recommendations included protecting both hardware and software, with up-to-date virus software, and password-protection, and being sure to encrypt all cardholder data as soon as possible, at the earliest point in the transaction – which is to say, the time of payment card swipe, tap, or insertion. This latter piece of advice became, perhaps, even more critical in light of an article that Forbes ran, right before the chat was held, saying that an Australian security consultant had created an “Android App Clones Contactless Credit Cards In Seconds.”
Understanding NFC Card Cloning
It operates in the context of “NFC” or “Near Field Communication” transactions where cards are tapped, among other methods. This occurs with EMV or chipped cards that include magnetic stripes as a backup, particularly in situations where the chip remains unusable. Then, the “app scans the card and takes the ATC (or ‘transaction counter’) data. The app also contains a look-up table, or a dictionary, that matches all possible ‘random’ numbers the payment terminal might provide with the corresponding transaction counter number. At that point, the app has all the data it needs and can start making transactions. The clone is complete.”
Urgency in Protecting Cardholder Data
As Greensheet reported about the NRA’s Twitter chat, there is, currently a “sense of urgency restaurant owners and payments industry stakeholders share in addressing the current threat environment and protecting the integrity of cardholder data.”
If you’re feeling a similar urgency, be sure to contact your AVPS Rep, to see what your security and payment options are, for customers using everything from payments “on the go,” to “retro” implements like written checks!
Once you know your business is secure, and up-to-date, you can glance at the menu again — for dessert!