On the Menu: More Security

Recently, the National Restaurant Association co-hosted a chat via its Twitter feed, dealing with issues of payment security. This is of particular concern to NRA members, since many of the most headline-grabbing hacks have come at eateries, like PF Chang’s, Dairy Queen, and other food establishments.

As reported by the Greensheet, rather than carrying out the “traditional” hacks, wherein payment card information is used for purchases during the brief window before the infiltration is discovered, data thieves are more and more interested in personal information, in order to create duplicate profiles of the victims, to open new accounts (or drain them!), and often, apply for benefits, tax refunds, etc., in the victim’s name.

The moderator of the chat asked participants what steps could be taken to better protect customer information at restaurants (and presumably other establishments). Among the tips they came up with were:

* Limit employee access to sensitive data. Make access on a “need-to-know” and “when-to-know” basis.

* Destroy any such information when it’s no longer needed. If it’s paper, shred it, and if it’s digital, use BleachBit or some other program to virtually shred it!

* When possible, use tokenization instead of transmitting raw and unencoded customer data.

* Comply with all Payment Card Industry security standards. Remember, it’s the merchant’s responsibility to provide security at point-of-sale.
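To make the tokenization tip concrete, here is a small added example in Python (it is not code from the original post, the NRA chat, or any AVPS product). The `TokenVault` class, the `settlement` and `waiter` role names, and the card number `4111111111111111` (a standard test number, not a real account) are constructed for the illustration. The point it shows: once the raw card number has been swapped for a random token, receipts, reports and staff-facing screens carry only the token and a masked number, and only one narrowly permitted role can ever get the real number back.

```python
import secrets
from typing import Dict


def luhn_valid(pan: str) -> bool:
    """Luhn check: rejects mistyped or malformed card numbers before they reach the vault."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy tokenization vault (constructed for this example).

    Only this object ever holds the raw card number. Everything downstream
    of tokenize() works with tokens and masked numbers.
    """

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        # A random token has no mathematical relation to the card number,
        # so a leaked token table by itself reveals nothing about the cards.
        token = "tok_" + secrets.token_hex(16)
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str, role: str) -> str:
        # "Need-to-know": only the settlement role may recover the real number.
        if role != "settlement":
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._by_token[token]


def mask_pan(pan: str) -> str:
    """Display form: everything but the last four digits is hidden."""
    return "*" * (len(pan) - 4) + pan[-4:]


def process_payment(vault: TokenVault, pan: str) -> Dict[str, str]:
    """Swap the card number for a token at the earliest point, then build a receipt
    that contains only the token and the masked number."""
    token = vault.tokenize(pan)
    return {"token": token, "display": mask_pan(pan)}


if __name__ == "__main__":
    vault = TokenVault()
    receipt = process_payment(vault, "4111111111111111")  # constructed test number
    print(receipt)  # the receipt never contains the full card number
    print(vault.detokenize(receipt["token"], "settlement"))
    try:
        vault.detokenize(receipt["token"], "waiter")
    except PermissionError as err:
        print("blocked:", err)
```

Two design choices are worth noting. The token is random rather than derived from the card number, so there is nothing to reverse; and the same card tokenized twice yields two different tokens, which is fine for one-off sales but would need a per-card lookup in the vault if the business relies on recurring billing.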

Other recommendations included protecting both hardware and software, with up-to-date antivirus software and password protection, and being sure to encrypt all cardholder data as soon as possible, at the earliest point in the transaction – which is to say, the time of payment card swipe, tap or insertion. This latter piece of advice became, perhaps, even more critical in light of an article that Forbes ran, right before the chat was held, saying that an Australian security consultant had created an “Android App Clones Contactless Credit Cards In Seconds.”

It works with “NFC,” or “Near Field Communication” purchases where cards are tapped, etc. This happens with EMV, or chipped cards, that have magnetic stripes as back-up, for places where the chip still can’t be used. Then, the “app scans the card and takes the ATC (or ‘transaction counter’) data. The app also contains a look-up table, or a dictionary, that matches all possible ‘random’ numbers the payment terminal might provide with the corresponding transaction counter number. So when the random number is taken in by the app, it looks for the corresponding ATC and CVV values. At that point, the app has all the data it needs and can start making transactions. The clone is complete.”

As Greensheet reported about the NRA’s Twitter chat, there is currently a “sense of urgency restaurant owners and payments industry stakeholders share in addressing the current threat environment and protecting the integrity of cardholder data.”

If you’re feeling a similar urgency, be sure to contact your AVPS Rep, to see what your security and payment options are, for customers using everything from payments “on the go,” to “retro” implements like written checks!

Once you know your business is secure, and up-to-date, you can glance at the menu again — for dessert!
