By Christy Simo
At the Georgia Restaurant Association annual meeting in June, several experts in the POS industry sat down to discuss why it’s so important for restaurants in Georgia to validate compliance with PCI requirements, some tools to help you, and what’s on the horizon. Here is a synopsis of their conversation.
According to a 2012 Verizon report, 54 percent of data breaches in the past year were in the hospitality industry, an increase over prior years.
“You are a restaurant. You want to serve people and make them happy,” says Brett Lockwood, partner with Smith Gambrell & Russell who chairs the firm’s Technology Transactions Practice. “But you also have PCI security data issues to deal with, and that’s just the reality.”
“It really is important to check your business financially,” says Larry R. Godfrey, director of sales engineering for Heartland Payment Solutions. “Your customers are trusting you with their data. It really is your job to protect that.”
The Current Dangers
The main issue in today’s hacker and credit card theft world is that the U.S. still uses a credit card with a magnetic stripe – that black bar on the back of every card.
“What makes it so dangerous is that all your personal data is stored on that mag stripe, such as your name, your phone number, your address,” says Walt Davis, general manager of Retail Data Systems Southeast. “As a restaurateur, you’re responsible for protecting your consumers just as much as some of these big companies.”
In 2002, credit card theft reached epidemic levels in the U.S. So in 2003, Congress passed the FACT Act (Fair and Accurate Credit Transactions Act), which prohibited businesses from printing more than five digits of any customer’s credit card number or expiration date on a receipt.
If a breach occurs, you have the option to do nothing, but that could ruin your business. In a nutshell, your bank will notify you that it has detected a credit card breach originating at your restaurant. You’ll contact your internet provider and credit card processor, and you’ll be required to stop processing credit cards immediately. You may have to pay a forensic auditor, who will find your security holes.
“That forensic audit is going to cost you anywhere from $8,000 to $12,000 minimum,” Davis says.
You’ll also contact your POS provider, and they will have to re-secure the site. You’ll have to buy a brand new computer server, because your old server is now evidence in a federal crime and becomes federal property.
Not only that, but if you are a small business that experiences a breach, you will then be treated as a Tier 1 company to ensure measures are taken to keep a breach from happening again.
“Tier 1s have to go through this validation process every year that can cost tens of thousands of dollars. Even if you’re a Tier 4 that suffers a breach, you’re going to be held accountable for doing that for some time in the foreseeable future,” Godfrey says. “So if you want to take cards after the breach, you’re going to be treated like a Tier 1. You’re going to have to pay a company to come in and do an audit every quarter.”
Davis notes that on top of these costs, the restaurateur is also liable for the fraudulent charges – that is, the restaurateur is the one who must reimburse the customer for the charges that showed up on the customer’s credit card statement.
Today, one of the most prevalent ways to steal credit card information is a RAM scraper: malware that reads card data out of the POS computer’s memory in the brief window when it sits there in the clear, before it is re-encrypted. The criminal can get into your computer and install the malware in many ways, including obtaining passwords or reaching the computer through Facebook or email. “This is the most common pattern of theft that’s being used in most restaurants,” Davis says.
“Why should you care about credit card fraud?” asks Davis. “Because you, the merchant, will be held responsible. Not your bank, not your POS provider, and not your credit card company.”
And that can get expensive.
There are four tiers of merchants, based on the number of transactions they process annually. Most restaurants, aside from national chains, fall into Tier 4. Tiers 1 through 3 are required to validate 100 percent compliance, and they spend hundreds of thousands of dollars to do so. Independent businesses like most of the restaurants in Georgia, however, cannot afford to spend that kind of money to validate compliance. But it’s important that they do so: these restaurants are expected to self-assess, and they are still held liable if fraudulent activity occurs.
“The reason you have to do it is when you sign your merchant agreement with your credit card processor, regardless of who that processor is, there’s a section on data security and privacy,” Davis says. “It clearly states that you are to do the following things to be compliant: You’re supposed to have a firewall, you’re supposed to have data security, and you’re supposed to complete a self-assessment questionnaire.”
The catch-22 is that they will not ask you for proof of these things until a breach has already occurred.
“Most merchants totally underestimate credit card fraud and the consequences that follow,” Davis says.
“Those fines cover the costs banks incur when they have to reissue the cards,” Godfrey says. “But the main cost is the buyback. Not only do you incur these costs, you’re responsible for paying back that consumer who had that fraudulent charge filed against them. So that, a lot of times, is the biggest expense.”
For these reasons and more, it is important to validate your compliance now, not after a breach occurs – not just for monetary reasons, but for your restaurant’s integrity.
“There are companies out there who will help you with the compliance aspects,” Davis says, “but nothing can help with the loss of your brand.
“This is serious business,” Davis says. “It is not about filling out these forms just to make the processors happy. Validate your compliance. There is no other option. As a restaurateur, you owe it to yourselves, your merchant and your customers to protect their data.”
Thankfully, there are several new technologies on the horizon that can help restaurants better protect their customers’ data. One has been around for more than a decade in Europe and is headed our way this spring.
“The primary thing about the European payment system is the microprocessor chip that’s embedded into the cards,” says Mike Seymour, COO of Postec.
Known as EMV (Europay, Mastercard, Visa), the processing system reads a 1” square chip in the corner of the card when you insert the card into the reader.
“The chip card systems based on EMV are being phased in across the world with names such as IC credit or, most commonly, Chip and Pin,” Seymour says, adding that 30 percent of payments worldwide today are EMV payments. “What that refers to is the microprocessor chip that’s embedded in the card, plus the four-digit PIN that the consumer enters at the time of the transaction, like you would in the U.S. with a debit card transaction.”
Sixteen years after the development of the EMV and 12 years after its launch in Europe, Visa announced plans in October 2011 to push the U.S. toward adopting the EMV standard, and Mastercard has also followed suit, Seymour says. The initial push by Visa is to have all credit card processors in the U.S. support EMV by April 1, 2013.
“In dollar terms, credit card fraud represents nearly 7 cents for every $100 of debit or signature transaction in the U.S.,” Seymour says. “Based on EMV rollouts in other countries, fraud can be expected to drop by 50 percent or more once the transition is complete.”
Are EMV and smart cards enough to completely protect your business when they come online next year? Not necessarily. “Smart cards will prevent someone from using a fraudulent card. It’s much more difficult to make a counterfeit smart card than it is to make a counterfeit mag stripe card. Hopefully it will cut down on the amount of cards that come into your business that are fraudulent,” Godfrey says. “That’s really the power behind the EMV and smart cards.”
The transition won’t happen overnight, Seymour cautions. “Everybody’s going to have to replace all their card readers,” he says, adding that for a while, the readers will be able to accept all kinds of cards as the country transitions. “Ten, 15 years from now, mag stripe cards will be extinct.”
For now, there are still several things you can do to protect your restaurant from hackers and credit card thieves – and for good reason.
“A lot of folks think that hackers are just going after big business,” says Heartland’s Godfrey. “But what’s happened over the past few years, is that [large] Tier 1 merchants have done a pretty good job of securing their networks and systems, so really where the hackers are going now is where the doors are unlocked. They know with a lot less effort, they can get into a smaller business.
“They’re not going to get as much data back, but it’s a lot easier for them,” Godfrey says. “So that mid-tier merchant, with 11-100 employees, is really right in the crosshairs of the hackers.”
Along with the Chip and Pin card, tokenization and anti-encryption are two other methods that can help reduce the risk of your restaurant being hacked.
“The important thing to know about these technologies is that they’re not mutually exclusive of each other,” Godfrey says. “In fact, using all three is the way to really protect your system.”
Tokenization adds an extra layer of protection to your customers’ data. It resembles encryption in that the card number is replaced by a substitute value, but there is no key or formula that turns the token back into the card number, so there is effectively nothing to crack.
“There’s no mathematical correlation between that code and the original value, so there’s no way you can figure out that original card number from the token,” Godfrey says. He says this type of protection cannot protect you from customers using fake credit cards, but “it’s great when you have to hold on to that card number after the fact.”
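To make the point concrete, here is an added illustration of the tokenization described above (written for this article, not code from Heartland or any vendor mentioned here): the card number goes into a vault and the POS keeps only a random token plus a receipt-style truncated number. The vault class, the `tok_` prefix and the sample card numbers are all constructed for the example.

```python
import re
import secrets


class TokenVault:
    """Constructed example of a tokenization vault.

    A card number (PAN) is swapped for a token drawn from the OS random
    number generator. The token is not derived from the PAN by any key or
    formula, so the only way back is the lookup table inside the vault.
    """

    def __init__(self):
        self._pan_by_token = {}   # token -> PAN; lives only inside the vault
        self._token_by_pan = {}   # PAN -> token; a repeat customer reuses a token

    @staticmethod
    def _digits(pan: str) -> str:
        digits = re.sub(r"\D", "", pan)      # drop spaces and dashes
        if not 13 <= len(digits) <= 19:      # plausible PAN lengths
            raise ValueError("not a plausible card number")
        return digits

    def tokenize(self, pan: str) -> str:
        digits = self._digits(pan)
        token = self._token_by_pan.get(digits)
        if token is None:
            token = "tok_" + secrets.token_hex(16)   # 128 random bits, no relation to the PAN
            self._pan_by_token[token] = digits
            self._token_by_pan[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can do this; a stolen token alone is worthless."""
        return self._pan_by_token[token]


def receipt_mask(pan: str) -> str:
    """Truncated PAN as printed on a receipt: all but the last four digits masked."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def store_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """The record a restaurant POS keeps after the sale: token and masked PAN, never the PAN."""
    return {
        "token": vault.tokenize(pan),
        "masked_pan": receipt_mask(pan),
        "amount_cents": amount_cents,
    }
```

Because the token is random, two sales on the same card share a token (useful for refunds or repeat customers) while the record stored at the restaurant never contains the full card number.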
Anti-encryption, aka point-to-point encryption, encrypts the card data as soon as the card is swiped.
“It’s tamper resistant,” Godfrey says, noting that it works best against RAM scrapers. “If somebody went in there and tried to mess with it, it would just wipe itself out. If you’ve got something hackers want, and that’s the credit card data, what encryption does is it removes the value. So even if they do get in, there’s nothing of value to steal.”
Where is all this headed? While the Chip and Pin cards are coming our way next year, many experts predict that, ultimately, using our smart phones to pay for things will be most popular. “If you ask me, I think smart phones is where we’re going to go,” Godfrey says.
“The consumers are going to drive some of that. I think the younger generation especially wants that ability,” Seymour says. “When you look at the percentage of smart phones and how that’s increased over the past few years, my personal feeling is that yes, that’s where we’ll end up.”