In this blog post, we explore the challenges of securing payment data during the hectic holiday season and provide tips and best practices to help restaurants better secure their payment data. The following is a Q&A with Troy Leach, Senior Vice President of the PCI Security Standards Council, and Laura Chadwick, Program Director, Technology & Innovation of the National Restaurant Association, about the importance of cybersecurity this holiday season.
Why is awareness of protecting payment data so important for the restaurant business?
Laura Chadwick: We know that cybersecurity isn’t why people get into the restaurant business, but it’s emerging as one of the biggest risk factors for our industry’s reputation and bottom line. The threat is growing, so you need to take steps now to protect your business. Hackers know that you face time and resource constraints. They prey on businesses that are ill-prepared for an attack. That’s why an ounce of prevention is worth a pound of cure. Just as you have made food safety an integral part of your quality assurance program, you need to also make cybersecurity a part of your operation. Improving security is a lot less expensive than dealing with a data breach.
Why is the holiday season a potential risk for restaurants and small merchants?
Laura Chadwick: The holiday season is the busiest time of the year and can be overwhelming. It is the time of year when a restaurant can get so busy that they let their guard down when it comes to payment security practices. Criminals know this and look to exploit this busy time of the year. In some cases, cyber criminals who have identified vulnerabilities in the payment system of a business wait until the holiday season to exploit them in the hopes the busy shopping season provides them cover to slip in and out of your payment system without being detected until it is too late.
This holiday season is expected to be especially hectic, as holiday sales are estimated to grow 3.8%-4.2% over 2018. That means more sales, but it also means more opportunities for criminals. This is the time of year when some businesses put off patching, fail to monitor remote access security protocols, and delay payment security issues until next year. As we have seen too often, businesses that do not prioritize payment security during this time end up being breached. Making payment security a holiday priority is important and should be part of your holiday business plan.
What tips and best practices should restaurants be aware of during the busy holiday season?
Troy Leach: There are many things a restaurant and small business can do to better protect themselves during the holiday season. The PCI Security Standards Council suggests the following tips for merchants this holiday season:
- Be alert – Be on notice that attacks could happen. Too many small businesses, such as a family-owned restaurant, do not even think of themselves as being a potential target. Today, businesses of all sizes need to take payment security seriously. The attacks are automated and do not discriminate on the size of the organization. Small merchants are particularly vulnerable.
- Passwords – Make sure you eliminate all default passwords and use passwords of good length and complexity. Weak passwords are one of the leading causes of data breaches. This is one of the easier things to fix. Don’t let the criminals have easy access to your payment systems because of something as simple as a poor password. View an infographic on strong password practices for more information.
- Patching – This has made headlines in recent years with several data compromises as a result of not updating to the newest version of software. Stay up-to-date on the latest patches that are available for known vulnerabilities. Do not put off patching until after the holiday season. If you have a vulnerability, after the holidays will be too late. The criminals are counting on you to put this off until next year; make it a priority now. Take a look at this resource for more information on patching best practices.
- Remote Access – Pay particular attention to third-party access to your payment data system, the privilege level of that access, and removing access when no longer needed. This requires monitoring and vigilance. This resource on secure remote access has more information.
- Inspect Payment Devices Regularly – For in-restaurant payment devices, have employees inspect point-of-sale payment terminals every day, as skimming devices could be added in a matter of seconds. A good practice is to inspect the terminals at the beginning and ending of each shift. Enlist the help of your employees, who are the front line of defense against point-of-sale terminal tampering.
- Train your temporary employees – The busy holiday season is a time when many employers hire additional, temporary staff. Make sure your temporary workers are well trained on good payment security practices and are on guard for fraudsters during this hectic season.
Where can restaurant owners and managers get more information about ways to better secure their payment data?
Troy Leach: The PCI Security Standards Council has free, dedicated resources designed to help small merchants, like those in the restaurant business, to better understand the threats they face and the good security practices that can help them to better protect themselves and their customers.
Laura Chadwick: Likewise, we at the National Restaurant Association have put together materials designed to help those in the restaurant industry better understand cybersecurity risks and provide helpful tips. Those resources represent a great starting point for restaurants that are looking for guidance when it comes to implementing good cybersecurity practices.
Helpful Resources from PCI Security Standards Council and the National Restaurant Association:
- PCI Security Standards Council's Small Merchant Microsite
- PCI Security Standards Council's Guide to Safe Payments
- Cybersecurity 101: A Toolkit for Restaurant Operators
- Cybersecurity 201: The Next Step
- Watch (English): Troy Leach talks about cybersecurity around the Holiday Shopping Season