How to Avoid Costly Data Breaches

We recently published a blog post on the effect of data breaches on small businesses. Last week, data security was in the news again when PF Chang’s confirmed that it had been the target of a data breach involving customers’ credit and debit card numbers. This news comes on the heels of many other high-profile breaches, including the massive one that hit Target late last year. These breaches reinforce the findings of the recent Verizon Data Breach Investigations Report, which showed that the hospitality industry, especially small restaurants, had the highest number of breaches among all the industry segments measured in both 2011 and 2012, and that retail, again mostly smaller operations, was the most targeted industry in 2013. What is perhaps more frightening about the PF Chang’s breach is that it may have gone undetected for nearly a year, and the size and scope of its effects are still not clearly understood. What is certain is that an incident like this can damage your reputation whether you are a large operation or a small one.

POS systems have proven to be prime targets for hackers and data thieves, so the restaurant and retail industries need to emphasize preventive action. In addition to maintaining PCI compliance, there are a number of steps you can take to protect your business from a costly data breach. We have listed some best practices below:

  • Restrict remote access
    • Stolen vendor credentials were on the rise in 2013. One of the biggest problems was vendors using the same remote-access password for every organization they managed, so a single stolen credential opened every customer’s POS. Limit remote access into POS systems by third-party management vendors to reduce this risk.
  • Maintain customer privacy
    • Full credit card numbers should never be stored in plain text. Ensure that your terminal truncates card numbers and shows only the last four digits on receipts. Visa® and MasterCard® regulations also prohibit merchants from recording personal information on the sales receipt/draft, because that information combined with the account number on the draft could be used to commit fraud. Keep cardholder account data and personal information separate and under tight security. It is critical that CVV2 card validation codes are never written down, recorded or stored, electronically or manually, under any circumstances; PCI DSS treats the CVV2, full magnetic-stripe track data and PIN data as sensitive authentication data that must not be retained after authorization, even in encrypted form. Finally, card numbers and cardholder account information should never be transmitted by email or over unsecured gateways.
  • Do not log PINs
    • Although a PIN is protected in encrypted (enciphered) form inside the transaction message, it must not be retained in transaction journals or logs once the PIN transaction has been processed.
  • Enforce strong password policies
    • Make absolutely certain that no password used for remote access to POS systems is a factory default, your POS vendor’s name, a dictionary word or otherwise weak. If a third party manages remote access, require and verify that this is done, and make sure they are not using the same password for their other customers.
  • Restrict personal use on your business equipment
    • Do not browse the web, read email, use social media, play games or do anything other than POS-related work on POS systems. A browser or email client on the terminal is the easiest way for malware to reach it.
  • Make sure any online access to your reporting or POS management is always protected by TLS (still commonly called SSL)
    • PCI DSS requires that cardholder data be encrypted with strong cryptography while it is transmitted over open, public networks; 128-bit keys are the conventional minimum. The primary reason to use TLS is to keep sensitive information encrypted in transit so that only the intended recipient can read it. This matters because anything you send over the Internet passes through many computers on the way to the destination server, and any of them could read your card numbers, usernames, passwords and other sensitive information if the connection were not encrypted. The server’s certificate is what lets your browser confirm it is talking to the real reporting server rather than an impostor; the encrypted TLS session then makes the data unreadable to everyone except that server. Together these protect it from eavesdroppers and identity thieves. Note that SSL itself and TLS 1.0 are no longer considered strong cryptography under PCI DSS and should be disabled on both the portal and the terminals; look for https:// and the padlock in the browser, and never click through a certificate warning.

As more and more restaurants start taking these actions, hopefully the industry will be a little less vulnerable. Regardless of the statistics, what’s important is that you’re not one of them.