How Can Restaurants Protect Themselves from Data Breaches?

By Chris Gray ·

Last week, ABCNews.com published an article discussing a new study in which Visa identified restaurants as the most likely sources of credit card theft.  An estimated 40 percent of all credit card theft occurs at these dining locations – more than any other location.

Multiple factors make restaurants preferred targets.  With over 935,000 retail food outlets in the United States, the restaurant industry services more than 192 million customers daily. To address security issues, major eatery chains must make an incredible effort to make changes to the existing systems and infrastructure across the nation. If the resources to make these modifications are not made available, this can lead to the use of older, less secure, and inconsistent implemented systems and applications.  Some business models support both corporate and franchise operations, further increasing the likelihood of inconsistent controls.  Lastly, for most people, restaurants are likely the only merchants that regularly accept customers’ credit cards and physically remove them from the sight of their owners during processing.

How can corporations and individual restaurateurs address these problems and make their customers’ data more secure?

It is easiest to reduce the opportunity for credit card compromise when you realize that thieves cannot take what you do not have.  The Visa study indicated that restaurant organizations were retaining excessive cardholder data.  Wherever possible, companies must ensure that they retain the absolute minimum number of sensitive data elements.  All other instances of cardholder information should be decreased, reducing the attack surface for malicious activity.

As companies that succeed or fail based on customer satisfaction, food service organizations often attempt to find new ways to improve the overall customer experience.  In some cases, offerings such as complimentary WiFi access can actually lessen the security of the environment.  Companies must evaluate new or improved services that they offer to their clientele against the risk that these opportunities may offer.  By practicing proper risk-based decision making, the organizations can identify ways to make their customers’ time in the restaurants more enjoyable while still offering effective safeguards against cardholder data compromise.

Although many companies required to comply with standards such as the Payment Card Industry’s Data Security Standard (PCI DSS) agree that the requirements are often difficult to satisfy, these organizations also agree that compliance increases their ability to protect their customers’ information.  Consistent application of the provisions of the DSS will greatly increase the overall security and resilience of the dispersed networks so common amongst restaurant brands.  A recent article in StorefrontBacktalk.com references how the most recent PCI compliance reports, however, show that, even with the increased concern over cardholder data theft, the overall compliance rates have remained relatively consistent.  Whether the restaurant is family-owned or part of an international food service chain, every effort should be made to achieve consistent, effective compliance and improve these rates.

Finally, while most thefts occur by system compromise, employees are still a potential risk. Security awareness training teaches personnel how to act and, often even more importantly, how to recognize when things are not being done properly.  As the front line representatives of the restaurant, the employees are the most effective defense against many compromise vectors.

Chris Gray

Vice President, Enterprise Security and Risk

Chris Gray is the vice president for Optiv's enterprise security and risk practice with over 15 years of experience in information technology, information security and information risk management. He leads the team in achieving customer requirements with implementing information security, risk management and compliance management programs.