The unfolding digital world has created golden opportunities for those in the restaurant business. From mobile apps to online ordering and reservation platforms, the newer generations are coming to expect these convenient services. Unfortunately, there is a dark side. While overall fraud rates this past year increased by 13 percent, the food and beverage industry saw an increase of 60 percent. In fact, one data breach is happening every day.
Here are just a few of the companies that have been hacked in recent years:
- Equifax. In 2017, 143 million customers had their data compromised. One lesson to learn from this company is how not to address a data breach. During the recovery, the company accidentally directed clients to a phishing scam posing as a security site.
- Chipotle. This is yet another company whose actions many questioned in light of a serious hack in 2017. In April it reported unauthorized activity on a network that supports payment processing. When CNNMoney requested information regarding the scale of the attack in May, a spokesperson said, “Most, but not all restaurants may have been involved.” Now that’s reassuring.
- Sonic. Here again the news came from outside the company: cybersecurity expert Krebs reported that 5 million Sonic customers’ credit card details were put up for sale on Joker’s Stash—a cybercrime website—before Sonic confirmed the breach. To its credit, the company did offer affected customers two years of free fraud and identity theft detection.
- Panera Bread. The big faux pas Panera Bread committed when it leaked personal information on millions of customers, including their email and physical addresses, was how the company reacted after the breach. Although it was first notified of the situation in August of 2017, no action was taken for eight months.
The common thread that runs through these data breaches is this: Not only is it important to protect your customers’ personal data, but how you react once it has been stolen reveals your moral compass and either increases or significantly reduces the level of trust your clients will place in you and your business.
Protecting Yourself and Your Customers
Fortunately, there are preventive measures to put in place before credit card numbers, online accounts, and other private information are stolen, or stolen credit card numbers are used to purchase products. Here are just a few:
- Use an EMV Reader. Since April 2018, when the EMV liability shift went into full effect, businesses (not banks) are liable for fraudulent charges over $25 if the business swipes an EMV (chip-based) card instead of using the chip reader. While slim margins make it difficult for some restaurants to implement this technology, weaker security measures make it easier for people to use stolen cards and commit “friendly fraud,” in which scammers contest charges made with authentic EMV cards at restaurants that do not have EMV readers. According to chargebacks911, 86 percent of all chargebacks are fraudulent.
- Make Sure Your Mobile App Integrates with Your POS System. Ease of use increases both employee performance and customer satisfaction, and integrated mobile payments are also safer: a mobile payment does not transfer your customer’s card data, only a coded version of it. Keep in mind that mobile apps do have vulnerabilities of their own, including possible malware infections or exposure via rogue Wi-Fi hotspots.
- Become PCI Compliant. As you know, if you accept credit cards, you must maintain a secure environment as defined by the Payment Card Industry Data Security Standard (PCI DSS) in order to prevent fraud and data breaches. The PCI DSS Compliance Self-Assessment Questionnaire is a checklist created by the PCI Security Standards Council that can help you validate your PCI compliance. It boils down to these basics:
  - Maintain a secure network—Install firewalls that help keep data from leaving your network, and change default passwords.
  - Protect cardholder data—Use tokenization or encryption when transmitting card data. Both of these processes ensure that the card number is not stored on-site and is protected from hackers.
  - Control access—Restrict access to a need-to-know basis. Assign an ID to each person with computer/POS access. Track and monitor all access.
  - Monitor and test networks and security systems—Work with your IT team or hosting provider to make sure your security protocol is working as planned.
  - Maintain an information security policy—Examples of these types of written policies abound on the internet. Check out PB&J Restaurant’s
  - Set up malware protection—Use up-to-date anti-virus software.
Now that you have a solid line of defense in place, make sure to create a crisis plan should the unthinkable happen and your customers’ data is breached. Quickly minimizing damage and restoring trust is key to your brand’s reputation.