Headache or not, improving card data security a necessity, panelists agree


ATLANTA —Operators and their technology suppliers must come to grips with new payment card data security standards, as card fraud and identity theft continue to pose an increasingly serious problem for the industry.

That was the upshot of a panel discussion about the controversial Payment Card Industry Data Security Standards, or PCI DSS, during the International Foodservice Technology Exposition, or FS/TEC, here.

As troublesome or costly as meeting PCI DSS requirements or otherwise securing data networks and in-store systems might be, failing to act could cost more, said panelist Nick Ibrahim of Maryville, Tenn.-based Ruby Tuesday Inc.

“If you’re a chain, and you have a security breach, you’re done,” said Ibrahim, chief information officer for Ruby Tuesday’s 930-unit, namesake casual-dining chain. “[Card issuer] fines will be the least of your concerns. Fifty [percent] to 60 percent of the business in casual-dining restaurants is done through credit cards. Nobody can afford to have customers stop coming in because they’re afraid to use a credit card.”

The PCI DSS standards were developed by a council formed by five major credit card companies: American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International.

Bob Russo, general manager of PCI security for the standards council, called the development of PCI DSS a milestone, and explained that it contains 12 requirements for operators seeking to come into compliance. Among the requirements are the need for merchants to “install and maintain a [network] firewall” and encrypt any cardholder data transmitted across open, public networks.

Russo said the council does not prescribe any particular system for operators attempting to secure their data. Rather, it is up to each operator how he chooses to comply with the standards.

However, Tracy Libertino, managing director, consulting for Accuvia, said many operators are confused about what is required of them under the new standards. “A restaurateur will come to us and say they have to fill out a questionnaire, and they just missed the deadline,” Libertino said. “Suddenly the bank is telling them that their fees are going to be increased” for noncompliance.

Terence McCarthy, senior channel manager for data security consultant and auditor TrustWave, agreed that confusion among operators is common. “Most don’t understand what [data] they’re storing” in point-of-sale systems, he told FS/TEC attendees. “In the 300 forensic cases we’ve been involved in, we’ve often found ‘track data’ in the system—and the merchants don’t even know it’s there.”

Libertino concurred that many operators are not aware that their systems are storing data from the magnetic stripe on the back of a payment card, or so-called “track data.” Track data include cardholder names, account numbers and encrypted personal identification numbers.

“If you have track data stored” on an unsecured computer or network, she said, “someone can steal customer data.”

Ruby Tuesday’s Ibrahim summed up the attitude of some operators toward the new standards when he called himself “a victim just like you guys.” Many operators have complained that the standards are vague or “a moving target” for which achieving compliance is costly because it can entail upgrading network or POS components and incurring third-party audits.

After examining the challenge of complying with the new standards, Ibrahim said his company decided to eliminate card data storage in its restaurants and at headquarters. Among other things, the chain’s new security strategy includes using AES encryption, dealing directly with the company’s merchant bank to bypass middlemen credit card processors and using transaction authorization numbers made up of three hash marks and the last four numbers of the payment card used.

“We took it to the extreme,” Ibrahim said. “We don’t keep any numbers in the system.”
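Two of the panel's points lend themselves to a concrete check: McCarthy's and Libertino's observation that merchants keep track data in POS systems without knowing it, and the truncated "three hash marks plus last four" reference that Ibrahim describes Ruby Tuesday keeping instead of the card number. The script below is an added example, not code from the article, the PCI council, or any of the companies named; it scans a constructed POS debug log (a sample written for this example) for track 1 and track 2 patterns, applies the Luhn check to weed out lookalike numbers, reports only the truncated form, and shows how the same patterns can be used to redact an existing file. The regular expressions are approximations of the ISO/IEC 7813 track layouts and the log format is assumed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of a POS debug log (not from the article or any vendor):
# the kind of file the panelists say merchants keep without knowing it holds
# track data.  4111111111111111 is a widely published test PAN, not a live card.
SAMPLE_POS_LOG = """\
2007-02-14 18:02:11 txn=8812 auth=OK amount=42.17 ref=###1111
2007-02-14 18:02:11 txn=8812 DEBUG raw=%B4111111111111111^DOE/JANE^25121011000000000?
2007-02-14 18:05:40 txn=8813 DEBUG raw=;4111111111111111=25121011234567890?
2007-02-14 18:07:02 txn=8814 DEBUG raw=;1234567890123456=2512101000000?
2007-02-14 18:09:55 txn=8815 auth=OK amount=9.50 order=1234567890123456
"""

# Approximations of the ISO/IEC 7813 magnetic-stripe track layouts:
#   track 1: %B<PAN>^<NAME>^<YYMM><service code>...?
#   track 2: ;<PAN>=<YYMM><service code>...?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})")


@dataclass
class Finding:
    line_no: int
    track: str        # "1" or "2"
    masked_pan: str   # only the truncated form is ever kept or reported
    expiry: str       # YYMM as found on the track
    luhn_ok: bool     # False: probably not a real PAN, review before escalating


def luhn_valid(pan: str) -> bool:
    """Mod-10 check that every payment card number satisfies; filters lookalikes."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to the form the article attributes to Ruby Tuesday: ### plus last four."""
    return "###" + pan[-4:]


def find_track_data(text: str) -> list[Finding]:
    """Return one Finding per track-formatted record, without retaining the full PAN."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in TRACK1_RE.finditer(line):
            findings.append(Finding(line_no, "1", mask_pan(m.group(1)), m.group(3), luhn_valid(m.group(1))))
        for m in TRACK2_RE.finditer(line):
            findings.append(Finding(line_no, "2", mask_pan(m.group(1)), m.group(2), luhn_valid(m.group(1))))
    return findings


def redact_track_data(text: str) -> str:
    """Replace every PAN inside a track pattern with its truncated form."""
    def _mask(m: re.Match) -> str:
        return m.group(0).replace(m.group(1), mask_pan(m.group(1)), 1)
    return TRACK2_RE.sub(_mask, TRACK1_RE.sub(_mask, text))


if __name__ == "__main__":
    for f in find_track_data(SAMPLE_POS_LOG):
        flag = "" if f.luhn_ok else "  (fails Luhn, likely not a card number)"
        print(f"line {f.line_no}: track {f.track} data, PAN {f.masked_pan}, exp {f.expiry}{flag}")
```

Run against the sample, the scanner flags lines 2 and 3 as genuine track 1 and track 2 records for the same test card, flags line 4 as a track-shaped record that fails the Luhn check, and leaves the already truncated `###1111` reference on line 1 and the Luhn-invalid order number on line 5 alone. Redaction is a cleanup step for files found this way; it does not replace fixing the POS configuration that wrote the track data in the first place, which is the point the panelists make.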

He said one benefit from the changeover is that Ruby Tuesday’s auditors have less work to do in their quarterly and annual audits, which enabled the chain to negotiate lower prices.

Though he is not looking forward to securing wireless networks and portable payment terminals, Ibrahim said the need to block card data skimming by larcenous employees might soon make tableside transaction settlement the norm.

McCarthy of TrustWave said his company has yet to be called to conduct a forensic investigation, or inquiry after a data breach, by a business that is PCI DSS compliant. “So compliance does work,” he said.