ATLANTA -- Operators and their technology suppliers must come to grips with new payment card data security standards, as card fraud and identity theft continue to pose an increasingly serious problem for the foodservice industry.
That was the upshot of a panel discussion about the controversial Payment Card Industry Data Security Standards, or PCI DSS, during the International Foodservice Technology Exposition, or FS/TEC, here.
As troublesome or costly as meeting PCI DSS requirements or otherwise securing data networks and in-store systems might be, failing to act could cost more, said panelist Nick Ibrahim of Maryville, Tenn.-based Ruby Tuesday Inc.
"If you're a chain, and you have a security breach, you're done. [Card issuer] fines will be the least of your concerns," said Ibrahim, chief technology officer, or CTO, for Ruby Tuesday's 930-unit, namesake casual-dining chain. "Fifty [percent] to 60 percent of the business in casual-dining restaurants is done through credit cards. Nobody can afford to have customers stop coming in because they're afraid to use a credit card."
The PCI DSS standards were developed by a council formed by five major credit card companies: American Express; Discover Financial Services; JCB; MasterCard Worldwide; and Visa International.
Bob Russo, general manager for the PCI Security Standards Council, called the development of PCI DSS a milestone and explained that it contains 12 requirements for operators seeking to come into compliance. Among the requirements is that merchants must "install and maintain a [network] firewall" and encrypt any cardholder data transmitted across open, public networks.
Russo said the council does not prescribe any particular system for operators attempting to secure their data. Rather, it is up to each operator how he chooses to comply with the standards.
However, Tracy Libertino, senior director of risk management and security solutions for Accuvia, said many operators are confused about what is required of them under the new standards. "A restaurateur will come to us and say they have to fill out a questionnaire, and they just missed the deadline," Libertino said. "And suddenly the bank is telling them that their fees are going to be increased" for noncompliance.
Terence McCarthy, senior channel manager for data security consultant and auditor TrustWave, agreed that confusion among operators is common. "Most don't understand what [data] they're storing" in point-of-sale systems, he told FS/TEC attendees. "In the 300 forensic cases we've been involved in, we've often found 'track data' in the system — and the merchants don't even know it's there."
Libertino concurred that many operators are not aware that their systems are storing data from the magnetic stripe on the back of a payment card, or so-called "track data." Track data include cardholder names, account numbers and encrypted personal identification numbers.
"If you have track data stored" on an unsecured computer or network, she said, "someone can steal customer data."
Ruby Tuesday's Ibrahim summed up the attitude of some operators toward the new standards when he called himself "a victim just like you guys." Many operators have complained that the standards are vague or "a moving target" for which achieving compliance is costly because it can entail upgrading network or POS components and incurring third-party audits.
After examining the challenge of complying with the new standards, Ibrahim said his company decided to eliminate card data storage in its restaurants and at headquarters. Among other things, the chain's new security strategy includes using AES encryption, dealing directly with the company's merchant bank to bypass middlemen credit card processors and using transaction authorization numbers made up of three hash marks and the last four digits of the payment card used.
"We took it to the extreme," Ibrahim said. "We don't keep any numbers in the system."
He said one benefit from the changeover is that Ruby Tuesday's auditors have less work to do in their quarterly and annual audits, which enabled the chain to negotiate lower prices.
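The two practices the panelists describe, finding magnetic-stripe "track data" that a POS system retained without the merchant's knowledge and keeping only a hash-masked reference to the card, can be checked with a small scanner. The following is an added example written for this article, not code from any of the companies named; the log format, the regular expressions for track 1 and track 2 layouts and the masking form ("###" plus the last four digits) are assumptions, and the card number is the well-known Visa test number, not a real account.

```python
import re

# Constructed sample of a POS log that retained magnetic-stripe data.
# The PAN is the well-known Visa test number, not a real account.
SAMPLE_DUMP = """\
2007-02-14 18:03:11 sale approved amount=42.17 ref=###1111
%B4111111111111111^DOE/JANE^0912101000000000000000?
;4111111111111111=09121010000000000000?
2007-02-14 18:04:02 sale declined amount=9.99 ref=###9999
"""

# Track 1: '%B', PAN, '^', cardholder name, '^', expiry YYMM plus discretionary data, '?'.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})[^?]*\?")
# Track 2: ';', PAN, '=', expiry YYMM, service code plus discretionary data, '?'.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check, used to separate real-looking PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, prefixed with three hash marks (assumed reference form)."""
    return "###" + pan[-4:]


def find_track_data(text: str) -> list[dict]:
    """Return one finding per track 1 or track 2 record found, with the PAN masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for track, regex in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in regex.finditer(line):
                pan = m.group(1)
                if luhn_ok(pan):
                    expiry = m.group(3) if track == "track1" else m.group(2)
                    findings.append({"line": lineno, "track": track,
                                     "masked_pan": mask_pan(pan), "expiry": expiry})
    return findings


if __name__ == "__main__":
    for finding in find_track_data(SAMPLE_DUMP):
        print(finding)
```

Run against real POS log directories, the findings (never the raw PAN) are what an auditor would want to see as evidence that stored track data has been located and purged.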
Though he is not looking forward to securing wireless networks and portable payment terminals, Ibrahim said the need to block card data skimming by larcenous employees soon might make tableside transaction settlement the norm.
McCarthy of TrustWave said his company has yet to be called to conduct a forensic investigation — or inquiry after a data breach — by a business that is PCI DSS compliant. "So compliance does work," he said.