Restaurant operators who think they are vigilant about the security of their customers’ credit cards may want to do some double-checking in the wake of P.F. Chang’s China Bistro Inc.’s reported data breach.
Scottsdale, Ariz.-based P.F. Chang’s confirmed June 13 that data from credit and debit cards used at its restaurants had been breached and it had returned to the use of manual credit card imprinters while investigating the data leak with federal authorities.
The depth and breadth of Chang’s breach appears to be growing. Brian Krebs, founder of the KrebsOnSecurity website that broke news of the Chang’s breach, reported on Wednesday that it “appears to have gone on for at least nine months.”
“New information indicates that the breach at the nationwide restaurant chain began on or around Sept. 18, 2013, and didn’t end until June 11,” said Krebs, which, if accurate, would predate the major Target and Neiman-Marcus credit card breaches during the winter holidays.
“In today’s world, you have to start every day with the assumption that security in computer systems is only temporary in nature,” said Ernesto Rojas, an instructor for the Cyber Security Institute at the University of Houston-Clear Lake.
“The bad actors on the Internet spend all day long in trying to defeat and find weakness in existing software,” Rojas said. “Unfortunately, many software manufacturers cannot keep up with the avalanche of issues. Security in businesses of any size is a full-time effort.”
Nation’s Restaurant News spoke with industry experts to break down what you can do now to protect your customers’ data:
Apply all software updates and patches.
Manufacturers frequently update operating systems and point-of-sale software to tighten security and eliminate weaknesses vulnerable to hackers. “Make sure you download the latest operating system patches and keep all POS software up-to-date,” said Dave Matthews, general counsel for the National Restaurant Association.
Matthews added that for relatively low annual fees, a security vendor can remotely scan all of a restaurant’s external systems’ access points to determine if any are vulnerable to intrusion.
“This service is analogous to having a regular pest control inspection to identify infestations,” Matthews said. “Use a reputable, professional company to conduct these electronic scans regularly.”
Many restaurants leave their firewalls open to outside entry by managers working remotely or vendors who routinely perform maintenance on systems.
Jared Isaacman, chief executive of Allentown, Pa.-based Harbortouch, a supplier of POS systems and payment processing, said “There was an increase in stolen vendor credentials in 2013. One of the biggest problems was the use of the same password for all organizations managed by the vendor. Limit any remote access into POS systems by third-party management vendors to reduce this risk.”
The NRA suggested operators create strong passwords instead of using default codes and change them often. Similarly, always change default firewall settings to allow only essential access, and limit remote access to secure methods such as VPN.
Conduct background security checks on employees.
Ross A. Leo, associate director of professional training and development at UHCL’s Cyber Security Institute said, “Operators need to recognize that the human factors must be addressed with the same vigilance and attention that the automation factors are.”
He pointed to high-profile hacking cases, such as the National Security Administration’s contractor, Edward Snowden, and U.S. Army soldier Bradley Manning, in which one individual was able to penetrate sensitive information.
Leo suggested background checks on potential employees, though he admitted it was difficult to do in a high-turnover industry.
New software patches, Leo said, “are easily obtained and easily applied, but how does one ‘patch’ a human?”
Double-check encryption protocols.
“It is crucial for restaurants to check with their payment provider to verify they are using PCI [Payment Card Industry]-certified point-to-point encryption (P2PE),” said Chris Kronenthal, chief technology officer at Philadelphia-based FreedomPay.
P2PE uses a hardware-to-hardware encryption and decryption process that encodes payment data from the moment of the swipe all the way to the processor, Kronenthal said.
“This ensures that the payment data is never unencrypted in a merchant’s POS, network or memory,” he said.
In addition, Kronenthal said, a PCI-certified P2PE payment solution streamlines PCI Data Security Standard compliance. “Restaurants who use PCI-certified P2PE solutions reduce their PCI compliance audit points from around 300 to 19,” he said.
As restaurants and other merchants move POS systems to the microprocessor chip-embedded EMV (Europay, MasterCard and Visa)-compliant platform, which has an October 2015 deadline, they can bolster security with P2PE at the same time, he said.
“A combo of EMV and P2PE provides restaurants with the best line of defense against hackers and makes economic sense considering the expense of deploying these future-required technologies separately,” Kronenthal said.
Restrict personal use on business equipment.
“Do not browse the web, email, use social media, play games, or do anything other than POS-related activities on POS systems,” Isaacman of Harbortouch said.
Furthermore, the NRA’s Matthews advises that the in-store networks be segmented.
“Make sure your POS data traffic is separate from your Wifi system, security cameras, digital menu boards and other connections,” he said. “If you want to enable managers to connect to the POS via Wifi, connect them through a virtual LAN [local area network] that separates authorized traffic into a security zone.”
Train staff in simple security measures.
“Make sure your staff is well versed in simple security measures such as never writing down credit card information,” Kronenthal said.
In addition, Isaacman said restaurants should make sure full credit card numbers are never stored in plain text and that receipt-printing terminals automatically truncate card numbers, only showing the last four digits. “Also,” he said, “credit card numbers or cardholder account information should never be transmitted via email or unsecured gateways.”
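The two controls Isaacman describes, truncating card numbers to the last four digits and never holding a full number in plain text, can be checked as well as enforced. The following Python is an added example, not code from the article or from Harbortouch: it masks a primary account number (PAN) the way a receipt printer should, and it sweeps POS log lines for any 13- to 19-digit run that passes the Luhn check, which is how a full card number leaking into plain-text storage is usually caught. The log lines and the test card number 4111111111111111 are constructed for the example.

```python
import re

# Constructed sample log lines (not from the article). Line 1 leaks a full PAN,
# line 2 carries a correctly truncated number, line 3 is an unrelated 16-digit id.
SAMPLE_LOG_LINES = [
    "2014-06-11 19:02:11 pos01 sale approved pan=4111111111111111 amount=42.17",
    "2014-06-11 19:03:40 pos01 receipt printed pan=************1111 amount=42.17",
    "2014-06-11 19:04:02 pos02 order_id=1234567890123456 table=7",
]

# Any run of 13 to 19 digits that is not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits):
    """Luhn mod-10 check; filters out order ids and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep only the last four digits, as a receipt printer should."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_plaintext_pans(lines):
    """Return (line number, masked PAN) for every Luhn-valid full PAN found in the lines."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for m in PAN_CANDIDATE.finditer(line):
            if luhn_valid(m.group(1)):
                hits.append((lineno, mask_pan(m.group(1))))
    return hits


def redact_line(line):
    """Rewrite a log line so any full PAN is replaced by its masked form before storage."""
    return PAN_CANDIDATE.sub(
        lambda m: mask_pan(m.group(1)) if luhn_valid(m.group(1)) else m.group(1),
        line,
    )


if __name__ == "__main__":
    for lineno, masked in find_plaintext_pans(SAMPLE_LOG_LINES):
        print(f"full PAN found on line {lineno}: {masked}")
    for line in SAMPLE_LOG_LINES:
        print(redact_line(line))
```

Only line 1 is reported: the order id on line 3 fails the Luhn check, and the truncated number on line 2 is never a candidate. Running `redact_line` over logs before they are written is the cheaper fix, since a scan only tells you a number has already been stored.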
Enforce strong password policies.
Restaurants should make certain all passwords used for remote access to POS systems are not factory defaults, the names of the POS vendor, dictionary words or otherwise weak.
“If a third party handles this, require and verify that this is done,” Isaacman said. “Make sure they are not using the same password for other customers.”
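The password rules in this section (no factory defaults, no vendor name, no dictionary words, and no password shared across the customers a vendor manages) are concrete enough to turn into a check an operator can run, or ask a vendor to run, before remote access is granted. The Python below is an added example and not code from the article, the NRA or Harbortouch; the default-credential list, the vendor name "acmepos", the dictionary words and the per-site credentials are all constructed placeholders, and a real audit would load the actual vendor's default list and a full dictionary.

```python
import re

# Constructed lists for the example; a real check loads the vendor's real
# default credentials and a full dictionary.
KNOWN_DEFAULTS = {"password", "admin", "123456", "pos", "welcome1"}
VENDOR_NAMES = {"acmepos"}                      # hypothetical POS vendor name
DICTIONARY_WORDS = {"restaurant", "kitchen", "summer", "manager", "burger"}


def password_problems(password, username=""):
    """Return a list of policy violations for a remote-access password (empty list = acceptable)."""
    problems = []
    lowered = password.lower()
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if lowered in KNOWN_DEFAULTS:
        problems.append("factory default credential")
    for vendor in VENDOR_NAMES:
        if vendor in lowered:
            problems.append("contains POS vendor name")
    # Strip digits and symbols so 'Summer2014!' is still caught as a dictionary word.
    core = re.sub(r"[^a-z]", "", lowered)
    if core in DICTIONARY_WORDS:
        problems.append("dictionary word with trivial padding")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    classes = sum(
        bool(re.search(p, password))
        for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


def is_acceptable(password, username=""):
    return not password_problems(password, username)


def sites_sharing_passwords(site_credentials):
    """Vendor-side audit: group site names that share one remote-access password."""
    by_password = {}
    for site, password in site_credentials.items():
        by_password.setdefault(password, []).append(site)
    return [sorted(sites) for sites in by_password.values() if len(sites) > 1]


if __name__ == "__main__":
    for candidate in ("Summer2014!", "AcmePOS#Store77", "correct-horse-battery-staple-41"):
        print(candidate, "->", password_problems(candidate) or "ok")
    # Constructed per-site credentials as a vendor's password manager might hold them.
    print(sites_sharing_passwords({
        "store-01": "Welcome1",
        "store-02": "Welcome1",
        "store-03": "xk9-Tq2-mBv7-pL4",
    }))
```

The dictionary check strips digits and symbols before comparing, because a word with a year and an exclamation mark appended is the most common way a "strong" password is still a dictionary word. The reuse audit is the verification step Isaacman asks for: it groups sites by password so a vendor can show that no two customers share one.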
Contact Ron Ruggless at [email protected].
Follow him on Twitter: @RonRuggless