The increasing susceptibility of restaurants to data breaches is becoming more evident, especially within the last few months as more breach stories arise in the news. One of the most recent stories, in which four Romanian residents remotely hacked the Point-of-Sale (POS) systems of over 150 Subway restaurants and other merchants, has proved that restaurants and other businesses that process cardholder data must take extra precautions to avoid a breach. These hackers used a system that scanned for vulnerable POS systems. Thanks to unsecured remote access packages and card swipes with minimal encryption within the POS system, many Subway franchises became easy prey for these predators. In another recent case, unprotected systems made it easy to install malware that siphoned away credit card data without being noticed for two years.
Consequences of Neglecting Data Security Standards
Vulnerable merchant POS systems remain one of the most popular entry points for hackers. According to an article on bankinfosecurity.com, Jerry Silva, founder and financial-services technology strategist for PG Silva Consulting, said that “compliance with the Payment Card Industry Data Security Standard is the best way to prevent cardholder compromises.” Even so, many merchants are still not completely PCI compliant, if at all. Many of the compliance standards that were designed to protect card-processing businesses and their clientele are being neglected within the restaurant industry, and these organizations are suffering severe consequences.
According to a report released by Verizon Business, the POS system of an unidentified U.S. restaurant chain was breached because the company hired to install the POS system neglected to change the system's default passwords. This mistake made entry easy for the hackers, who were said to have been siphoning card data over an extended period of time without being detected. The same unidentified restaurant chain also failed to encrypt card data that was being stored within its POS system. Leaving data unencrypted makes personal data extremely vulnerable even if your POS passwords are seemingly secure, because hackers have a wide variety of password cracking methods at their disposal. These techniques range from sophisticated malware attacks to simple guessing, all of which have proven to be effective.
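Both failures in this report, default passwords left in place by the installer and cardholder data sitting in storage in the clear, are things a merchant can audit for before an attacker finds them. The script below is an added example written for this page, not code from the article, from Verizon Business or from Omega. It assumes a hypothetical POS account configuration and a hypothetical storage dump; the default-credential list, the configuration and the log lines are all constructed for illustration, and the one full card number used is the well-known Visa test number.

```python
import re

# Constructed list of generic default credentials for this example (an assumption,
# not a vendor list from the article). A real audit would load the vendor's
# documented defaults for the POS product in use.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("pos", "pos"),
    ("manager", "1234"),
}

# Constructed (hypothetical) POS account configuration.
SAMPLE_CONFIG = {
    "accounts": [
        {"user": "admin", "password": "admin"},          # installer never changed it
        {"user": "manager", "password": "Wk!9s#Lp2"},    # rotated after install
        {"user": "remote_support", "password": "1234"},  # weak, but not a known default
    ]
}

# Constructed (hypothetical) storage dump. One line holds a full PAN in the clear
# (the Visa test number), one holds a properly truncated PAN, and one holds a
# 16-digit order id that must not be flagged.
SAMPLE_RECORDS = """\
2012-02-01 12:04:11 txn=88231 pan=4111111111111111 amount=12.40
2012-02-01 12:05:02 txn=88232 pan=411111******1111 amount=8.75
2012-02-01 12:05:40 order=1234567890123456 table=7
"""


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check that card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# A run of 13 to 19 digits not adjacent to other digits: the length range of a PAN.
CANDIDATE_PAN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_plaintext_pans(text: str) -> list:
    """Digit runs of card-number length that also pass Luhn, i.e. likely cleartext PANs.

    Truncated PANs (411111******1111) never form a long enough digit run, and
    plain order numbers usually fail Luhn, so false positives stay low.
    """
    return [m for m in CANDIDATE_PAN.findall(text) if luhn_valid(m)]


def check_default_credentials(config: dict) -> list:
    """User names whose password is still one of the known defaults."""
    return [
        acct["user"]
        for acct in config["accounts"]
        if (acct["user"], acct["password"]) in DEFAULT_CREDENTIALS
    ]


def audit(config: dict, records: str) -> dict:
    """Run both checks and return the findings as one report."""
    return {
        "default_credentials": check_default_credentials(config),
        "plaintext_pans": find_plaintext_pans(records),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG, SAMPLE_RECORDS)
    for name, findings in report.items():
        status = "FAIL" if findings else "ok"
        print(f"{name}: {status} {findings}")
```

Run against the constructed input, the audit reports the `admin` account as still using a default password and flags the one full card number, while the truncated PAN and the order id pass. A non-empty finding in either list is a PCI DSS gap: the first requirement is to change vendor defaults, the second is that stored cardholder data must be protected, and a full PAN that a text search can read is not.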
The result was a severe blow to the chain’s data, checkbook and reputation. These losses could have been prevented if the PCI compliance standards for POS passwords and POS data encryption had been followed. Recently, hackers have been identifying many POS weaknesses within the restaurant industry specifically and are happily taking advantage of them. If POS systems have been proven to be a hot target for hackers and compliance standards have been proven to be an effective way of preventing breaches, why are so many restaurants taking chances with their POS systems?
Reasons Why Standards are Overlooked
Many restaurant chains, as well as petroleum marketers and convenience stores, are far from compliant, and are therefore taking a risk with cardholder data every day.
- Ignorance. Some restaurant owners, especially in smaller operations, are simply unaware of the importance, or even the existence, of PCI compliance standards.
- Waiting. Others are waiting on a command from major brands that never comes.
- Lack of basic knowledge and resources to become compliant. Most often, non-compliant organizations are aware of PCI compliance and its importance, but lack the basic knowledge and resources to get there.
- Cost. Another common reason that restaurants neglect PCI compliance standards and POS security is the cost associated with becoming and remaining compliant. Owners feel that the compliance process will cost them money that they cannot, or do not want to, afford.
- Time. They may also feel that the time their company spends on becoming compliant will eat away at their daily operations and their profit.
A common assumption among restaurant owners is that their third-party processor is responsible for PCI compliance in their POS systems. Do not make this mistake. You are responsible for the implementation and upkeep of PCI compliance within your business. Most third-party processors are ill-equipped to offer you sound advice about security measures or to determine whether your POS system needs extra protection.
Filling out and signing compliance forms without understanding their content is not enough. Becoming PCI compliant involves a lot of heavy lifting and it can be difficult to know where to begin, especially because each work environment is a little different.
How Can We Help?
Omega Security Strategists can help organizations take charge of their compliance situation and decide the best course of action. Choosing a PCI compliance solution like OmegaSecure™ will help secure your POS system, as well as other systems in which personal data is stored. It will help ensure that your business is compliant for minimal cost and with no interruptions to your daily business functions. And with Omega’s breach protection guarantee of $100,000 per merchant, you can rest assured that your POS system is secure at many different levels.
PCI compliance standards were created specifically to help protect cardholder data. Utilizing these standards can help you protect your business’s most useful and most targeted tools: your in-store systems and your network. Pretending that the standards do not apply to you will not make the possibility of a breach go away. Ignoring the risk and hoping that your retail environment will not be breached is not worth it, as small businesses in particular may not survive a breach. By leaving in-store systems and the network unsecured, many restaurants are putting their own survival at risk on a daily basis.
For every workplace, risk reduction is the best course of action. Think of data security as medical insurance for your business: it is absolutely necessary. Protect your whole store and PCI compliance will naturally follow. Make data security part of your business ethics in order to protect your organization and, most importantly, the customers that make your business come alive.
Call us at 636-557-7777 or email firstname.lastname@example.org for more information on OmegaSecure™, the best solution available in the market today in ease of use, completeness in addressing the requirements of PCI DSS, and cost.