One needs to look no further than all the ink spilled over the recent data breach at a major film studio to understand that the threat of cyber fraud is here to stay and likely to become more brazen with each succeeding attack. The bad guys, often state-funded hoodlums, organized crime or rogue states, are sophisticated, clever and patient. And the mess they leave in their wake—damage to a brand, loss of customer trust, erosion of sales—often is considerable and irreparable.
Like any industry that relies heavily on credit card payments, foodservice lies firmly within the crosshairs, especially smaller merchants who typically don’t have the technical knowledge or resources to protect payment data against today’s clever cyber hackers.
In 2006, to fight the rising incidence of data breaches, five global payment brands—American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc.—joined forces to create the PCI Security Standards Council, an open global forum responsible for the development, management, education, and awareness of the security standards for the payment card industry. From this sprang the Payment Card Industry Data Security Standard (PCI DSS), a set of 12 requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment.
Companies that ignore the PCI DSS standards do so at their own peril.
“According to a recent Verizon report that examined every major breach over the last decade, all of the data compromises, every single one, was preventable,” noted Stephen Orfei, General Manager, PCI Security Standards Council, as he walked the audience through his presentation “Payment Card Security: What You Need to Know” at the NRA Show 2015. “Not one merchant compromised was found to be in compliance at the time of compromise.”
The same report goes on to identify areas of weakness that led to breaches, including poor logging, not keeping up with software patches, inconsistent security policies and the amount of information being stored.
“If your business pays attention to the fundamentals,” continued Orfei, “you’ll have a very good chance of mitigating and defending against cyber attacks.”
Also critical to protecting the foodservice industry are three emerging technologies, each promising to add complex layers of security at the point of sale:
EMV—available for almost a decade in Europe and currently rolling out in the U.S., this technology utilizes a chip embedded in a payment card that, when run through an EMV-enabled terminal at the point of sale, completes a digital handshake via a set of specific commands to authenticate the card.
Point-to-Point Encryption—when a payment card is swiped through a card reader enabled with this technology, the information is instantaneously encrypted before being electronically routed to the issuing bank for authorization, thus rendering the data completely secure against hackers.
Tokenization—utilized by Apple Pay, this technology replaces sensitive data (such as a payment card number) with a non-sensitive equivalent, called a token, which then has no exploitable meaning or value to anyone outside the transaction chain.
“There’s an endgame here in the payment space,” noted Orfei. “If you devalue the data so that it’s useless in the hands of [the bad guys], then they have no reason to break in.”