December 19, 2016 | By David Denney, Denney Law Group
It seems these days that not a month goes by when one does not hear about a major company’s network infrastructure being hacked. Major retailers (including bars and restaurants), insurance companies, payment systems and even Experian, the credit reporting agency, have been victims of cyber attacks resulting in the theft of the personal information of millions.
Bars and restaurants have historically been vulnerable to cyber attack due to an inherent lack of security infrastructure industry-wide. Most independents and small companies with whom I speak believe that since they are not substantial multi-unit organizations, they are more likely to fly under hackers’ radar. But that belief presupposes that hackers are not tempted by low-hanging fruit.
Various studies and surveys indicate that 80 percent or more of the point-of-sale transactions in bars and restaurants are made with debit and credit cards. With some operators considering doing away with cash altogether, the need for data security in our industry is greater than ever.
Even when they want to protect their guests’ private information, many operators simply do not know how to determine whether they are secure. The “payment card industry” (that is, the card companies acting together) has developed a set of “data security standards” to be used by businesses that accept payment cards. First, select a secure credit card processor and enlist their help in moving forward. You can hire a qualified security assessor who will determine your “classification level” for compliance – larger companies with more transactions have higher security standards. From there, you will determine where payment card data resides in your business, how to protect it and what options are available to ensure data security in transactions, e.g., encryption or tokenization of card data.
Some things you can immediately do include:
- Adopt EMV “chip card” technology at your point-of-sale.
- Restrict personnel with access to payment transaction data to a minimum (no more shoeboxes of receipts in the office).
- Ensure your Wi-Fi network is secure, firewalled, and that there are no foreign devices plugged into the USB or other ports of your computers. The computer at the host stand is a tempting target for evildoers who would plug a thumb drive into your machine.
- Separate free guest Wi-Fi from the network where your business data resides.
- Consider data breach or “card compromise” insurance.
Losses from a data breach – even a small one – can be severe. Examples are cardholder damages, costs of credit monitoring services, lawsuits, fines and fees (card replacement fees, bank’s attorney’s fees, etc.) and, perhaps most damaging, the loss of reputation and guest confidence.
PCI compliance can seem daunting, but with a few steps you can obtain the peace of mind that comes with knowing you are safe from the ever-increasing threat of cyber attack in your business. The threat is very real and is not going away.
David Denney is a Dallas-based attorney and founder of the Denney Law Group, a Nose-to-Tail-Law Practice®, which counsels its many restaurant and bar clients in practice areas including business formation and private equity funding, intellectual property, employment, beverage alcohol licensing and business litigation.