Don’t be a target for hackers
While most restaurant owners accept credit and debit cards, very few understand the financial strain that may result if data thieves break into the computer system used to process card payments. This article provides a brief overview of what happens when a breach occurs and three common mistakes that make restaurants easy targets for cyber criminals, along with simple steps that can be taken to avoid them.
When (not if) a breach occurs
At the outset, it is important to understand that the question is not “if” a restaurant will have a breach of its card-payment computer system, but “when” it will have a breach. Cyber criminals target businesses with a high volume of credit and debit card transactions, like restaurants. Restaurants, as compared to financial institutions, are attractive targets because they tend to have less robust security systems. Because profit margins often are thin, restaurants also tend to have a small appetite for learning about and implementing measures to prevent, recognize and catch cyber criminals.
Generally, restaurant computer systems are viewed as easy to breach, even though all restaurants are required to comply with are the Payment Card Industry Data Security Standards (PCI DSS) to help protect cardholder data. The 2011 Data Breach Investigations Report (a study conducted by the Verizon RISK Team with cooperation from the U.S. Secret Service and the Dutch High Tech Crime Unit) reports that 89 percent of businesses suffering a credit card breach were found not to be PCI DSS compliant at the time of the breach. Restaurant budgets are limited, and most restaurants cannot afford the precautions taken by other high-volume credit card transaction businesses, such as financial institutions or health care operations. Also, the way the restaurants’ credit card payment systems operate may create vulnerabilities.
Restaurants use one of a few vendors in their local areas to obtain point of sale (POS) software, hardware and services. Thus, if a cyber criminal accesses the local POS vendor, the criminal likely will have easy access to most of the restaurants the POS vendor serves. Also, if a cyber criminal finds a vulnerability in the POS software, the criminal may exploit the vulnerability to access multiple restaurants that use the same POS software. Finally, and most significantly, many restaurant owners do not appreciate the importance of taking steps to enhance computer security. As a result, cyber criminals often find it simple to access and steal credit card and frequent-guest information from restaurant computer systems.
Usually, a restaurant owner becomes aware that the restaurant’s system has been breached when the restaurant is notified by a card processing company that the restaurant may be the source of a breach. The letter specifies that, within about five days, the restaurant must hire an authorized computer forensic vendor to investigate the breach and analyze the restaurant’s computer system. If the restaurant does not comply, it likely will not be permitted to process credit card payments. Generally, the computer forensic vendor’s investigation will cost at least $15,000.
Additionally, and often more significantly from a cash flow perspective, the restaurant’s contract with the credit card processing company often permits the processing company to collect and hold back funds from the restaurant’s credit card transactions. These funds, which are designated to cover any fine or charge-back that may be assessed by the credit card companies if there is a breach, are collected from the restaurant’s daily transactions, sometimes without the restaurant’s knowledge. By the terms of the contract, the amount of funds to be collected and held often is explicitly or functionally at the discretion of the credit card processing company. Hundreds of thousands of dollars are frequently collected and held pending the credit card companies’ determinations as to whether any fine or charge-back will be assessed, which may take six months to a year.
Any restaurant faced with a $15,000 computer forensic audit and holdback of funds in the hundreds of thousands of dollars from daily credit card transactions will face a significant financial strain. Cash flow may be impacted to the extent that loan covenants are triggered, causing further strain on the restaurant’s operations. There are many steps that can and should be taken to protect a restaurant in these circumstances, and it often is possible to obtain relief through negotiation. That said, no restaurant wants to face a cash flow crisis that could have been avoided.
Top three mistakes that lead to breaches
Through its significant experience in advising clients of all sizes in many industries on how to respond to data breaches, Wilson Elser has identified three common mistakes that make restaurants easy targets: (1) failing to install and regularly update anti-virus software, (2) permitting remote access with weak security and (3) using standard, vendor-supplied passwords or multiple users with the same ID and password.
Install and regularly update anti-virus software
Simply stated, anti-virus software that is installed and regularly updated provides a basic level of protection. More significantly, if a restaurant does not have current, updated anti-virus software when it has a data breach, the restaurant will not be PCI DSS compliant and the credit card company will likely impose a fine on the restaurant.
We often work with restaurant owners who did not buy an upgrade because their existing software was working. It would be wise for restaurant owners to take the necessary time to understand the reasons why an upgrade is being sold, and whether the upgrade is necessary to be compliant with PCI DSS. Vendors selling upgrades often need to do a better job of differentiating between upgrades that are “nice” because they improve functionality and upgrades that are necessary for PCI DSS compliance.
Limit remote access and require robust security
Many breaches take place when a cyber criminal is able to access a computer system remotely by masquerading as an authorized user. Restaurant owners and their vendors (accountants, outsourced IT, etc.) frequently access a restaurant’s computer system through one of many commonly used remote access software programs. Cyber criminals also like these programs. Many cyber criminals will search for systems that use remote access software and when they find one, will attempt to access the system using standard and common passwords. Many computer systems are easy to breach because default passwords remain in place. Don’t make this mistake.
When considering remote access, decide whether accessing the restaurant’s computer system without being in the restaurant is necessary or merely convenient. If remote access is not necessary, it may be worthwhile to live with the inconvenience.
Address security in clear terms if remote access is necessary. If your vendor needs remote access, will they accept contractual responsibility if the remote access enabled for them is the source of a breach? How will you make sure that they accept responsibility timely so that the cash flow drain caused by the breach does not negatively impact the restaurant?
Make sure each user has a unique id and password
Make sure that each person who has access to the computer has a unique user ID and a password that is not the default password. Each employee of a vendor who accesses your system also should have a unique user ID and password. To enhance password security, it helps to require use of a character, a number and/or a capital letter. If numerous employees share the same ID and password, the system is not secure and can be readily hacked by anyone—including a disgruntled former employee or a former employee who needs cash and is willing to sell the information. Make sure that user IDs and passwords are disabled when employees stop working for the restaurant.
Unique user IDs are essential to strong, secure operations. If a computer forensic investigation of a breach shows that a specific user accessed and downloaded credit card numbers, and the system was not hacked, it will not be possible to prove which employee is at fault if several employees routinely use the same ID and password.
When an employee hacks the system and misuses credit card information, most restaurant owners want to terminate the wrongdoer’s employment quickly. Many want to prosecute the wrongdoer to the full extent of the law. If multiple employees are permitted to use the same user ID and password, corrective action will be complicated and prosecution may not be feasible.
There are many steps that restaurant owners can take to make it harder for cyber criminals to breach a restaurant’s computer system. Your restaurant will be a less attractive target for cyber criminals if you follow the three key steps described in this article, as part of PCI DSS compliance, and keep informed of upgrades and changes to the software you use. Taking steps now will pay when a breach happens, as well-documented compliance efforts make it less likely that a fine will be assessed and more likely that the credit card processing company will provide some relief in the amount of money that is held back.
This report was reviewed for legal accuracy and updated in 2017 by Wilson Elser Moskowitz Edelman & Dicker LLP.