Organizations in certain sectors, including health care and government, seem to walk around with bull's-eyes on their backs that hackers continually target. However, retail, hospitality and food industries are coming under increasing fire from cyberattackers as well.
In the past few months, several high-profile breaches have impacted the restaurant industry, not the least of which is Landry's, one of Chicago's most prominent restaurant groups. Cybercriminals were able to install malware at dozens of locations, resulting in the theft of customer credit card data.
More recently, Wendy's franchises across the U.S. were struck with point-of-sale malware, resulting in a law suit being filed in Florida. In another incident, a decision regarding a more localized breach of Five Guys franchises in New York has determined that the chain is not eligible for any insurance money in the aftermath of a 2011 breach.
These are only morsels upon a much larger smorgasbord of recent food industry breaches, but the message is clear: Hackers plus restaurants equals a recipe for disaster.
Here are three essential ingredients for improved restaurant cybersecurity:
"SSL encryption must be viewed as a necessity."
Restaurants are increasingly turning to mobile and Web applications to improve the customer experience. Patrons can reserve tables and place orders from their phones. Real-time updates will tell them when their food is en route, or when their table has become available. While the convenience of these systems is undeniable, saving customer contact information and retention of payment data gives cyberattackers greater incentive to target the industry.
As such, it's vital that restaurants rely on strong encryption tactics to ensure that if hackers were somehow able to breach their systems, they wouldn't be able to make sense of any stolen information. Likewise, to prevent fraudulent Web activity and to better safeguard payment portals from various strains of malware that could compromise customers paying online, SSL encryption must be viewed as a necessity, not as an extra precaution. The point-of-sale terminal tends to be the road most traveled when it comes to restaurant breaches, but by no means is it the only way to Rome.
"By now, every restaurant should be using EMV chip card readers."
By now, every restaurant should be using EMV chip card readers. The beauty of the magnetic stripe is the quick-swipe capability. Bank data, personal information and credit card numbers are all stored on the stripe – but cardholders all too often pay for this convenience.
Once this information is transferred to the POS, a business basically has the keys to your bank or credit card accounts. If they get breached, their customers get breached. EMV chip cards, on the other, generate a one-time password for every transaction to authenticate the purchase, which makes it much harder for a POS breach to result in payment information theft.
It sounds great, but the only problem is that the majority of restaurants have been slow to make the transition to EMV card readers, according to Orlando Sentinel contributor Kyle Arnold. Given the significant number of hotels, retailers and restaurants that have been breached by POS malware in the past year or so, not switching to EMV card readers at this point is either hubris or just sheer stupidity – especially since merchants will be liable under October 2015 Payment Card Industry Data Security Standard provisions.
Mobile devices aren't just being used by customers anymore. Restaurant employees are increasingly using tablets at check-in or even as the new POS. These devices are ideal in their multi-functionality as well as their mobility. But every convenience comes with a caveat. Mobile devices can be lost, stolen and hacked. They can be just as vulnerable to the multitudes of memory-scraping POS malware as the standard desktop-based payment system.
Of course, the inverse is also true: Mobile devices can be protected by the very same multi-factor authentication tools that have been used to safeguard desktops in the enterprise. Restaurateurs can include a base user login and password that, once correctly entered into the POS tablet, laptop or smartphone will send a text or email to the authenticated user with a one-time password.
It is only with this OTP that the user can successfully log onto the restaurant's system. Even if a sneaky customer somehow stole the mobile POS, they wouldn't actually be able to access the information thanks to this innovative approach to mobile device management.
It's unlikely that the flurry or headlines regarding restaurant data breaches will dissipate any time soon. But with a smart approach to cybersecurity, your business won't be in any of them.