“I’m a restaurant operator,” says Hardee’s (www.hardees.com) franchisee, Lee Staak. “I know how to cook a hamburger and how to deliver a great meal at the drive-thru, but I don’t know very much about payment technology or PCI compliance in general.” Staak has been a Hardee’s franchisee for more than 40 years in Coralville, Iowa, and represents many hospitality enterprises, both big and small, who struggle to keep up with payment technologies and keep their own data — and that of their customers — secure.
“In my restaurant, [credit card transactions] are a critical part of business,” Staak admits. “In the last three or four years, payment by credit card has accounted for more than 40% of my business and is a very important component, not only because it’s so large, but because the average check for those who pay by credit card is several dollars higher than for people who pay by cash.”
Staak, like many others in the hospitality industry, relies on third-party providers to keep transactions flowing properly so that he can focus on the operations of his franchises without getting lost in a litany of confusing jargon and processes. Staak has enlisted the services of ControlScan (www.controlscan.com), a PCI and data security services provider that attends to compliance and security technology such as point-to-point encryption. As a franchisee, Staak pays a nominal monthly fee for ControlScan to provide web-based, Software-as-a-Service (SaaS) control monitoring. “I rely on outside experts to give me what I need,” says Staak. “For a small business guy that doesn’t have the in-house IT staff, this is ideal.”
Chip-and-PIN brings better security amid confusion
Dr. Jonpaul Leskie is another Hardee’s franchisee who is also a technology consultant and business strategist, plus a member of both the Independent Hardee’s Franchise Association Board and the CKE Restaurants Technical Advisory Board. Leskie explains that small business owners often don’t have a clue as to what payment technologies are out there, and in particular don’t understand changes coming with chip-and-PIN technology or EMV payments (Europay, Mastercard, Visa).
“Card technology in the United States centers around the swipe of a card — on a terminal or a point of sale terminal,” Leskie explains. “The technology, however, is changing.” Leskie notes that in Europe and the rest of the world, the EMV model has become the bellwether for global secure payment. The EMV standard started in approximately 1996 as a collaborative agreement between the three entities. By 2010 there were more than 1.2 billion of these cards in circulation around the world. American Express, Discover, MasterCard and Visa have all announced their plans for moving to an EMV-based payments infrastructure in the U.S., with payment processor mandates in place for 2013, and major changes for managing fraud risk set for 2015.
EMV works primarily through “chip-and-PIN” technology, though in the U.S., the standard will be chip-with-signature. The transaction uses a specific point-to-point encryption (P2PE) that makes sure that the cardholder making the payment actually owns the card, protecting against lost or stolen cards. This technology has cut back on the loss of stolen cards and is thought to offer more security. However, the technology has some flaws. While the authentication has reduced the incidence of stolen cards, network breaches compromising data security remain a threat and a problem.
Making the change
Implementing new technology will require patience, but should be worth the wait as the industry needs technology to authenticate and protect against data breaches. “Hospitality has been hit hard in recent years by attackers looking to steal payment data. Right now, I believe the majority of these operators are looking for any help they can get to reduce breaches and the subsequent fraud that often stems from these,” states Bob Russo, general manager of the PCI Security Standards Council (www.pcisecuritystandards.org).
“The Council will continue to provide ongoing guidance and clarification to help hospitality operators meet this goal. We will definitely see an increase in offerings for both EMV and point-to-point encryption technologies. Through our PIN Transaction Security (PTS) program, we list POS terminals that have been tested and validated against our PTS standard and there are already a number of EMV-chip capable terminals on this list.”
Russo encourages merchants considering EMV deployment to refer to the PTS program on the Council’s website. Eventually, merchants will be able to find P2PE applications and solutions that have been tested and validated by the Council (none were approved as of press time).
Larger hospitality chains are starting to implement specific authentication technology at the point of sale and welcome the benefits. Operators are working collaboratively with vendors to fully enable such technology as it will be key to future payment models.
“At Red Lion (www.redlion.rdln.com) we’ve already implemented both tokenization and P2PE,” reveals David Barbieri, senior vice president/CIO with Red Lion Hotels based in Spokane, Washington. Red Lion is vigilant about the effects of new technology on its payment model and currently works with MerchantLink (www.merchantlink.com) as its payment processor.
“We will incorporate EMV into our security infrastructure when our software and hardware vendors make that technology available,” Barbieri explains. “In our experience, security technologies such as tokenization and P2PE complement the compliance effort because they enable a significant reduction in both scope and risk. We think these technologies make achieving and maintaining compliance more realistic and affordable.”