Earlier this year, The TJX Companies, a large retailer that operates more than 2,000 retail stores under brands such as Bob's Stores, HomeGoods, Marshalls, T.J. Maxx and A.J. Wright, suffered a massive computer breach on a portion of its network that handles credit, debit, check and merchandise transactions. All told, hackers made off with 45 million credit and debit card numbers in the United States, Canada and Puerto Rico. By the end of the first quarter, the breach cost TJX upwards of $17 million.
Wide scale breaches like the TJX debacle have forced the Payment Card Industry (PCI) to issue new rules about how sensitive data is stored and transmitted on internal systems. Developed by the four major credit card companies -- Discover, American Express, Visa, and MasterCard -- the PCI Data Security Standard (PCI DSS) is designed to give customers the added security of knowing that their confidential information is safe once it is given to a business. But these PCI standards aren't always easy to understand or implement, especially for small- to mid-size restaurant operators like Spanky's Marsh Side, located in Brunswick, Georgia. Hackers were freely taking credit card information from Spanky's system for seven months before owner Carla Yarborough became aware.
"I felt like I had been blindsided," says Yarborough in a video testimonial from "Are You At Risk?" a DVD produced by the Retail Solutions Providers Association (RSPA). "It's beyond a lot of people's comprehension."
Unfortunately, Spanky's is not alone as many restaurants have not upgraded their systems to be in compliance with today's data security standards. The 12-minute DVD from the RSPA provides a candid look at PCI security compliance and educates viewers on what may be lurking in their point-of-sale system. For more information on how to order this free DVD, visit www.GoRSPA.org.
Clearly, the dramatic rise in credit card data compromises, primarily occurring in small- to mid-sized merchant locations, has resulted in a huge hassle and expense. The aforementioned example indicates that small- to mid-size restaurant operators using older point-of-sale (POS) systems may not even be aware that their POS system is storing prohibited data.
A recent study by Gartner analyst Avivah Litan found that 80 percent of credit-card data breaches are tied to cash-registers and other POS terminals. According to Gartner, by 2008 most attacks will be on physical POS systems and by 2009 only one out of three such systems will comply with current security standards.
"Device vulnerabilities are often overlooked by enterprises, which tend to focus on enterprise servers and systems when securing their environments," says Litan, adding that data transmissions are also closely monitored and "typically ignored by many companies are the devices that hang off of corporate networks where data are either collected or output, particularly point-of-sale devices and printers located throughout enterprise systems."
Operators can ensure swipe-to-settlement data security compliance by using a Payment Applications Best Practices (PABP) validated version of their POS software together with a PCI-compliant payment processor. In most cases, upgrading to the latest version of POS software that properly stores card data will dramatically reduce liability. In addition, restaurant operators can now provide fast, secure service to guests by using PCI-complaint, high-speed payment processors that are available from a majority of today's leading technology vendors.
A PCI solution
Located on the outskirts of Atlanta, Georgia, Ray's Killer Creek, a small, fine dining establishment known for steak and seafood, became acutely aware of PCI standards and in response, teamed with VeriFone (www.verifone.com)to add an extra layer of security and convenience at the POS. Jim Wahlstrom, operating partner at Ray's, piloted different ways to use the new POS system, such as having guests process transactions, but found that at Ray's level of fine dining, most customers weren't comfortable with the interruption. The end result is a handheld, PCI compliant wireless payment system from VeriFone called "On the Spot." VeriFone is working with retail mangement system (RMS) dealers and value-added resellers to provide On the Spot integrated with leading RMS systems from MICROS (www.micros.com), Radiant/ Aloha (www.radiantsystems.com), and others.
"Instead of walking off with the credit card we can process it right at the table," says Wahlstrom. "There's no nterruption to the guest and it actually saves the server steps."
Wahlstrom says On the Spot is set on "fine dining mode" and acts in a similar fashion to when you drop your car off at the airport. For instance, once a Ray's server sees that a credit card has been taken out by a customer, they walk up with the On the Spot VeriFone device and, in view of the guest, process the credit card, print two slips and place the credit card back in the guest card presenter. "The guest signs it and we close the credit card out right on the POS machine," says Wahlstrom. "There isn't a measurement that you can put on efficiency. But you've got to imagine that you're saving steps for your servers. When you think about the longest time you wait at a restaurant, it's for your check. This really takes that out of the system. Overall, it's a great security measure."
Because PCI is a private standard, rules and regulations from credit card associations can be changed at any time. Likewise, the PCI Security Standards Council can make dates and revisions to the sub-standard itself at any time. For instance, by September of this year, any merchant who processes between one and six million credit card transactions per year is required to demonstrate compliance with the Payment Card Industry Data Security Standard 1.1 (PCI DSS).
In an effort to help companies meet these complex regulations, vendors are stepping up the pace. SonicWALL (www.sonicwall.com) for instance, is working with PCI auditor ControlCase (www.controlcase.com) to develop a step-by-step guide for implementing best practices in deploying a PCI DSS compliant network. Functionality from Tripwire (www.tripwire.com) searches configuration files for required security settings to wireless networks and alerts users when deviations from the defined policy are found. Once configuration files are in compliance, Tripwire will monitor and alert users to any changes allowing review and validation of the change.
For its part, Mercury Payment Systems (www.mercurypay.com) proactively educates POS resellers, developers and customers on how to meet PCI compliance requirements. Mercury has also dedicated resources to help developers meet Visa's PABP validation, considered to be the industry standard for the validation of the data security of payment applications.