The U.S. payment industry is in a period of transition. October 2015 will mark the end of swipe-and-sign. While card brands are committed to swapping mag-stripe for EMV chip-based cards, the standard for authentication remains under debate: signature capture or PIN. While PIN authentication is considered the more secure option, there’s concern that Americans, who tend to have a variety of credit cards, would struggle to manage multiple PINs.
As the restaurant industry, and U.S. merchants at large, take a wait-and-see approach, HT measures the industry's current and planned payment security practices in its 2014 Restaurant Technology Study.
The food service industry, with its fragmented technology, has historically been a target for card data theft. The sunset for swipe cards will be a welcome improvement. EMV preparedness is on restaurants’ radar, with 70% of those surveyed agreeing that it is important to have a well-defined roadmap for EMV preparedness. When asked about their organization’s current approach to preparing, however, just 26% report having some form of roadmap in place, likely due to the lack of a standard. An additional 37% will make this a priority in the year ahead. With debate ongoing at the top, merchants remain in a holding pattern.
What's more, confusion about the current PCI DSS remains: 86% report that their organizations are "in compliance," but far fewer are able to identify compliance with some of the 12 specific requirements. For example, only 72% report that their organization maintains a policy that addresses information security for employees and contractors (item 12 of the PCI DSS).
With payment security an ongoing process and a moving target, restaurants are leveraging third parties for assistance. More than half of those surveyed outsource their PCI compliance efforts (54%), and nearly as many (52%) have purchased some form of breach protection or insurance.
Respondents were further asked about their organizations’ use of tokenization and point-to-point encryption (P2PE). Though not a requirement of PCI DSS, these technologies can reduce scope by shrinking the footprint where cardholder data is located throughout the organization. Approximately 43% use P2PE and 33% plan to add the technology by 2016. Tokenization is used by 36%, and an additional 30% have future implementation plans.