The Data Dilemma

Small restaurant chains are turning into big targets for credit card theft.

With an increased push toward credit card security by card issuers, many quick-service restaurants have taken steps to protect their customers’ private information from thieves. As a result, hackers are now turning their attention to smaller mom-and-pop operations, which have little to no security measures in place.

While the Payment Card Industry (PCI) Security Standards Council has implemented Data Security Standard (DSS) requirements to protect cardholder information and card issuers have set up compliance programs to make sure these standards are met, the majority of small-business owners have little to no awareness or knowledge of the protocols.

According to a recent survey commissioned by the National Federation of Independent Business (NFBI) and Visa Inc., 39 percent of small businesses say they rely on common sense to keep data safe, and 61 percent have never sought out information about how to properly handle and store customer information.

As a result, some small-business owners find out the hard way about credit card security breaches. Pittsburgh-based Burrito Group recently settled a class-action lawsuit that claimed the company violated the Fair and Accurate Credit Transaction Act of 2003 by printing the last five numbers and expiration date of customers’ credit cards on their receipts

In January 2007, after being identified as a common point of purchase among some cardholders whose accounts had been compromised, Lodi Beer, a microbrewery and restaurant in Lodi, California, learned its computer system had stored the account data of more than 11,000 customers.

Ignorance of the industry standards and compliance rules doesn’t prevent small businesses from incurring hefty fines—not to mention negative press. In the case of Lodi Beer, its card processor, Abanco International LLC, was fined $27,000 by Visa and MasterCard for noncompliance. Abanco then passed this fine on to Lodi Beer.

The keys, it seems, to remaining in compliance are education and due diligence. Most importantly, mom-and-pop restaurant owners and managers must learn the PCI DSS requirements for their business. They also need to make sure their operation is in compliance with those requirements.

To make this process easier, the PCI Security Standards Council updated its self-assessment questionnaire in February to simplify and streamline the assessment process. Bob Russo, general manager of the PCI Security Standards Council, says the change came after feedback from acquiring banks, qualified security assessors, and small merchants stating that a “one size fits all” approach was not working. “We made it more understandable for these small

Many of the credit card brands also are providing educational resources regarding their individual compliance rules. These come in the form of Webinars, online guidelines manuals, and online fraud prevention tool kits.

Visa and NFIB developed a booklet, The NFIB Guide to Data Security, to educate and assist small businesses in safeguarding customer information. “Small merchants represent 99 percent of the total Visa merchant population, and, even though they may have limited access to sophisticated security analysis, even small changes can dramatically improve security for them, their customers and the overall payment system,” says Jennifer Fischer, director of payment system risk and compliance for Visa.

Of course, many mom-and-pop restaurant owners rely on their credit card processor or POS product to keep them up to date on security issues and compliance. But this approach is not foolproof. “It’s really an ongoing issue, because the level of security is only as good as the last change you made,” says Paul Rasori, vice president of global product marketing for VeriFone Inc., a supplier of secured payment point-of-sale (POS) infrastructure to merchants.

In fact, POS suppliers and management solution providers have recognized the need to educate their clients on the security aspect of their products. At HotSauce Technologies, a national and international management solution provider, company CEO Kai Hsu says his company has a responsibility to help clients stay compliant with DSS standards and industry rules.

“It’s a problem everybody is facing, and that everybody needs to work together on,” Hsu says. “It’s important for all of us service providers to remember our clients are potential victims. Our duty is to work with our clients, to prevent it from happening, and to help them through it when it does. Their interests are whatDave Gerard, owner of Deli Junction in Ellijay, Georgia, switched from a bank credit card processor to HotSauce Technologies’ POS system almost three years ago. He knew little about the DSS standards or compliance rules until his HotSauce representative outlined those aspects of his POS system. Gerard then researched the standards to get a better understanding of what was required of him, but found that HotSauce had his system secured. “They’ve been real thorough,” Gerard says. “I’ve been impressed.”

Although cost is a factor in putting the right security components in place, Gerard recommends it to other mom-and-pop restaurants owners. “Unless you’re really computer-savvy, you should hire someone to do it for you,” he says. “There’s a good chance you’ll leave your customer exposed, and that’s not a good thing.”

In addition to working with credit card processors and POS system providers, more information on keeping credit card information secure can be found at the PCI Security Standards Council Web site www.pcisecuritystandards.org as well as the various credit card brands’ Web sites.

we really need to look at.”