3 Quick Free Steps that could save your business
- qmckenna6

- Dec 10, 2015
- 4 min read
Here’s news today of a data security breach (Elephant Bar Restaurants) on a more modest scale than we normally read about. It is sobering news. The fact that a modest sized restaurant company was the target may indicate that the capacity to hack credit card processing equipment and the software to harvest the information is ubiquitously available and no longer requires a sophisticated team of high level black hats to pull it off.
I recently took a restaurant through the PCI compliance process. This unit had revenue of over $10 million and processed a large number of charges. American Express flagged it for additional PCI compliance requirements. To add to the challenge, someone at the company received two AMEX notifications and misunderstood what they were about, tossing the letters. That meant that we had a narrow window of time within which to achieve the required compliance (we later learned that obtaining an extension of the deadline was simple—we just had to request it, demonstrate some progress and provide a drop-dead completion date).

PCI compliance isn’t an all or nothing thing. A business works toward compliance, and if the gap between requirement and your capacity is wide enough, processing rates may increase and eventually you will not be allowed to process credit cards. As we have been reading about with the chip-in-card (EMV) technology, some shortcomings in compliance might shift the responsibility for fraudulent activity from the credit card issuer to the retailer.
An overview of the process is fairly straightforward. You simply ensure that consumer credit card information is protected and/or behind firewalls and handled, stored and transmitted via PCI compliant software and systems. We had to complete a Self-Assessment Questionnaire (SAQ). Sounds pretty simple, but trust me, it is not so easy. Just see this AMEX "Cheat Sheet!"
When you begin to dig into how this really works operationally, it is a bit more complicated. At a business of this scale there will probably be several systems involved. The big one is the POS system. You would imagine a quick phone call to your POS provider would get you the necessary thumbs up. But no, it wasn’t that easy. As it turned out, we had missed several system updates, each of which had to be paid for and sequentially installed. At the time, and I believe it is still the case, many of the major restaurant POS system providers (ALOHA and MICROS anyway) did not yet offer integrated chip-in-card (EMV) readers for their systems, so as of October 15th, the old magnetic stripe readers cannot be fully compliant.
Next we had to determine whether or not the communication network the POS resided on could be completely segregated from other traffic. Because it could not, we had to install a separate heavily firewalled network (including a separate ISP). Thankfully we relied on a competent IT consultant to assess and install the required equipment and set it up correctly—it was not a DIY project, and documenting what was done and how it was done is critical for completing the compliance questionnaire. You’ll also need to engage an outside company to perform regular vulnerability scans of your network (essentially simulated cyber attacks).
The credit card processing company is the next link in the chain. There might be someone who is not on top of this, but I doubt it.
Beyond the POS system are any vendor/partners that might obtain customer data (OpenTable, delivery companies, gift card sales vendors, banquet booking systems). Calls to most got me the telephone equivalent of a blank stare. They didn’t know offhand whether their systems were compliant and hadn’t been asked the question. Upon further research they all replied that their systems were compliant, or more commonly, that they outsourced the portion of their system that handles customer data. That meant we had to confirm that the company actually handling the data was compliant.
Once you have mapped your network and are sure it is securable, and have assurance that your vendor/partners are all secure, you’re home free, right? Not yet. There are a couple of steps you still need to take. These are easily accomplished and extremely important but probably, commonly, overlooked.
Three free solutions you can employ today that might save your business:

1. Inventory, label and inspect your POS, network and anything else connected to it, regularly.
Look over every piece of equipment, write down its location, make, model and serial number. Take a photo of it. Assemble a complete inventory with this information. That’s every POS terminal, connected PC, switch, router or modem. Ethernet cables ought to go straight from one piece of equipment to the next. If a cable goes behind a file cabinet, make sure you know why. Check the inventory monthly or quarterly. It is the only way you will know if something has been changed out or added.

2. Train management and staff as to who can have access to equipment and under what circumstances.
Create procedures and train your managers and staff on how to deal with anyone who tries to access or modify this equipment. Technicians must be scheduled (they don’t drop by, right?), and they must be verified (management must obtain identification and confirm that identity with a known vendor—typically the POS company, maybe the IT company, rarely the credit card processor—BEFORE any work is done). All employees must know to notify management immediately if someone attempts to access this equipment. Managers must know the procedure for verifying a “technician”, which means that they must know what companies might require access, how to contact them and what to ask. Create signage and post it at all POS terminals, connected PCs, routers, switches and modems to remind staff and management.

3. Create a ready-to-roll plan for what happens if a breach is suspected.
Create a simple plan for what needs to happen in the event that a breach is suspected. This should include an ordered call list (ownership, management, IT consultant, credit card and POS companies) and specific instructions as to who is authorized to respond and to whom they report. You may not want your most junior manager calling American Express before the facts are clear, and you don’t want anyone talking to the press without serious thought.
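The inventory step only pays off if each inspection is actually compared against the last one. The following script is an added example (not part of the original post, and not any POS vendor's tool) showing one way to do that comparison: keep the previous inventory as a CSV of label, kind, make, model, serial and location, record the same fields on the walk-through, and report every device that was added, removed, or changed out. The `BASELINE_CSV` and `CURRENT_CSV` data, the device names and the serial numbers are constructed for illustration.

```python
"""Inventory drift check for POS and network equipment.

BASELINE_CSV is what was recorded at the last inspection; CURRENT_CSV is what
was found on today's walk-through. A device that appears only in CURRENT_CSV
was added, one that appears only in BASELINE_CSV was removed, and one whose
serial, model or location differs was changed out or moved.
"""
import csv
import io
from dataclasses import dataclass

# Fields compared between inspections (label is the dictionary key).
TRACKED_FIELDS = ("kind", "make", "model", "serial", "location")


@dataclass(frozen=True)
class Device:
    label: str      # sticker on the unit, e.g. POS-01
    kind: str       # pos_terminal, pc, switch, router, modem, unknown
    make: str
    model: str
    serial: str
    location: str


# Constructed sample data: the last recorded inventory.
BASELINE_CSV = """label,kind,make,model,serial,location
POS-01,pos_terminal,ExampleCo,T100,SN-1001,front counter
POS-02,pos_terminal,ExampleCo,T100,SN-1002,bar
SW-01,switch,ExampleCo,S24,SN-2001,office rack
RT-01,router,ExampleCo,R1,SN-3001,office rack
"""

# Constructed sample data: today's walk-through. POS-02 has a different
# serial (swapped unit) and an unlabelled box turned up behind a file cabinet.
CURRENT_CSV = """label,kind,make,model,serial,location
POS-01,pos_terminal,ExampleCo,T100,SN-1001,front counter
POS-02,pos_terminal,ExampleCo,T100,SN-1099,bar
SW-01,switch,ExampleCo,S24,SN-2001,office rack
RT-01,router,ExampleCo,R1,SN-3001,office rack
,unknown,,,,behind file cabinet
"""


def load_inventory(text: str) -> dict[str, Device]:
    """Parse an inventory CSV into a label -> Device map.

    A device found without a label gets a placeholder label so it is still
    reported; duplicate labels are an error because the label is the key.
    """
    devices: dict[str, Device] = {}
    unlabelled = 0
    for row in csv.DictReader(io.StringIO(text)):
        label = row["label"].strip()
        if not label:
            unlabelled += 1
            label = f"UNLABELLED-{unlabelled}"
        if label in devices:
            raise ValueError(f"duplicate label in inventory: {label}")
        fields = {f: row[f].strip() for f in TRACKED_FIELDS}
        devices[label] = Device(label=label, **fields)
    return devices


def diff_inventory(baseline: dict[str, Device], current: dict[str, Device]) -> dict:
    """Return added labels, removed labels, and per-label changed fields."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed: dict[str, dict[str, tuple[str, str]]] = {}
    for label in sorted(set(baseline) & set(current)):
        old, new = baseline[label], current[label]
        diffs = {
            f: (getattr(old, f), getattr(new, f))
            for f in TRACKED_FIELDS
            if getattr(old, f) != getattr(new, f)
        }
        if diffs:
            changed[label] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def needs_attention(diff: dict) -> bool:
    """True when anything at all differs from the baseline."""
    return bool(diff["added"] or diff["removed"] or diff["changed"])


def format_report(diff: dict) -> list[str]:
    """Render the diff as one line per finding, for a manager to act on."""
    lines = [f"ADDED    {label}" for label in diff["added"]]
    lines += [f"REMOVED  {label}" for label in diff["removed"]]
    for label, fields in diff["changed"].items():
        detail = ", ".join(f"{f}: {old!r} -> {new!r}" for f, (old, new) in fields.items())
        lines.append(f"CHANGED  {label}: {detail}")
    return lines or ["no changes since last inspection"]


if __name__ == "__main__":
    report = diff_inventory(load_inventory(BASELINE_CSV), load_inventory(CURRENT_CSV))
    print("\n".join(format_report(report)))
```

Any line in the report is a question for management to answer before the next shift: who swapped the terminal, and who put the box behind the cabinet. The script deliberately flags location changes too, since a terminal that moved is as worth a question as one that was replaced.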
Liability in the area is huge and quickly growing. Even if you are not required to achieve an elevated PCI compliance level—spend a couple of hours to set up the three free solutions—they really might save your business, and you’ll sleep better.
If you’d like to discuss this feel free to reach out to me.