Keeping Restaurant POS Safe: The Fundamentals of Payment Security
Payment security is a forest of acronyms so dense that it can seem impossible to navigate through to the light. With complicated, technical constructs lurking around every corner, it might seem tempting to shrug and leave the arduous journey for another day.
But keeping your restaurant and your customers safe from data breaches doesn’t have to be so treacherous. In fact, we believe the path to secure payments should instead be a lovely lunchtime breeze through a blog.
That’s why we’ve enlisted the help of NEXTEP’s Chief Security Officer Marshall Cummings to give succinct, actionable advice to every restaurateur looking to shore up their payments process. This will be the first in a series of posts aiming to make the fundamentals of payment security easily understandable and decidedly less repulsive than they otherwise might be.
To begin, Marshall offers advice on the first measures every restaurant operator should take to ensure basic POS and payment security…
3 Basic Payment Security Measures to Take Now
From the Desk of NEXTEP Chief Security Officer Marshall Cummings
1. Stay away from conventional, non-encrypting, magnetic stripe readers.
The way these readers handle plain-text credit card data makes them the juiciest of low-hanging fruit for hackers and thieves.
The magnetic stripe reader (MSR) is a device that reads the data encoded in the magnetic stripe on the backs of credit cards. First introduced in the 1970s, the MSR reads the data on the card’s magnetic stripe (more or less the same as the numbers embossed on the card), translates it to plain text, and sends it on to the connected computer.
Once that plain text arrives at the computer to which the MSR is connected, it is vulnerable! Avoid the conventional MSR if at all possible.
Instead, opt for the encrypted MSR. This device encrypts the data as the card is being swiped, using a unique key that is injected into the device at the time of manufacture or configuration. As soon as a card swipes past the read head built into the device, the data is encrypted. A properly configured, secure payment application transmits this encrypted data to the payment processor for decryption and processing. If things are done correctly, this data cannot be decrypted anywhere in between – this is called end-to-end encryption, or E2EE.
2. Invest in a real firewall.
There is little reason to lock your front door if the walls of your house have already been blown down.
Firewalls are your first line of defense against data breaches. Make sure your firewall is live and configured properly. And real! Every $79 (and less) router you can pick up at your local grocery store has the word “firewall” on the back of the box – that’s not what we’re talking about here. Entire industries have sprung up around payment security, and billions of dollars are spent every year trying to keep payment data safe – believe me, inexpensive routers and firewalls are just not going to do the same thing.
If you think that your daily transaction volume is low enough to escape targeting, think again. Attackers use bots to suss out vulnerabilities across networks, accessing and storing credit card information from many compromised systems at a time. Small businesses suffer the majority of these kinds of breaches.
Choosing and maintaining a reputable, reliable firewall keeps the bot army at bay.
3. Take PCI compliance seriously.
Just because you self-assess doesn’t mean you should let yourself off the hook.
For example, if you have a wireless network for your guests or even for your employees, make sure it is not on the same network as your payment system! Checking the “Yes” box for requirement 1.2.3 on the PCI SAQ D form is easy enough, but if you don’t actually have that firewall in place, you’re running a real risk!
Customers love wireless access, and it is fast becoming part of the fast-casual landscape. But just because you can drop a few dollars on the latest Wi-Fi hardware on Amazon, plug it into some box in the back of your restaurant and make it work does not mean you should! Quite the opposite! Restaurant operators who process payments on networks that are open to public access, whether by choice or by accident, learn the hard (and expensive) way that guests and attackers are equally happy to partake in the internet free-for-all.
PCI guidelines are in place for a reason. Comply with them to avoid liability. Use that SAQ D form every quarter for its intended purpose – a rigorous health checkup on your security!
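As an added example (not part of the NEXTEP post), here is a small Python check that evaluates a firewall ruleset the way a first-match firewall would and lists every path it leaves open from the guest Wi-Fi segment into the payment segment; it is the kind of evidence that should back up a “Yes” on requirement 1.2.3. The subnets, processor address, rule format and the three rulesets are constructed sample values, and the rule model is deliberately simplified.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    dport: Optional[int] = None  # None matches any destination port

def evaluate(rules, src_ip, dst_ip, dport):
    """First-match evaluation, top to bottom, with an implicit final deny."""
    s, d = ipaddress.ip_address(str(src_ip)), ipaddress.ip_address(str(dst_ip))
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.dport in (None, dport)):
            return r.action
    return "deny"

def wireless_to_cde_paths(rules, wireless_net, cde_net, ports=(22, 80, 443, 445, 3389, 5900)):
    """Every (guest host, payment host, port) the ruleset lets through.
    An empty list is what a truthful "Yes" on requirement 1.2.3 looks like."""
    return [(str(s), str(d), p)
            for s in ipaddress.ip_network(wireless_net).hosts()
            for d in ipaddress.ip_network(cde_net).hosts()
            for p in ports
            if evaluate(rules, s, d, p) == "allow"]

# Constructed sample segments: guest Wi-Fi, the POS/payment (CDE) segment, the processor.
GUEST_WIFI = "192.168.50.0/24"
CDE = "10.10.1.0/29"
PROCESSOR = "203.0.113.10/32"   # constructed (TEST-NET-3 documentation range)
# A flat network behind a consumer router: one LAN, everything talks to everything.
FLAT_NETWORK = [Rule("allow", "0.0.0.0/0", "0.0.0.0/0")]
# Segmented: POS talks only to the processor, guests reach only the internet.
SEGMENTED = [
    Rule("allow", CDE, PROCESSOR, 443),
    Rule("deny", GUEST_WIFI, CDE),                   # requirement 1.2.3, actually enforced
    Rule("deny", GUEST_WIFI, "10.0.0.0/8"),          # nor any other internal network
    Rule("allow", GUEST_WIFI, "0.0.0.0/0", 443),
    Rule("allow", GUEST_WIFI, "0.0.0.0/0", 80),
]
# Same rules, but the denies were added below the guest allows, so they never fire.
MISORDERED = [SEGMENTED[0], SEGMENTED[3], SEGMENTED[4], SEGMENTED[1], SEGMENTED[2]]

if __name__ == "__main__":
    for name, rules in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED), ("misordered", MISORDERED)):
        paths = wireless_to_cde_paths(rules, GUEST_WIFI, CDE)
        print(f"{name}: {len(paths)} guest-to-payment paths open; e.g. {paths[:1]}")
```

The misordered ruleset is the case the post warns about: the deny rule exists on paper, but because it sits below the guest allow rules it never matches, so every POS host is still reachable from the guest Wi-Fi on ports 80 and 443.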