The threat of cyberattacks is on the rise for restaurants and retailers across South Africa, and a data breach that exposes millions of consumer payment cards is something no business operator ever wants to face. However, given the growing demand for customer-friendly payment technology, it is not a risk that businesses can ignore. Any business that offers card payments should therefore tackle payment security proactively, before a breach harms the business and its customers' privacy.
The risk of swiping
Most customers prefer the convenience of swiping a card rather than carrying cash for payments, whether at a restaurant or a retail outlet. These electronic transactions put the money of the business and its customers at risk if the proper technology is not used. This is why card-processing systems are a prime target for data thieves: each stolen card number has a resale value on the dark web, and that value is what criminals are after. An attacker who copies a million cards has easy money, and the easiest way to get it is to target organisations that handle thousands of credit and debit cards. The bigger the organisation, the more lucrative the target.
How do hackers do it? U.S. chain restaurants recently learned this lesson the hard way after malware was installed on their Point of Sale (POS) systems. This let the attackers harvest card data from every transaction without ever being physically present on site. How can restaurants and retailers avoid the same fate? The smartest strategy is to build a secure environment and stay ahead of point-of-sale threats.
There are four essential steps that restaurants and retailers can take to create and maintain a secure business environment:
Step 1: Get compliant
All companies that accept, process, store or transmit cardholder data must maintain a secure environment. The Payment Card Industry Data Security Standard (PCI DSS) is the set of security requirements that the card brands impose on such merchants, so that retailers and customers can trust electronic card payments; how a merchant validates its compliance (a self-assessment questionnaire or an on-site assessment by a Qualified Security Assessor) depends on its transaction volume and the channels through which it accepts cards. The standard has 12 requirements covering technology, people and processes, all aimed at protecting cardholder data wherever it is handled in the environment. Compliance is required regardless of whether the store is physical or online.
Step 2: Protect payment data with credit card encryption
Although not the only option for protecting data, modern POS systems can encrypt card data at the moment the card is swiped, dipped or tapped, inside the card reader itself, so that the transaction is protected from start to finish. Encrypting in the reader hardware does not stop malware from being installed on the POS device, but it removes the payoff: memory-scraping malware on the till sees only ciphertext it cannot decrypt, because the keys live in the reader and at the payment processor, never on the POS. What the attacker can copy is of no use to them.
Step 3: Do not store credit card data
Retailers and restaurants should store as little card data as possible, and must never retain the full magnetic-stripe or chip data, the card verification code or the PIN after a transaction has been authorised; PCI DSS prohibits that outright. Where the card number itself must be kept for any reason, use a solution in which hardware security modules (HSMs) protect the encryption keys, or replace the number with a token issued by the payment provider so that only the token and the last four digits remain on the merchant's side. Protecting the number on its way to the bank is the job of point-to-point encryption (P2PE) or end-to-end encryption (E2EE) solutions, which encrypt in the reader and decrypt only at the processor; a PCI-listed P2PE solution also shrinks the merchant's assessment scope considerably. It is also worth considering a cloud-based POS system. Besides convenient features and ease of use, a cloud-based POS can protect data better than a legacy POS because card data is passed straight on to the next step in the payment process rather than being stored in the terminal or on a server in the retailer's back office. Having customer card data on site is simply too risky: it is far easier for the wrong person to reach than data held by the provider. Removing cardholder data from the environment both simplifies the PCI scope and makes compliance considerably easier to achieve.
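As an added illustration of Step 3 (this is example code written for this page, not the author's or Galix Networking's own tooling), the Python scanner below looks for card numbers that have ended up in clear text where they should not be, such as POS debug logs, database exports or backups. It pairs a digit-run pattern with the Luhn check so that order numbers and timestamps are not reported, and masks every hit so that the report itself does not become a store of cardholder data. The log lines are constructed for the example, and the token format on the third line is illustrative rather than any provider's real format.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: every real card number passes it, while most
    random digit runs (order numbers, timestamps, IDs) do not."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        d = int(char)
        if index % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Report a hit as first six + last four, the most PCI DSS permits to be
    displayed, so the scanner's own output does not leak full PANs."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line number, masked PAN) for every Luhn-valid candidate."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits


# Constructed sample log, not taken from any real POS. Lines 2 and 4 show a
# PAN leaking into a log (the second one with the spacing printed on a
# receipt); line 3 shows what a tokenising POS should leave behind instead.
# 4111111111111111 and 5500000000000004 are published test card numbers.
SAMPLE_LOG = """\
2024-03-02 12:01:44 pos-01 sale order=1234567890123456 amount=249.00
2024-03-02 12:01:45 pos-01 DEBUG auth req pan=4111111111111111 exp=1226
2024-03-02 12:03:10 pos-02 sale token=tok_9f31c2 last4=0004 amount=89.50
2024-03-02 12:03:11 pos-02 DEBUG legacy dump card=5500 0000 0000 0004
"""

if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: possible stored PAN {masked}")
```

Run this over POS logs, backups and database exports as part of scope reduction: a non-empty result means cardholder data is being stored in the environment, which is exactly the condition this step warns against. The Luhn check removes most false positives but not all, so confirm hits by hand, and remember that the scan only finds clear-text numbers; it says nothing about whether an encrypted or tokenised store is protected properly.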
Step 4: Keep one step ahead of hackers by keeping technology up-to-date
While cyber threats are constantly evolving, so too are the technologies aimed at stopping them. Retailers and restaurants would be wise to partner with an innovative technology company for their POS systems, to ensure they are always running the latest security measures. Most POS companies work on a SaaS (software as a service) model, under which the retailer pays a subscription and receives technical support and regular software updates. These updates matter because, alongside performance improvements, they carry fixes for newly discovered security weaknesses; a fix only helps once it is installed, so updates should be applied promptly rather than deferred.
At the end of the day, retailers and restaurateurs should remember that when it comes to cybercrime, it is not a case of "if it happens" but of "when will it happen?". To protect the business's reputation and the integrity of its customers' card information, it is important to take cyber security seriously. Deal with payment security proactively, rather than reactively, when it is already too late.
By Simeon Tassev, Managing Director and QSA at Galix Networking