Small restaurant operators often have to take on many different roles to run a successful restaurant. So it's no surprise that data security, a vital operational component, is often overlooked due to its complexity. But it's important that operators look into dedicating resources to minimize risk and potential reputational damage.
In 2009, 23 percent of the hospitality industry experienced a data breach, with restaurants and hotels accounting for the majority of cases, according to The 2010 Verizon and U.S. Secret Service Data Breach Investigations Report. If your restaurant accepts credit or debit payments, you're most likely required to comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS was created in 2006 to establish minimum data security measures for organizations around the world that hold, process or exchange cardholder information from any of the major card brands.
The best way to be PCI compliant is to remove all cardholder data from your systems completely. While this process can feel overwhelming, businesses are not expected to act alone in attempting to contain and even reduce the cost of their PCI compliance.
Becoming PCI compliant may mean incurring new costs, but the right resources and technology can greatly reduce unnecessary spending. By following a few key principles, you can simplify compliance. Consider these points:
Talk to your acquiring bank or knowledgeable business payments advisor. They may have resources to help you achieve and maintain your compliance.
Reduce your vulnerabilities. Every computer system, filing cabinet or application that uses or stores sensitive card data falls within the scope of PCI compliance. If possible, limit data usage to applications directly pertaining to payments (e.g. transaction authentication, daily settlements).
Weigh your technology decision carefully. Look for flexible, technology-agnostic solutions — ones that work with your system regardless of your POS hardware, card association or processing relationship. Also look for solutions that effectively remove data from your environment while allowing access when needed.
Minimize your PCI compliance scope. Seek out layered solutions that combine end-to-end encryption and tokenization. This combination of technologies is designed to dramatically reduce the cost and complexity of complying with PCI DSS requirements, because it encrypts the cardholder data and then removes it completely from your systems.
Make a long-term commitment. Develop a thorough, proactive compliance strategy to protect your business's future. Protecting customer card data requires an ongoing effort.
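As an added illustration of the scope-reduction and tokenization points above (example code, not the article's or First Data's own), the following Python locates card numbers in stored records, which is what brings a system into PCI scope, and replaces them with tokens. The `vault` dict stands in for the payment provider's token vault, and the sample record is constructed using a widely published test card number.

```python
"""Find stored card numbers (which put a system in PCI scope) and tokenize them.
Constructed for illustration: `vault` stands in for the provider's token vault."""
import re
import secrets
import string

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; PANs from the major card brands satisfy it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the normalized, Luhn-valid card numbers found in `text`."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def tokenize(pan: str, vault: dict) -> str:
    """Swap a PAN for a random token that only the vault can map back.
    Letters only (plus last four digits for receipts), so a scanner such as
    find_pans can never mistake the token for a card number."""
    body = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
    token = f"tok_{body}_{pan[-4:]}"
    vault[token] = pan
    return token


def scrub_record(record: str, vault: dict) -> str:
    """Tokenize every card number in a stored record; other digit runs stay."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return tokenize(digits, vault) if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(repl, record)


if __name__ == "__main__":
    # Constructed record: order number, published test card number, phone number.
    rec = "ORDER 1234567890123456 | card 4111 1111 1111 1111 | tel 555-123-4567"
    vault: dict = {}
    print(find_pans(rec), "->", scrub_record(rec, vault), vault)
```

After scrubbing, only the token and the vault key remain on the merchant side, so the record no longer contains cardholder data and the order number and phone number are left untouched.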
Investing in data security measures can help safeguard your business even as it protects customer data. High-profile data breaches serve as a reminder that the cost of prevention is likely far less than the potentially devastating risks of a data breach or other major violation.
Fortunately, resources are available to help businesses reduce the cost and complexity of PCI compliance so you can focus on cash flow, profitability and customer service.
Unfortunately, there is no single approach to security that can totally prevent or eliminate card data theft and fraud. As criminals become more inventive in their methods of thievery, the risks and vulnerabilities for data theft increase, and security methods must evolve as well. You must bolster PCI DSS compliance knowledge and develop a proactive strategy to reduce and protect cardholder data — or the ramifications of a breach could become a reality.
Tim Horton is vice president of Merchant Product Management for First Data, a company dedicated to making payment transactions safe and secure.