By Tia D. Ilori, Business Leader, U.S. payment system risk, Visa Inc.
First, the bad news: According to Visa data, restaurant compromises have steadily increased over the past three years. In 2011, restaurants accounted for 73 percent of all breach incidents in the U.S., far outweighing any other category.
The good news is that most of those attacks were preventable. Based on Visa’s review of fraud trends, we see three important areas that restaurants can address to help significantly reduce their vulnerability and mitigate data compromise.
1. Change default credentials and passwords.
It’s a piece of common sense that you’ve heard countless times, but the reality is that exploiting weak and default passwords continue to be successful strategies for criminals. Vendor set passwords are not secret. In fact, it’s common for the vendor’s default credentials and passwords of popular off-the-shelf software applications, including payment applications, to be searchable online.
To guard against this vulnerability, make a list of the default IDs and passwords for all your payment devices and software. You can look these up in the vendor manual or call your vendor. Change these default settings immediately to IDs and passwords that are hard to guess. In addition, all businesses – including restaurants – should have a strong password policy in place, requiring user passwords to be changed at a minimum every 90 days and strength criteria such as minimum password lengths.
2. Secure your remote management applications.
Some franchisors, point-of-sale vendors, resellers or integrators may choose to use a remote management application (RMA) to manage a restaurant’s payment applications across multiple locations. If you choose to use an RMA, make sure you’re not leaving the back door of your payment network “unlocked.”
When setting up your RMA, create unique user IDs and strong passwords for each location. I covered this in the section above, but it’s worth repeating since leaving the default settings for your RMA unchanged presents a big security risk to all the locations that are connected through the application.
If your business has an outward-facing IP address (these are internet-facing entry points to your network), it is essential to implement a firewall. This is an added layer of security to keep unauthorized users out of your network. As added protection, you can configure your service to restrict connections to known devices.
Lastly, ensure that the restaurant's modem remains turned off except those times when it is needed to access franchisors or payment vendors. After all, if it’s not needed, why run the risk?
3. When working with a third-party payment application integrator or reseller, ask questions.
Third-party integrators and resellers exist to make a restaurant owner’s life easier by selling, installing and assisting in the maintenance of a restaurant’s payment applications. But, improper installation could lead to significant security weaknesses and it’s the restaurant operator, not the vendor, who is ultimately responsible for making sure the restaurant’s payment environment is secure.
Make sure that the third-party you’re working with is providing software that is compliant with the Payment Application Data Security Standard (PA-DSS).
Don’t be afraid to ask questions. Make sure you have a basic understanding of how your payment system was installed. Here are five important questions to ask your vendor:
- Does the payment application I’m using store cardholder data?
- Does my network have a firewall installed to protect my point-of-sale system from unauthorized access?
- Can you confirm that you did not use common or default passwords for my system?
- Have all unnecessary and insecure services been removed from the systems and databases that are part of my point-of-sale system?
- Does my payment application receive software updates in a secure manner?
Visa has created a number of resources for merchants to learn more about data security best practices, which are available at www.visa.com/cisp. The company also has its Business Guide to Data Security, which provides additional information and checklists for merchants.
In the coming weeks, Visa also will host a Data Security and Authentication Symposium. The complementary event will be held June 6, 2012, in Foster City, Calif. Restaurant operators are invited to attend to learn more about data compromise and security trends.
Read more about PCI compliance.