In 2009, 23 percent of the hospitality industry experienced a data breach, with restaurants and hotels leading the majority of cases. Here's how new data-protection solutions are trying to address operators’ top concerns.
October 24, 2010
By Tim Horton, Vice President of Merchant Product Management, First Data
Restaurant operators’ main areas of focus are usually on providing quality food and a memorable customer experience. However, memories of great service and food are quickly erased if a customer’s cardholder data is stolen.
Hospitality and retail industries have similar trends in data breaches involving payment cards used with point-of-sale (POS) systems. In 2009, 23 percent of the hospitality industry experienced a data breach, with restaurants and hotels accounting for the majority of cases, according to the 2010 Verizon and US Secret Service Data Breach Investigations Report.
Data security may seem overwhelming, but restaurants are not expected to act alone. The following approaches outline best practices and new solutions available to help thwart fraudulent attacks.
Understanding compliance obligations and risks
Restaurant operators that accept credit or debit payments are most likely required to comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS was created in 2006 to establish minimum data security measures for organizations around the world that hold, process, or exchange cardholder information from any of the major card brands. These security measures are reviewed and revised on a rotating schedule, with the newest revisions scheduled for release this month.
PCI is not the only pressure point for businesses. Many states have enacted legislation that requires consumer notification of personal data breaches. The costs of notifications, remediation, consumer credit monitoring, legal defense and other aspects of a breach continue to rise. According to Ponemon’s 2009 U.S. Cost of a Data Breach Study, the most expensive breach cost a company nearly $31 million and the least expensive breach was recorded at $750,000.
The card processing ecosystem and risks
Vulnerabilities may appear almost anywhere in the card-processing ecosystem. This includes POS devices, PCs or servers, wireless hot spots, online ordering websites, paper-based storage systems and the transmission of cardholder data to service providers. Vulnerabilities can extend to outside systems operated by service providers and often lead to the exposure or theft of sensitive cardholder data, especially at the merchant level.
Every restaurant has different applications and computer systems that store sensitive cardholder data. Each business application outside of the POS that uses cardholder data expands the areas subject to compliance. Furthermore, these applications and their related storage and data flows are in scope for all PCI DSS assessments.
For instance, suppose a restaurant runs a loyalty program that tracks customers’ purchases in a separate database and uses cardholder data to identify customers, track their spending habits and match them to reward offerings. That stored data falls under PCI DSS purview, and in most cases the restaurant would fail its PCI assessment.
However, new technologies can better protect customer data, while also allowing businesses to conduct everyday operations such as loyalty programs.
Tokenization and encryption - A layered security approach
New service-based solutions from major players in the payments processing industry address operators’ top concerns.
Technology combining end-to-end encryption (E2EE) with data tokenization provides enhanced security by protecting sensitive cardholder data from the point of capture through delivery to the payment processor, eliminating cardholder data from the operator’s environment post-authorization. With these two technologies in place, the data handled by an operator is far less vulnerable in the event of a breach, simply because encrypted or tokenized data is useless to a thief.
In the process of tokenization, cardholder data is sent to a centralized and highly secure server called a vault immediately after being authorized. A random unique number is generated and returned to the merchant’s systems for use wherever the cardholder data would be used. Essentially, credit card data has been removed from various business applications and replaced with a token. The token can be used by an authorized application to retrieve the stored cardholder data if necessary; otherwise, the business application simply uses the token instead of the cardholder data.
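As an added illustration (not First Data's product and not code from this article), the model below plays through the tokenization flow just described together with the loyalty-program case from the earlier section: a vault issues random tokens, the merchant's loyalty database stores only tokens, and only an application on the vault's authorization list can retrieve the card number. It assumes multi-use tokens (the same card always maps to the same token) so the loyalty program can recognize a returning customer; the vault, application names and card number are constructed.

```python
import secrets


class TokenVault:
    """Constructed model of a tokenization vault. Only the vault holds the
    mapping token <-> card number (PAN); merchant applications keep tokens."""

    def __init__(self, authorized_apps):
        self._token_to_pan = {}
        self._pan_to_token = {}   # assumed multi-use tokens: same PAN, same token
        self._authorized = frozenset(authorized_apps)

    def tokenize(self, pan):
        """Return a random, unique token for this PAN (not derived from it)."""
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            token = "tok_" + secrets.token_hex(8)
            if token not in self._token_to_pan:   # guarantee uniqueness
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token, app_id):
        """Only an authorized application may retrieve the stored PAN."""
        if app_id not in self._authorized:
            raise PermissionError(f"{app_id} may not retrieve cardholder data")
        return self._token_to_pan[token]


class LoyaltyProgram:
    """Merchant-side application keyed on tokens, so its database holds no PAN."""

    def __init__(self):
        self.spend_by_token = {}

    def record_purchase(self, token, amount_cents):
        self.spend_by_token[token] = self.spend_by_token.get(token, 0) + amount_cents

    def reward_tier(self, token):
        spend = self.spend_by_token.get(token, 0)
        return "gold" if spend >= 50_000 else "silver" if spend >= 10_000 else "none"


def run_scenario(pan="4111111111111111"):
    """Constructed test card (not a real account): two visits, then a loyalty lookup."""
    vault = TokenVault(authorized_apps={"payment-gateway"})
    loyalty = LoyaltyProgram()
    t1 = vault.tokenize(pan)            # first visit, $80.00
    loyalty.record_purchase(t1, 8_000)
    t2 = vault.tokenize(pan)            # return visit, $40.00; same token, so spend accumulates
    loyalty.record_purchase(t2, 4_000)
    return vault, loyalty, t1, t2
```

The loyalty database ends up holding only `tok_...` values, which is what takes it out of the cardholder-data flow the preceding section describes.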
While encryption is a popular choice, already used by many restaurant operators and retailers, the use of tokenization is fairly new to most, with only a handful of merchants adopting tokenization to date. However, a cross section of large to small merchants have now completed tokenization assessments through pilot programs and provided high marks on their experience.
In June 2010, more than 150 merchants tested an E2EE and tokenization solution in a variety of point-of-sale (POS) environments. During the pilot, merchants processed card transactions and assessed multiple factors, including average latency time, which averaged less than one tenth of a second per transaction, and ease of implementation for merchant adopters, all of whom used existing POS terminals for the test.
The role of tokenization as part of PCI DSS compliance guidance is expected to take a step forward when new revisions are released by the PCI Security Council in late October. According to a Ponemon Institute and Thales 2010 PCI DSS Trends Report, 41 percent of Qualified Security Assessors believe tokenization will be included in the PCI DSS updates as “the technology to increase cardholder data security and reduce cost of compliance.”
Payment security is complex, with risks and vulnerabilities at every point of the processing chain. Unfortunately, there is no single approach to security that can totally prevent or eliminate card data theft and fraud. As criminals become more inventive in their methods of thievery, the risks and vulnerabilities for data increase, and security methods must evolve as well. Restaurant operators should bolster PCI DSS compliance knowledge and develop a proactive strategy to reduce and protect cardholder data—or the ramifications of a breach could become a reality.