Like much of the hospitality industry, restaurants have also undergone widespread transformational changes to keep up with the digital age. As a result, innovations such as kiosks, ordering apps, artificial intelligence, and loyalty programs have changed customer preferences for personalized and faster checkout experiences.
It is now a given that a restaurant also has a website through which diners can place online orders. On the strength of this convenience, the restaurant industry sector has been forecast to reach $281.68 billion by 2021. That rapid growth, driven mostly by digitally savvy consumers, particularly Gen Z and Millennials, exposes restaurants to new attack vectors.
From the recent breach of Domino’s customer data to infected cash registers at some Tim Hortons locations, the threat of a malware attack is very real. Threat actors are not always looking for money directly; many are after customers’ personal information, including credit card details, which they can exploit later.
Besides the obvious reputational damage to your business (since you are legally required to notify customers about potential data breaches), you may face fines for failing to protect credit card information.
The vast majority of data breaches can be prevented by taking a few simple steps. We’ve outlined the most important ones after consulting with cybersecurity experts in the restaurant industry.
1. Ensure PCI Compliance
Payment Card Industry (PCI) compliance refers to a set of rules restaurant owners must follow before they can process credit cards. The goal is to provide an extra layer of security to your diners so they can feel safe when their card runs through your terminals.
You can combine your organization’s existing cybersecurity program with PCI guidelines to thwart the possibility of a data breach.
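One concrete PCI control that a POS or ordering site has to get right is that the full card number (PAN) never appears on receipts, in logs, or in reports: PCI DSS requires the PAN to be masked whenever it is displayed, showing at most the first six and last four digits. The following is an added example written for this article, not code from MenuCRM or any POS vendor; it assumes the POS keeps the full PAN inside the payment path and routes everything that leaves that path through `redact_line()`. The log line and card numbers below are constructed (4111 1111 1111 1111 is a standard test number), and the pattern covers the two common layouts, 16 contiguous digits and 4-4-4-4 groups.

```python
"""Added example (not from the original article): masking a card number (PAN)
before it is printed on a receipt or written to a log, a basic PCI DSS control.
Assumption: the POS exposes the full PAN only inside the payment path; anything
that leaves that path (receipts, logs, reports) goes through redact_line()."""
import re


def luhn_valid(pan: str) -> bool:
    """Return True if a digit string passes the Luhn check, which tells a real
    card number apart from an unrelated number such as an order id."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits. PCI DSS permits first six/last four when
    there is a business need, but a receipt or log needs no more than last four."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a card number length")
    return "*" * (len(digits) - 4) + digits[-4:]


# Candidate PANs: 4-4-4-4 groups separated by space or hyphen, or 13-19 contiguous
# digits. Other layouts (e.g. 4-6-5 for 15-digit cards) would need a further pattern.
PAN_RE = re.compile(r"\b(?:\d{4}[ -]){3}\d{4}\b|\b\d{13,19}\b")


def redact_line(line: str) -> str:
    """Replace every Luhn-valid card number in free text with its masked form;
    digit runs that fail the Luhn check (order ids, timestamps) are left alone."""
    def repl(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        return mask_pan(digits) if luhn_valid(digits) else raw
    return PAN_RE.sub(repl, line)


if __name__ == "__main__":
    # Constructed sample: a POS log line that wrongly carries the full PAN.
    print(redact_line("2021-03-04T19:02:11 T01 SALE 4111 1111 1111 1111 34.50"))
```

The Luhn check matters because a naive "any long digit string" rule would also mangle order numbers and timestamps, and staff would soon stop trusting the logs.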
2. Audit Your Vendors
Like most businesses, restaurants work with dozens of vendors on a daily basis to make their work easier. You probably have vendors for your food supplies, electrical works, cleaning services, and other needs. While it’s a good idea to hire these vendors based on quality of work and customer service, it is also important to look at their security practices.
One known pathway for threat actors is through third-party vendors who are plugged into your network without proper boundaries in place. Such a connection is usually the weakest security link in your network and can provide a point of entry into your systems, preventing you from serving customers or holding you to ransom.
So if you’re hiring a vendor that needs access to your network, vet them by asking the following questions:
- Do you have a security program?
- What firewall and security services do you use to protect your business?
- Are your security practices regularly audited by third-party companies? Can you provide us with their results?
The answers to these questions will reveal how seriously the vendor takes its security. If they don’t know the answers, keep them off your restaurant network.
In 2021, vendor security for restaurants should be a key priority because great service shouldn’t come at the cost of a data breach.
3. Adopt EMV Chip Technology
EMV is named after its original developers (Europay, MasterCard, and Visa). The technology covers safer payment methods such as cards and mobile phones with embedded microprocessor chips that protect card data.
It’s worth noting that the EMV standard goes by different names such as “chip and signature” and “chip and PIN.” The growth of EMV technology can be explained by the fact that it puts a stop to fraudulent transactions.
This is because chip cards make it virtually impossible for fraud organizations to target diners in restaurants. Ask your payment processor or POS provider about the steps you’ll need to make the transition.
Another reason to switch to this technology is the shift in liability. Restaurants that fail to invest in chip-enabled technology may be financially liable for card-related fraud that could have been prevented with chip and pin systems.
4. Point-to-Point Encryption for Credit Cards
Threat actors can gain access to credit card information if it has not been properly encrypted. However, most modern point of sale systems come with immediate point-to-point encryption to safeguard credit card information. The encryption masks the diner’s data using a special algorithm, making it unreadable without the proper key.
The data stays encrypted from the point of purchase until it reaches its intended destination.
Even if a hacker gains access to your network (which they should not), they will not be able to decode anything of value.
5. Use Encrypted Wi-Fi Networks
Nearly every restaurant offers Wi-Fi - it allows diners to keep up with their social media and check emails. Unfortunately, public Wi-Fi networks are low-hanging fruit for hackers because of their lower security levels.
There’s also the added risk of an unaware restaurant employee configuring a secured network as “open,” which gives cybercriminals easy access.
Once in, hackers can simply sit and monitor the information going through the network.
You can put a stop to it by locking down your network with a strong password and being selective about who can access it. If you want to provide free Wi-Fi for your guests, do so by creating a separate portal for customers to isolate your POS systems.
Pro tip: Install a firewall to separate devices. A properly configured firewall can isolate malware-infected devices from infecting other devices on your restaurant network.
6. Conduct a Background Check of Restaurant Employees
It isn’t uncommon for employees acting in bad faith to use a camera phone to photograph a credit card for malicious use while it is out of the customer’s sight. This is a security loophole that could jeopardize your reputation and expose you to financial penalties. Background checks can uncover red flags and help keep people with bad intentions off your staff.
If you have recently installed a new high-definition video security system, monitor your employees to see whether any of them are watching the security footage to glean card data from the videos. This has been known to happen.
7. Train Your Employees about Cybersecurity Best Practices
First things first: you should block off areas of your network that process sensitive information. This will make it harder for any malware to spread and limit different users to parts of the restaurant’s network they need to do their jobs.
Pro tip: By segmenting your network, you can keep parts of your data (such as POS transactions) isolated from third-party vendors.
Next, tell your employees (especially those handling customer data) about phishing emails. Most ransomware attacks occur when an unwary employee downloads attachments from infected emails. Such an email carries malware that can infect your entire network.
Your employees should know better than to click links in emails or download attachments from unknown sources.
In addition, configure your POS system in such a way that it can log all activities with a unique identifier. This will allow you to track potential bad actors and identify fraudulent transactions.
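Once every POS action is logged with the employee’s unique login id, the log can actually be reviewed rather than just stored. The following is an added example written for this article, not code from MenuCRM or any POS product; the log format (timestamp, terminal, employee id, action, amount), the trading hours and the sample lines are all constructed for the example. It flags two patterns a manager would want to look at: an employee whose actions are mostly voids and refunds, and any transaction outside trading hours.

```python
"""Added example, not from the article: reviewing a POS audit log in which every
action carries the employee's unique login id, to spot patterns worth a closer look.
The log format, the trading hours and the sample lines are constructed for this example."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, terminal, employee id, action, amount
SAMPLE_LOG = """\
2021-03-04T11:02:10 T01 emp_017 SALE 24.50
2021-03-04T11:05:42 T01 emp_017 SALE 18.00
2021-03-04T12:10:03 T02 emp_042 SALE 41.25
2021-03-04T12:12:55 T02 emp_042 VOID 41.25
2021-03-04T12:30:17 T02 emp_042 SALE 12.00
2021-03-04T12:31:02 T02 emp_042 REFUND 12.00
2021-03-04T13:01:44 T02 emp_042 VOID 19.75
2021-03-04T23:48:09 T01 emp_042 REFUND 150.00
2021-03-04T14:15:00 T01 emp_017 SALE 9.75
"""

OPEN_HOUR, CLOSE_HOUR = 10, 22   # assumed trading hours (10:00 to 22:00)
REVERSAL_RATIO = 0.5             # flag when more than half of an employee's actions undo sales
REVERSALS = ("VOID", "REFUND")


def parse_log(text: str) -> list:
    """Turn the whitespace-separated log into a list of records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, terminal, emp, action, amount = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "terminal": terminal,
                        "emp": emp, "action": action, "amount": float(amount)})
    return records


def reversal_ratios(records: list) -> dict:
    """Fraction of each employee's actions that are voids or refunds."""
    counts = defaultdict(lambda: [0, 0])   # emp -> [reversals, total]
    for r in records:
        counts[r["emp"]][1] += 1
        if r["action"] in REVERSALS:
            counts[r["emp"]][0] += 1
    return {emp: rev / total for emp, (rev, total) in counts.items()}


def after_hours(records: list) -> list:
    """Records whose timestamp falls outside the assumed trading hours."""
    return [r for r in records if not OPEN_HOUR <= r["ts"].hour < CLOSE_HOUR]


def review(text: str) -> list:
    """Return human-readable findings for a manager to follow up on."""
    records = parse_log(text)
    findings = []
    for emp, ratio in sorted(reversal_ratios(records).items()):
        if ratio > REVERSAL_RATIO:
            findings.append(f"{emp}: {ratio:.0%} of actions are voids/refunds")
    for r in after_hours(records):
        findings.append(f"{r['emp']}: {r['action']} {r['amount']:.2f} on {r['terminal']} "
                        f"at {r['ts'].isoformat()} outside trading hours")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Because each record carries an employee id rather than a shared "cashier" login, both findings point at one specific account; with shared logins the same log would tell you only that something happened on terminal T02.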
Give each staff member their own user account on the POS system, protected by a strong password that is not shared with anyone else. Use two-factor authentication to further bolster the security of your network.
Remember that it is your staff’s responsibility to keep the restaurant and its diners safe from data breaches.
8. Develop a Response Plan for Potential Data Breaches
Restaurateurs should not sit around and wait for attacks to occur. They should assume that it’s a matter of when, not if, hackers will target them. A response plan should be put in place to mitigate the damage and streamline communication in the event a data breach occurs.
This is important because it can take a long time for restaurants to identify a data breach. Breaches that take longer than 100 days to identify can cost organizations a lot more than breaches that take under 100 days to identify. When it comes to data breaches, time is of the essence to identify the attack and do damage control.
9. Get a Risk Assessment from Experts
A risk assessment or cybersecurity audit will provide you with a comprehensive review of your restaurant’s network infrastructure to identify threats and vulnerabilities. This audit should be conducted every few months by cybersecurity experts in the restaurant industry.
Once you take complete stock of your network devices, you can then trace what information is being transmitted and why. You can also make important decisions. For example, if a connection isn’t serving its intended purpose anymore, you can close that channel for good.
Optional Step: Buy Cyber Liability Insurance
Also known as Data Breach Insurance, it provides coverage to businesses after they experience data loss caused by a breach.
Although cyber liability insurance doesn’t prevent data breaches, it helps protect your business from the financial fallout. You may also be reimbursed for bank fees, fines, and penalties incurred because of the breach.
Your diners trust you with their money and data, and it is your responsibility to ensure you are doing everything you can to protect their financial data - and in doing so, your own business.
Learn more about cybersecurity in the restaurant industry at MenuCRM.