Every merchant that accepts credit and debit cards is required to be compliant with the Payment Card Industry (PCI) Data Security Standards (DSS), whose next set of standards will be released in October 2013. Yet despite these compliance requirements, the food and beverage industry had the highest percentage of data security investigations—at nearly 44 percent—for the second consecutive year, according to the Trustwave 2012 Global Security Report. In fact, industries with franchise models are the new cyber targets: More than one-third of 2011 investigations occurred in a franchise business, according to the report.
Layered security provides safety as Universal Commerce—which is integrated, personalized, secure, open, and smart—moves consumers away from traditional payment methods to new forms such as mobile wallets. As technology gets increasingly sophisticated, so do criminals’ methods of committing fraud; therefore, it is increasingly vital for quick-service restaurants to put time and investment into compliance and security. While PCI compliance can seem overwhelming, today it can be achieved and maintained more easily, quickly, and affordably with the right tools and resources—such as encryption, tokenization, and online compliance solutions—to protect payment data while it is in use, in transit, and at rest.
The layered approach: encryption, tokenization, and EMV
Layering security adds an extra step of work for cyber thieves who are trying to steal sensitive card data. For example, encryption refers to algorithmic schemes that encode plain text (for example, a card number) into a non-readable form called ciphertext; it is an increasingly critical measure that businesses can take to protect cardholder information as soon as the data is captured. If a quick serve relies on encryption alone, however, the card data remains in its systems, and a thief only has to decrypt it in order to access it.
Complementing data encryption with tokenization enables merchants to remove sensitive card data from their applications and storage systems. It replaces valuable information, like a cardholder’s primary account number (PAN), with a “token” that retains many of the required properties of the original data, but removes the elements that carry risk.
Tokens reduce risk and PCI compliance obligations because the merchant is not storing or using account data that can be monetized if stolen. They allow safer long-term storage of transaction information that can be used to support back-office operations and analyze customer behavior.
Beyond keeping track of current data security options, merchants need to keep up to date on emerging fraud-prevention technologies such as EMV smart card adoption. EMV refers to a set of global fraud reduction technology standards that ensure payment applications using chip-based cards are compatible around the world. A chip-based payment transaction occurs when microprocessors embedded in plastic cards or mobile phones connect to an EMV-enabled POS terminal, either contact or contactless, in order to execute a payment. With smart card technology, the data on the chip ensures the card is authentic, and the PIN or signature ensures that the person presenting the card is the rightful cardholder, validating the payment and reducing risk.
Beginning in 2011, the major card networks (including Visa, MasterCard, Discover, and American Express) issued EMV implementation roadmaps for merchants, acquirers, issuers, and ATM operators. Merchants should begin developing strategies for full implementation. Potential strategies include updating their POS terminals to accept both contact and contactless chip transactions and determining whether they will switch to chip-based prepaid cards in tandem with mainstream smart card payment options.
Because restaurants typically operate on a 3–5 percent pre-tax profit margin, according to the Trustwave 2012 Global Security Report, taking the time now to assess what a smart card payment enablement plan would look like can help quick serves prepare for implementation costs down the road.
It is important for merchants to do their best to protect their customers’ data to prevent the consequences of a payment card data breach. PCI standards, designed to reduce fraud and increase security, traditionally had the reputation of being a burden on merchants. However, with the right tools, staying PCI compliant and reducing fraud are not all that time-consuming or difficult. Companies such as First Data offer various solutions to help merchants get and stay on the right track. For example, the PCI Rapid Comply solution is an easy-to-use online self-assessment questionnaire (SAQ) and integrated vulnerability scanning tool that can help small to mid-sized operators achieve and maintain PCI DSS compliance.
Security’s role in the future of commerce
In the evolving world of Universal Commerce, taking the necessary steps to prevent fraud is even more essential for quick-serve operators.
Consumers’ interest in technology will continue to grow and restaurant operators should recognize that technology can enhance the customer experience and lead to increased revenue and repeat business. In fact, at quick-service restaurants, 44 percent of consumers say they would use self-order terminals; two in five would use smartphone apps to place orders or view menus; and more than one-quarter would use mobile payment options, according to the National Restaurant Association’s 2013 Industry Forecast. Today, less than 2 percent of quick serves offer these technologies, but 48 percent say they plan on investing more in customer-facing technology this year, according to the Forecast.
Fraudsters keep pace with technology, so merchants need to do their best to stay a step ahead. Operators must continue looking for flexible systems that support a scalable approach and should weigh technology decisions as part of a dedicated effort to secure sensitive information and address evolving business strategies. Proactively implementing a thorough approach will enable merchants to shift more focus to business objectives such as cash flow, profitability, and customer service.