An independent audit of 100 of the top restaurant chains in the U.S. revealed that 80 percent of those chains have at least one unit putting customers’ identities at risk of theft. An online and mobile transactions firm recently released its PCI Risk Rating Study, which found that a number of restaurants are in violation of PCI regulations. The violations involve employees who write down credit card numbers given to them by customers ordering over the phone.

Noah Glass, the firm’s CEO, says the firm set out to perform the study after learning how strict the rules are for the call centers that retailers often use for credit card transactions.

“I heard [about] these guidelines, which are very strict and include not allowing people to bring in writing implements with them into the facility and incinerating all documents and shredding all documents,” he says. “I started to think about our restaurants, who oftentimes take in credit card information over the phone for takeout orders.”

Glass says the firm randomly selected five units from each of the 100 top restaurant chains in the U.S. as part of the study. The firm called each of these units to place a takeout order, and noted which of those units had employees offer to write down a credit card number, an action that violates PCI regulations.

Results of the study showed that 80 percent of the chains had one unit or more write down the credit card number. Chains with nationwide online ordering tools were three times more likely to be in compliance with regulations, and pizza chains had 31 percent fewer violations of PCI guidelines.

Violations of the PCI guidelines may be so widespread, Glass says, because chains often believe that simply having a company policy is enough to comply.

“Where the rubber meets the road, you really do have operators who are still taking credit card information over the phone, and I think that there’s been this sort of false comfort of, ‘Well we have a policy, so it’s not being done,’” he says.

“It doesn’t really work when you’ve had a breach and you’re liable for hundreds of thousands of dollars, to say, ‘We have a policy against it.’”

On July 1, 2010, stricter PCI compliance rules go into effect across the U.S., which Glass says has restaurant IT employees rushing to fix the holes. He says there are many ways restaurant chains can ensure that no credit card numbers are written down within units, including increased usage of call centers or online ordering.

“There needs to be more of a formal process in place for taking those credit card details in the risk of somebody using those credit card details outside of the restaurant,” Glass says.

By Sam Oches
