Don’t let credit card fraud put you out of business
Experts explain how to protect yourself—and your customers—and stay ahead of the PCI compliance curve
The topic may be considerably less thrilling than dreaming up your next lobster-topped specialty pie or social media campaign, but failing to protect your customers—and your business—from credit card fraud can be downright disastrous for an independent pizzeria. Not only will it destroy your restaurant’s reputation among your most loyal customers, it could put you out of business through exorbitant fines related to PCI compliance. You could also be held responsible for absorbing costs associated with fraudulent credit card use if you don’t accept the chip-enabled EMV credit cards that have been rolling out in recent years.
Sounds serious, right? Fear not—we asked experts in the field of payment technologies to help us sort through the quagmire of compliance in layman’s terms. With a little help from your POS provider and with the right equipment in place, you can stay ahead of the PCI curve.
The Payment Card Industry (PCI) Security Standards Council was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa. The cornerstone of the organization is the PCI Data Security Standard (PCI DSS), a system of processes and rules to protect cardholders and businesses from credit card fraud—a major yet often overlooked problem among small operations, according to Robert Martin, vice president, security solutions, of Ingenico Group, based in Alpharetta, Georgia. “The DSS has requirements regarding the use, storage and transmission of that data, with the intent of keeping cardholder data out of criminal hands,” he notes. “Large merchants having data collected by criminals and resold makes headlines, but small merchants are being breached every day because they’re not adequately protecting data or are using older systems. All of the systems that handle credit card data need to have adequate protection.”
Jyothish Varma, director of security solutions at Atlanta-based EarthLink, says small business owners need to get caught up on PCI compliance quickly. “If you’re accepting credit cards at your pizzeria, you have to make sure the card data is protected and not out there in the hands of hackers,” Varma explains. “PCI compliance means you have proper protection and safeguards in place that protect the customer information—specifically, the credit card information—and the PCI Council has created guidelines for merchants to follow.”
Many pizzerias deal with “card-present transactions,” meaning the customer swipes or inserts the card in person. Standalone terminals that process credit cards often send info directly to credit card companies, helping it remain protected. But there are other requirements for manual entry (phone or fax orders) as well as online ordering. “For these kinds of orders, the info may be stored on your POS system or even in a database through the life of the order, and there’s a whole set of requirements associated with that,” Martin says. “You can’t just throw a fax with credit card information in the trash, for example.”
Accepting chip-enabled credit cards protects payment data and helps you verify that the card is legitimate, not counterfeit.
Solving the PCI Puzzle
Unfortunately, experts agree that small business owners, such as pizzeria operators, often don’t protect their customers’ vital information. Making matters more complicated, Varma says the PCI guidelines are updated about every 12 to 18 months based on how technology evolves (indeed, Martin notes that the big breaches of 2013 were due to criminals upping the bar on how they attacked). The PCI divides merchants into different tiers, from level one to four, depending on how many transactions are completed per year (many mom-and-pop shops will fit into level four). Regardless of your level, however, customer data must be securely stored—with appropriate firewalls when necessary—to keep info out of a thief’s hands. “For example, the network that customers use to connect to WiFi should be different from the network that’s processing credit card transactions,” Varma says. “Other guidelines require the merchant to scan his network on a quarterly basis to ensure no security vulnerabilities in the system.”
Merchants can fill out a self-assessment questionnaire (SAQ) from the PCI Council (pcisecuritystandards.org), but many operators are confused by the complicated technicalities—not surprising, as the organization’s glossary of terms alone fills 23 pages. “The question is, how much does the business owner understand what’s in the SAQ?” Martin asks. “They’re in the business of making pizzas, not securing their networks.” Credit card companies are trying to solve the challenge by requiring that payment systems—such as a PCI-compliant POS system in a pizzeria—be installed by a certified installer. This would allow the merchant to have confidence the system has been installed appropriately and up to security standards. Martin also suggests working with your merchant services provider and/or your POS system vendor to determine how to appropriately protect and secure the system.
You’re Not Alone
If it all sounds outside your realm of knowledge or interest, you don’t have to struggle through this alone. Third-party companies like EarthLink, Trustwave and SecureWorks (to name a few) can help merchants become PCI-compliant for a nominal monthly fee, and some even provide insurance in case of breaches. They can also help you set up a PCI-compliant firewall or PCI-compliant Virtual Networking Computing tunneling (for merchants with multiple locations), or route info directly to payment processors to protect data. These companies can even assist with employee training—such as how to maintain secure transactions if your POS system goes down—so that credit card info is protected.
Before you shrug off the need for compliance—and many restaurant operators have been doing just that, at their own risk—keep in mind that penalties for noncompliance with PCI requirements can reach into six figures. That can be catastrophic to a small pizza operation. And there are other risks, such as “destruction of a brand,” says Eric Hyman, vice president of product management for EarthLink. “Your customers are going to be hesitant to do business with you if you’re not secure. You can have a huge drop in revenue or, frankly, be out of business.”
Another way to protect yourself from credit card fraud is by using specialized readers to process chip-enabled cards, also called EMV (an acronym that stands for its creators: Europay, MasterCard and Visa) technology. This technology features payment instruments, such as credit or debit cards, with embedded microprocessor chips that store and protect cardholder data. It’s also called “chip and PIN” or “chip and signature” technology. (In Europe, “chip and PIN” cards, which require PIN entry, have been de rigueur for years, but in the States, “chip and signature” is much more common.)
“Payment data is more secure on a chip-enabled payment card than on a magnetic stripe,” notes credit card giant Chase. “Data from a traditional (magnetic stripe) card can be easily copied (skimmed) with a simple and inexpensive card reading device—enabling criminals to reproduce counterfeit cards.”
Hence, Martin explains, while PCI compliance is meant to protect credit card info from theft in the first place, the chip-enabled EMV cards offer a better way to prevent credit card fraud by those who have already stolen that information (i.e., by creating fake credit cards). “EMV is all about authenticating the card or cardholder,” Martin says. “One set of criminals captures card data, and another set buys that data to use it personally or resell. So EMV protects merchants from the fraud already out there, while PCI protects them from being the source of fraud.”
Sticking with the old-fashioned “swipe and go” payment method makes consumers more susceptible to credit card fraud.
The card’s embedded chip, using cryptographic techniques, demonstrates it’s a valid card. The chip can only be processed by an EMV-enabled card reader (although most bank cards themselves still come with both the chip and the magnetic stripe for swipe-and-sign card readers). Lost and stolen cards remain a possibility, but Martin says these are much less common than counterfeit cards. However, because the chip eliminates much of the fraud in card-present transactions, it’s imperative to protect your online ordering systems as well, because info thieves will now head there instead. “Criminals may not be targeting Joe’s Pizza website today if they can get to its POS system, but if they can’t get to [the POS] tomorrow, they may go after its website,” Martin warns. “Criminals don’t go out of business; they just change the way they attack. You’ll also need to make sure your online ordering system protects consumers’ data.”
Accepting EMV offers additional incentives to the merchant, according to Chase: New programs waive a merchant’s annual PCI-DSS audit if 75% of the card’s transactions are processed through an EMV-certified device. On the other hand, the “chip liability shift” states, “Merchants who have not made the investment in chip-enabled technology may be held financially liable for card-present counterfeit and potentially lost and stolen fraud that could have been prevented with the use of a chip-enabled POS system.” Instead of the credit card issuers taking the hit for credit card fraud, as of October 2015, merchants will now be held responsible for covering those costs.
In other words, the days of simple card swipes will wane in the years ahead. Merchants should purchase EMV-capable card readers (standalone or integrated with your POS system) that are loaded with certified software to read the chip and communicate with the card issuer. Ask your provider what EMV readers and terminals it supports and what software upgrades you need to support EMV transactions and an EMV device, Martin suggests. “The requirements of merchant compliance through PCI and EMV are about protecting their consumers and protecting their own businesses,” Martin concludes. “It adds some extra steps for the operator, but you wouldn’t go without fire extinguishers!”