The credit card industry has begun to penalize restaurants that do not follow proper security precautions.
The credit card industry has been coming down hard on tens of thousands of restaurants that have not sufficiently protected diners’ credit card data from potential theft. Over recent months, Visa, MasterCard and financial institutions that process electronic payments have been sending warning letters and holding seminars. Such moves are aimed at forcing restaurants to take additional steps to guard credit card information.
According to companies that process card transactions, tens of thousands of eateries are not complying with credit card industry security rules. Any company that takes plastic is required to follow a set of security regulations instituted by Visa, MasterCard, American Express and Discover.
Data recorded by Visa indicates that since January 2005, restaurants made up around 40 percent of incidents in which criminals gained unauthorized access to credit card information — accounting for the largest percentage of incidents for a merchant category.
Separately, AmbironTrustWave, a Chicago-based data security auditor for merchants, reported that 62 percent of the security violations it witnessed during the prior 18 months occurred in the restaurant industry.
The violations involved various security lapses such as poorly guarded wireless networks — which enable thieves to access information from the parking lot using a laptop — and lax systems that make it possible for unethical employees to grab credit card information.
Consumers often are unaware when their credit card information is in danger. Not all security breaches produce successful fraud, and most merchants do not acknowledge incidents unless there is a significant likelihood that a major fraud will take place or has already been identified. In addition, credit card issuers usually do not close a customer’s account unless fraud has taken place.
Restaurateurs may have a tough time with credit card security rules, since the regulations can be difficult for smaller merchants. The National Restaurant Association trade group says that it hears from restaurant owners who thought they complied with rules, but found out their systems were not functioning properly and were penalized.
Fines for restaurants that violate credit card industry rules by storing credit card information have amounted to more than $100,000 in some cases. In 2006, Visa fined merchants across all categories $4.6 million for security violations, an increase from the $3.4 million in fines the previous year.
Visa, which declined to provide a breakdown of merchant types, said it recently held special security briefings with several hundred restaurants, a merchant group Visa believes needs additional attention.
At the same time, companies that process credit card transactions are also turning up the heat on restaurants. These companies have threatened to end services to those that do not follow security regulations.
Credit card companies are especially worried about the specialized software restaurants use, which combines such features as tabulating bills, delivering orders to the kitchen and tracking reservations. Since credit card companies cannot require software makers to abide by their security rules, they instead apply pressure to restaurants. Visa maintains a list on its website of software programs that meet its requirements.
But software makers say that even with the best software, restaurants could be in trouble if they lack ample password protection or firewalls. Software companies say it is not up to them to let restaurateurs know what they must do to be in compliance with credit card rules.