• NRA
    NRA We Serve America's Restaurants Representing nearly 500,000 restaurant businesses, we advocate for restaurant and foodservice industry interests and provide tools and systems that help members of all sizes achieve success.
  • NRAEF
    NRAEF Building & Retaining Talent The NRAEF is focused on developing a stronger workforce and building the next generation of industry leaders through education, scholarships and community engagement.
  • NRA Show
    NRA Show May 17-22, 2018 As the international foodservice marketplace, the NRA Show provides unparalleled opportunities for buyers and sellers to come together, conduct business and learn from each other.
  • ServSafe
    ServSafe Minimize Risk. Maximize Protection. For over 40 years, ServSafe® training programs have delivered the knowledge, leadership and protection that have earned the trust and confidence of business leaders everywhere.

National Restaurant Association - Essentials of restaurant data security and how to protect against a breach

Skip to navigation Skip to content

Payments HQ

Essentials of restaurant data security and how to protect against a breach

Data compromises have become commonplace. In the first nine months of 2014, there were 904 million records compromised in 1,922 confirmed incidents for businesses accepting credit and debit cards in the United States. Many of the incidents involved record-setting amounts of data, including 20 incidents that compromised more than 1 million records each.

What constitutes a breach?

The most common way that thieves steal this type of card data is by hacking into cash registers and POS systems at restaurant locations and planting malicious software that surreptitiously records magstripe data when cards are swiped through the machines.

What is the cost of a breach?

A 2014 Ponemon study found that the the average cost for each lost or stolen record containing sensitive and confidential information increased from $188 in 2013 to $201 in 2014. The total average cost to involved organizations increased from $5.4 million to $5.9 million.

What is a business’s chance of a card breach?

Verizon issues an annual report on data breaches. The chart below summarizes their findings.

PCI and the cost of compliance

Mandated by the card companies since June 2001, the Payment Card Industry Data Security Standard (PCI DSS) specifies a broad range of technical, administrative and physical security controls for businesses that accept cards. While the PCI DSS is made up of only 12 main requirements, they are divided into more than 200 sub-requirements—all of which must be satisfied to achieve full compliance.

When surveyed by Gartner in 2008, the biggest card-handling companies—the Tier 1 merchants, which Visa classifies as those processing more than 6 million transactions annually—had an average PCI compliance setup cost of $2.7 million, a significant outlay considering it doesn’t include ongoing services. Just two years earlier, similar research found Tier 1 implementation costs were just $568,000. Yet with significant annual spending to maintain PCI compliance, many Tier 1 businesses such as PF Chang’s, Target, Neiman Marcus and others succumbed to data breaches. Clearly, PCI compliance alone is not enough to eliminate the risk of card breach.

EMV and security

EMV improves the security of payment transactions in three areas:

  • Dynamic card authentication protects against counterfeit cards;
  • Cardholder verification using PIN authenticates the cardholder and protects against acceptance of lost and stolen cards if a merchant chooses to use PIN technology and it is supported by their processor and bank;
  • Transaction authorization using issuer-defined rules to authorize transactions reduces the chance for transaction interception or “man-in-the-middle” attacks.

However, EMV does not encrypt the cardholder account number or discretionary data that hackers can steal and monetize. While stolen EMV card data cannot be used to create a counterfeit magnetic stripe card, it can be used for card-not-present transaction fraud such as e-commerce. Merchants that experience a breach of EMV card data that is used fraudulently are liable for that misuse. Additionally, each EMV card issued in the U.S. will carry a magnetic stripe that can be skimmed and used to create a magnetic stripe card. While that counterfeit card cannot be used at an EMV-enabled terminal or PIN pad, it can be used at a non-EMV device and processed successfully. Visa, the largest card brand in the U.S., has stated that there is no “sunset” date for magstripe.

The National Restaurant Association does not consider EMV alone a strong motivation for restaurants to make changes to their systems and business. However, the NRA strongly endorses encryption and tokenization to secure card data to significantly reduce risk, and some processors provide these state-of-the-art measures and include EMV capabilities.

Encryption

Encryption of cardholder data with strong cryptography is an acceptable method of rendering the data unreadable. The PCI SSC states, “Encrypted data may be deemed out of scope if, and only if, it has been validated by a QSA or ISA that the entity that possesses encrypted cardholder data does not have the means to decrypt it.”

If a merchant encrypts cardholder data but does not possess the means to decrypt it, the cardholder data is not considered in scope once it has been encrypted. The best means to encrypt cardholder data is within a terminal or PIN pad that is PCI PIN Transaction Security (PTS) certified.

1. An encrypted PAN (Primary Account Number) is still defined as cardholder data and in scope for PCI DSS compliance if the merchant has access to the key and ability to decrypt data

2. If a merchant has no ability to decrypt encrypted data, the encrypted data is not card data and is NOT in scope of PCI

3. Systems that transmit, process and store such encrypted data are not in scope

4. Encryption removes clear text card data at point of entry to eliminate PCI scope risk

5. By removing clear card data from the merchant’s environment, the opportunity for monetization of the card data is also eliminated

Tokenization

Tokenization replaces sensitive data such as credit card numbers with tokens, and is one of the data protection and audit scope reduction methods that is recommended by PCI DSS.8 The use of tokens for post-authorization operations such as returns, chargebacks, recurring payments, sales reports, analytics or marketing programs eliminates the storage of the PAN and subsequent use of the PAN. Tokenization takes applications and systems for these business processes out of PCI scope.

In summary, while PCI compliance is important and required, it’s all about risk management. When you remove clear-text card data from your network, you reduce the risk of card data being stolen while reducing your PCI DSS scope and cost. EMV and encryption remove the ability to monetize card data through verification and encryption. Encryption and tokenization remove card data from the businesses. Encryption eliminates the risk of monetizing stolen card data. Encryption and tokenization reduce a merchant’s PCI scope per the Coalfire study.

This content was provided by Heartland Payment Systems, the National Restaurant Association’s only endorsed provider of secure card processing, payroll and loyalty-marketing services.


Tokenization FAQs

Tokenization is the process of replacing a card’s primary account number (PAN) with a unique alternate card number, or “token.”

Founding Content Partners

We're glad you're here!®

® 2012-2013 National Restaurant Association. All rights reserved.

2055 L St. NW, Suite 700, Washington, DC 20036
(202) 331-5900 | (800) 424-5156