
No Waiting On The Check When Dining For Identity Theft

By Lawrence M. Walsh, CRN March 30, 2007
Ponder this for a moment: Credit- and debit-card purchases now outweigh cash transactions. We are a world that lives on plastic. But how often do you physically lose sight of your credit card when paying for something? One of the few times is when you're at a restaurant.

When you say to the waiter, "No, I'm going to pass on the tiramisu, but I'll take the check," you hand over your credit card to the server and he disappears for five or 10 minutes before returning with your bill and receipt. What happens to your credit card in those moments is often a great mystery to us. Unlike a retail store or online purchase, we never see what the wait staff does with our card. Unfortunately, in some cases, they're making a duplicate imprint so they can ruin your credit.

Several restaurant chains are moving to stem this form of identity theft. Legal Sea Foods, for instance, is deploying portable point-of-sale (POS) devices in its 34 stores so diners won't ever have to let their credit cards out of their sight. "When we rolled it out, some people were offended by it or intimidated," Roger Berkowitz, Legal Sea Foods' chief executive, told The Boston Globe. "People are there to relax and have a good time, so there is a little bit of a fine line. But given the furor over credit-card protection, we're definitely starting to see more people wanting to experiment with it."

Ruby Tuesday, which has 900 restaurants nationwide, is implementing a system that will digitally shred all pertinent information immediately after a credit-card transaction is cleared. Within moments of a card clearing the bill total, the personal identifying information is purged from Ruby Tuesday's system. No real danger of exposure, except for the blue-haired waiter who took your card to the backroom kiosk for processing.

Scores of other restaurant chains are exploring similar means for protecting customers' credit-card information. This is good news for solution providers, since POS equipment sales and service have tremendous demand potential in the channel. However, is either of these approaches the right way?

Think about it this way: Wait staff making impressions of credit cards is the equivalent of sniffing packets on an open line or wireless connection hoping to intercept some valuable information. Does packet sniffing happen? Yes, but it's not very efficient. Legal Sea Foods may stop a few dozen people from having their credit cards compromised, while Ruby Tuesday will protect thousands.

Here's why, and it goes back to why Bonnie and Clyde robbed banks: "Because that's where the money is." The real cache of valuable information is in databases that contain tens of millions of records. Why go after the occasional individual transaction when you can crack a database that has millions of virgin credit-card numbers?

That's exactly what a group of hackers did to TJX, the parent company of such discount retailers as TJ Maxx, Marshalls and HomeGoods. A group of hackers installed what were probably rootkits and Trojans on the retailer's network at various locations, siphoning off nearly 46 million credit-card numbers over the past five years. It could be the single largest credit-card breach ever, nearly double last year's compromise of 26.5 million veterans' information. (For the record, I was affected by the Veterans Administration breach and will likely be by the TJX compromise.)

Security is about building synergistic systems that work in concert to prevent breaches. Solution providers need to pick vendors that have the right tools for encrypting data, maintaining access control, guarding stored data and detecting unusual activity. Many vendors in the wake of any identity theft incident will race to tell the world how they have the silver bullet. You should see the e-mails I've received after the TJX incident broke. The reality is no one product, technology or approach will prevent a security breach.

Solution providers are in the best position to take the available tools to build "appropriate" defenses. I say appropriate defenses because sometimes responses to such trends as identity theft are nothing more than giving people the perception that something is being done to improve security. If other restaurants follow Legal Sea Foods' lead and bring POS to the table, it won't do much to protect the credit-card numbers from being compromised once they land in the database. However, portable POS will do two things: give solution providers another sales opportunity and make dining checkout a little faster.

How are you helping your customers prevent identity theft? What approaches and technologies work best to stop security breaches? Send your thoughts to Larry.

