1. Monitor devices connected to your wireless network
Updating your operating system may sound like a technical nuisance to most, but older systems that are not updated may contain security loopholes. Next, limit access to those devices with a PIN or passcode and train staff to use those devices only for business. Employees are often seen browsing the internet on the POS device, and that is exactly how a lot of malware gets onto a network unintentionally.
2. Educate employees about phishing emails
The first thing some cybercriminals will do is attempt to send you or your staff phishing emails that, when opened, can infect the device with malware. You and your employees should be on guard to avoid clicking on suspicious emails or attachments. Devices should have antivirus and malware detection software. It is strongly suggested that you set up two-factor authentication for things like vendor payments so that it is harder for crooks to authorize a fraudulent payment.
3. Examine your third-party vendors
Most restaurants work with at least one outside vendor such as an employee payroll service, online ordering app, or loyalty program. With any third-party vendor that is going to have access to consumer payment information, make sure they are PCI compliant and that their security measures are equivalent to what you would have in place. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards requiring all companies, regardless of size, that receive, process, store or transfer credit card information to do so in a secure environment. For vendors with access to employee information, such as a payroll vendor, find out how that information is stored and protected. By managing third-party access privileges, those vendors can spend more time supporting customers while you spend less time worrying about security issues.
4. Securely store passwords
Never store passwords in a Word document or on paper kept near a computer. It is recommended to use an online password manager such as Dashlane or LastPass. A password manager also provides logs of who accessed the password information, which helps you find out who was the last person to go in before a problem arose.
5. Employee background checks
The U.S. moved to EMV technology (credit card chips) a few years ago, while most other countries use the more secure chip and PIN technology. Another difference: in most other countries, restaurants process credit card transactions with a portable terminal at the customer’s table. In the U.S., most restaurant servers take credit cards from customers and process transactions behind the scenes. This is a potential security loophole because an employee acting in bad faith can use a camera phone to snap a photo of the credit card for fraudulent use while the card is out of the customer’s sight.
6. Give each employee a unique identifier
Your POS system should be configured so that each server logs in with a unique identifier. That way you can track patterns and identify potential bad actors if customers complain about fraudulent credit card use after visiting your restaurant. Going back through the data, you can quickly see whether certain employees show up more often on cards that were breached.
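An added example of the pattern tracking described above (my code, not the article's): given a constructed POS export of (server login, card token) rows and a list of cards later reported as compromised, it compares each server's share of bad cards against the restaurant-wide baseline. The server names, card tokens and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample POS data (not real cards): the distinct card tokens each
# server handled during the period under review. A real POS export would give
# one row per transaction; the unique per-server login is what makes the
# server column trustworthy.
HANDLED_BY_SERVER = {
    "srv-ana": ["card-001", "card-002", "card-003", "card-004", "card-005"],
    "srv-ben": ["card-006", "card-007", "card-008", "card-009", "card-010"],
    "srv-cai": ["card-011", "card-012", "card-013", "card-014", "card-015"],
    "srv-dan": ["card-016", "card-017", "card-018", "card-019", "card-020"],
}
TRANSACTIONS = [(s, c) for s, cards in HANDLED_BY_SERVER.items() for c in cards]
TRANSACTIONS.append(("srv-dan", "card-003"))  # one card seen by two servers

# Cards later reported as used fraudulently (constructed list).
COMPROMISED_CARDS = {"card-003", "card-016", "card-017", "card-018", "card-019"}


def overall_rate(transactions, compromised):
    """Fraction of all distinct cards seen at the restaurant that were later
    reported compromised; the baseline every server is compared against."""
    cards = {card for _, card in transactions}
    return len(cards & compromised) / len(cards)


def server_exposure(transactions, compromised):
    """Per server: (distinct cards handled, of those compromised, compromised rate)."""
    handled = defaultdict(set)
    for server, card in transactions:
        handled[server].add(card)
    return {s: (len(c), len(c & compromised), len(c & compromised) / len(c))
            for s, c in handled.items()}


def flag_servers(transactions, compromised, min_cards=5, ratio=3.0):
    """Servers whose compromised-card rate is at least `ratio` times the
    overall rate. `min_cards` avoids flagging someone on one unlucky card.
    The output is a lead for investigation, not proof of wrongdoing: a server
    who works the busiest shifts will naturally handle more of any bad cards."""
    base = overall_rate(transactions, compromised)
    exposure = server_exposure(transactions, compromised)
    return sorted(s for s, (n, _, rate) in exposure.items()
                  if n >= min_cards and rate >= ratio * base)


if __name__ == "__main__":
    for server, (n, hit, rate) in sorted(server_exposure(TRANSACTIONS, COMPROMISED_CARDS).items()):
        print(f"{server}: {hit}/{n} cards compromised ({rate:.0%})")
    print("review:", flag_servers(TRANSACTIONS, COMPROMISED_CARDS))
```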
7. Use a firewall to separate devices
A correctly configured firewall can (among other things) keep malware-infected devices from infecting other devices on your network. Your kiosks never need to print to your main office printer, so they should not be on the same network. The back-office computer doesn’t need to communicate with the credit card chip reader. Segmenting the network this way helps significantly.
PCI compliance and other aspects of cybersecurity can be complicated, so unless you’re a large restaurant brand with a staff person or department dedicated to cybersecurity, you may want to hire an outside firm to help you go beyond the basics outlined above.
Digital Security 101 and 201 recommend best practices for protecting data in restaurants.
Phishing, ransomware, “denial of service” attacks, and malware are only a few of the ways cyber thieves attempt to access and steal valuable data. Recovery is expensive—financially and in loss of reputation.
The National Institute for Standards and Technology (NIST) developed the Framework for Improving Critical Infrastructure Cybersecurity with version 1.0 in 2014 and updated it to version 1.1 in 2018.