VSAG on Watch: Protecting Against Credit Card Skimming

As seasoned restaurant consultants, our team has learned (sometimes the hard way) that if the back office is neglected and proven business methods are not implemented there, there can be no front of house to welcome guests.

Enter: Lara Hardcastle. Our smart, savvy Vice President who makes it her business to keep our business, and our clients' businesses, running smoothly from a technology perspective.

Case in Point. Taking note of recent warnings issued by the Payment Card Industry Security Standards Council (PCI) regarding a projected increase in restaurant industry cashiers and servers with credit card skimmers.

“Theft is a major restaurant industry issue,” says Lara. “We all play a role in keeping our customers’ credit card data safe. As Managers on the front lines, it is our duty to ensure a breach never happens from within by one of our staff members or a client’s team member.”

What is Skimming? According to PCI, it’s the unauthorized capture and transfer of payment data to another source to purposefully commit fraud, to the tune of two billion dollars annually.

What to Look For? Skimming devices can be handheld (*see PCI photo below) or hidden within a POS terminal/SIM card cover plate, and even as small as these elements are, they can hold a significant amount of data.

Best Practices include:

  • Location: identify risk factors and take measures to place terminals in open areas where infrastructure access can be monitored either by managerial staff or cameras
  • Security: assess each terminal's vulnerable areas, such as implementation of the latest connectivity/IT/wireless standards, individual data/purchases/updates, terminal disposal, PIN protection, and the like
  • Prevention: look to hire staff from reputable sources and utilize available resources from conducting background checks to checking references, etc.; make note of staff (i.e. new, inexperienced staff) that could be perceived as targets; use trusted referrals and resources whenever possible when employing outside vendors and purveyors
  • Identification: classify any threatened or compromised terminals immediately; notify appropriate agencies in order to minimize the impact, severity, and reoccurrence of attack(s)

Impacts of Skimming. Aside from the financial fraud against guest and merchant, a lack of PCI compliance carries additional long-term consequences, i.e. loss of employee trust, industry relationships, and consumer trust, all above and beyond the actual loss of monies, goods, and services. With the upcoming shift of liability from the processor to the merchant, the landscape is changing in enormous ways.

Knowledge is Power. Educate your team in skimming tactics and prevention. Encourage staff to come forward should they witness any indiscretion, assuring them that all information will be handled in confidence.