How Restaurants Can Mitigate PCI-Related Cyber Risks

As the role of consumer data expands across industries, the threat and consequences of cyber-attacks and data breaches grow more pronounced. The restaurant industry is no exception. In 2018, several large restaurants were subjected to such data compromises, including Dunkin’ Donuts parent company Dunkin’ Brands Inc., as well as Panera Bread and Cheddar’s Scratch Kitchen. Additionally, food and beverage companies were subject to nearly 10 percent of all data compromises in 2017, according to Trustwave’s Global Security Report, meaning many restaurants’ supply chains are vulnerable to interference. Data breaches are not only harmful to a restaurant’s operations and reputation but are also increasingly financially damaging. The U.S. Securities and Exchange Commission (SEC) recently reported that the average cost of a cyber data breach is $7.5 million – a figure that will only continue to grow as businesses’ reliance on data intensifies.
Restaurants, increasingly dependent on new technologies to enhance customer experience, strengthen sales, and improve operational efficiency, have been exposed to a plethora of new security risks in recent years. However, a large share of the industry’s vulnerability can be attributed to its use of technology that is outdated or has not been properly secured. Point of Sale (POS) systems, relied upon by restaurants to process millions of credit and debit card transactions every year, are a potential goldmine for cyber criminals. In fact, customized malware allows these individuals to remain undetected as they lift credit card data from restaurants’ POS systems. By the time the targeted organization detects the issue, it’s often too late.
With their reputation as well as millions of customers’ data at risk, it is vital that restaurants remain diligent when it comes to payments processing. This means paying close attention to Payment Card Industry (PCI) standards. The standards, set and enforced by the PCI Security Standards Council, are designed to minimize the risk of data breaches and are a requirement for any business that processes card data. The requirements have been around since 2004 and have continued to change and adapt to reflect the security and cyber trends affecting companies.
Restaurants, even those outsourcing technology, payment solutions, or components of their payment activity, are responsible for protecting data and adhering to PCI requirements. Outsourcing could mean a reduction of some responsibilities, but it does not eliminate all PCI responsibilities. If tasks are not outsourced, a restaurant may be responsible for installing firewalls, ensuring POS hardware and software remain secure, and patching and updating systems. Regardless of the level of activity, all restaurants should be completing some level of self-assessment questionnaire. A full report on compliance may be necessary, depending on the requirements set forth by the card brands and the PCI Security Standards Council.
Restaurants face a specific set of challenges when it comes to PCI compliance – for one, training employees, managing the payment transactions that employees perform, and potentially limiting employee access to bulk data. Even if transactions are sent to a third party for processing, POS device security and employee training remain part of the restaurant’s responsibility for ensuring transactions are secure. If restaurants are using third-party vendors to help reduce the risk of breaches and loss of data, the third parties must show the restaurant how they comply with the PCI security requirements on an annual basis. The restaurant is then required to document the annual vendor validation of the third parties it uses.
Beyond these steps, however, restaurants must take a holistic approach to information governance to determine that sensitive data is protected across the organization. As cyber criminals become increasingly sophisticated, it is important that organizations act proactively so data is kept secure. Simply put, it is easier – not to mention much less costly – to prevent a data breach than it is to correct one.
By following the recommendations outlined below, restaurants are able to safeguard valuable information assets much more effectively. Enlisting the help of a Qualified Security Assessor will be beneficial so potential risks are identified, and PCI requirements are met.
1. Conduct Email Threat Assessments (Cyber Threat Reduction)
Given the increasing number of cyberattacks delivered via email, companies are increasingly conducting periodic email threat assessments, especially to detect malware that made it past their anti-virus software and firewalls and has so far gone undetected.
2. Perform Network & Endpoint Threat Assessments (Cyber Threat Reduction)
With the expansion of information systems, software applications, bring-your-own-device (BYOD) policies, and the Internet of Things (IoT), organizations are increasingly testing their networks and endpoints via threat assessments using sophisticated Intrusion Detection Systems (IDS) to reduce potential vulnerabilities to cyber-attacks.
3. Conduct Spear-Phishing Campaigns (Cyber Threat Reduction)
Due to the significant increase in spear-phishing attacks, organizations should periodically test the cyber awareness of their employees and their susceptibility to cyber-attacks by engaging certified ethical hackers who can conduct social-engineering-based spear-phishing exercises.
4. Perform Vulnerability Assessments & Penetration Testing (PCI Requirement)
Most organizations either conduct internally or hire an independent firm to perform some form of vulnerability assessment, via vulnerability and malware scanning software, and penetration testing to discover potential external vulnerabilities to cyber-attacks. It is important to conduct these tests at least once a year, but twice a year or quarterly is better given the constant evolution of cyber-attacks.
5. Implement Effective and Timely Software Patch Management Program (PCI Requirement)
The most significant cyber data breaches in the past two years all resulted from organizations not implementing an effective and timely patch management program for their Microsoft and Cisco software.
6. Establish a Cybersecurity Awareness/Education Program (PCI Requirement)
The most cost-effective means of improving cybersecurity is to create a human firewall by providing quality cybersecurity education programs for all of your employees, from the top of the company to the bottom.
7. Conduct Cybersecurity Risk Assessments (Cyber Threat Reduction)
It is important to independently verify that an organization’s cybersecurity policies, plans, and procedures are sufficient to adequately protect the organization’s digital assets and to determine regulatory compliance with the appropriate industry cybersecurity standards.
8. Implement an Incident Response (IR) Program (PCI Requirement)
It is critical that every organization has a well-thought-through and periodically tested incident response (IR) program, including policies, a plan, processes, procedures, standard forms, and periodic exercises and/or simulations.
9. Ensure Continuous Monitoring, Detection, & Response (MDR) (PCI Requirement)
Every organization should invest in an appropriate level of MDR services based upon the cyber threats the organization encounters or anticipates. The key is to rapidly detect intrusions so that malware can be quickly contained and eradicated, reducing the negative impact upon information systems and data assets.
10. Invest in Business Continuity Planning/Disaster Recovery to Ensure Resilience (Cyber Threat Reduction)
Given the high probability of a cyber data breach, it is essential to have a reliable and secure off-line data backup system to minimize the impact on the organization’s operational performance and to protect its most valuable digital assets from loss or damage.
11. Formally Conduct Due Diligence and Monitor Third-Party Vendors (PCI Requirement)
Organizations use third parties in day-to-day activities that require a level of specialization and experience that may not exist within the organization. This is a common practice and allows the organization to focus on its core competencies. For data security and PCI compliance, the organization is responsible for due diligence and annual monitoring of those third-party vendors that may process, transmit, store, or affect the security of cardholder data. This includes all third-party vendors providing services related to hardware, software, IT services, payment processing, alerting, patching, and more. If a third party is performing those tasks on behalf of the organization, then it needs to show the organization that it is PCI compliant on an annual basis.
To learn more about cybersecurity for businesses, visit BDO’s Cybersecurity website.
To keep up with the latest thoughts from BDO’s Restaurant practice, please subscribe to the Selections Blog on the Selections homepage and follow us on Twitter at @BDORestaurant.