Restaurant Supplier Experiences Second Data Breach in Just a Year

by Kristyan Mjolsnes
January 17, 2013 12:00PM

For the second time in about one year, the wholesale restaurant supplier Restaurant Depot has suffered a breach of its credit card system. BankInfoSecurity.com is reporting that the breach occurred between November 7 and December 5, 2012. The number of credit cards affected and exactly how the breach occurred have not yet been disclosed. Restaurant Depot also owns the Jetro Cash and Carry chain and has 81 locations nationwide. The attack was not on one single location’s POS system but on the chain as a whole.

Restaurant Depot experienced its first breach right around the same time of year in 2011. That breach was first thought to have compromised up to one million cards. In the end a more modest 200,000 cards were confirmed stolen. Hackers stole the data by breaking into Restaurant Depot’s unsecured network. According to the 2011 reports, “[The] cybercriminals placed malware onto the credit and debit card processing systems used in Restaurant Depot’s stores, and then harvested the stolen data and sent it to a server in Russia.”

This repeat breach has a lot of people wondering whether Restaurant Depot really did all it could to secure its payment systems after the first breach in 2011. The President of the company, Richard Kirschner, maintains that at the time of this second breach, their payment systems were fully compliant with the PCI DSS.

Study Shows Merchants Likely Underestimate the Effects of a Data Breach

by Kristyan Mjolsnes
November 26, 2012 5:00PM

Yet another restaurant is left reeling from the effects of a data breach. This time, it is the Indiana-based Mexican grill Casa Grande. The restaurant’s credit card system was reportedly hacked by an outside party between September and October of this year. A manager at the restaurant speculated that around 20 people have called the restaurant thus far with complaints of fraudulent charges on their cards. However, there are no formal reports on how many customers have been affected or what the fraudulent charges add up to. Even though the restaurant has identified the issues and secured its cardholder data network, it still has a long road ahead, which includes a forensic investigation, assessed fees and fines, being viewed as a heightened security risk by the card brands, regaining customer loyalty and even possible civil lawsuits.

Many merchants do not realize the effect that a breach can have on their business. The Ponemon Institute, a leading organization that conducts independent research on privacy, data protection and information security policy, recently put out the study “State of Cyber Security Readiness”. This study reaffirms that merchants in the United States underestimate the effect a breach will have on their business, which in turn greatly affects their level of security readiness. In the study, the perception gap is shown by comparing the views of merchants who have never been breached to the actual experiences of merchants who have.

Is Your Network Secure and Ready for Black Friday?

by Kristyan Mjolsnes
November 20, 2012 10:30AM

Photo courtesy of NPR.org

Thanksgiving is just a couple of days away and the holidays are right around the corner. If you have not done so already, now is the time to reaffirm that your business is prepared and secure for the busy holiday season. Black Friday is the unofficial kickoff to the holiday shopping season and is hands down the busiest shopping day of the year. However, retailers are not the only ones preparing for the rush.

According to the National Restaurant Association, 70 percent of all Americans who go shopping on Black Friday will dine out during their shopping trip.  That comes out to be about 32 million people!

The holiday season is traditionally busy for retailers and restaurants alike.  People are out and about shopping and partaking in holiday festivities, which often results in them being too busy to cook at home so they end up eating out more frequently.

The increase in traffic at your restaurant means more customers and more revenue. It also means more credit and debit card transactions and more sensitive data moving through your business network. Hackers are aware of the increased traffic during the holiday season and see it as a prime time to break into networks and steal data. It is very important to be certain your network and POS system are secure so that you do not become a victim of a data breach during the holiday season.


If You Shop at Barnes & Noble, Check Your Bank and Credit Card Statements

by Kristyan Mjolsnes
November 7, 2012 11:00AM

Photo courtesy of NPR.org

Yet another large retailer has been breached. This time it is the chain Barnes & Noble, the nation’s largest retail bookseller. It is being reported that the retailer had customer credit and debit card information stolen through the PIN pad devices used to process payment card transactions at the checkouts.

Barnes & Noble became aware of the breach at 63 of its locations on September 14, 2012. As a precaution it not only removed the PIN pad devices from the affected stores, but removed PIN pads from all of its nearly 700 stores.


Initial reports state that the attackers tampered with the PIN pad devices so that they could capture credit card data by skimming. When cards were processed for a purchase at the checkout, the sensitive card data was transmitted to the attackers.

SAQ 101: Requirement 7

by Dave Gavic
October 4, 2012 10:45AM

Implement Strong Access Control Measures

Requirement 7 of the PCI DSS: Restrict access to cardholder data by business need-to-know

One of the most important practices for minimizing your risk at the merchant level is to limit access to system components and cardholder data. Only those individuals whose jobs require such access should be given credentials. Requirement 7.1 reiterates precisely that, and following this requirement is crucial to achieving and maintaining PCI compliance.

The “principle of least privilege” is a very important security practice and should be followed at all times. It means giving employees access only to the specific devices and/or data their work requires, and nothing beyond that. If an employee has no significant reason to access certain rooms, devices or data, then that employee should not be given access. Every additional employee with access to sensitive information like cardholder data is one more pathway to your data, and therefore increases the risk of that information being used in a malicious manner.

Requirement 7.1.2 takes limiting privileges to employees even further and states:

Assignment of privileges is based on individual personnel’s job classification and function.

Assigning user access controls based on an employee’s job classification and function is known as role-based access control. If you hire an employee to do maintenance tasks such as cleaning the parking lot, fixing external structures and landscaping, should you be granting this employee access rights to the cardholder environment at your store? Hopefully your answer is no!
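The following is an added example, not code from the SecureConnect post: a deny-by-default, role-based access check in the spirit of Requirement 7.1.2, plus an audit that flags accounts provisioned beyond what their job function needs. The job classifications, system components and staff list are constructed for illustration.

```python
# Privileges each job function needs; anything not listed is denied.
# Only roles whose duties touch payment processing reach CDE components.
ROLE_PRIVILEGES = {
    "cashier": {"pos_terminal"},
    "store_manager": {"pos_terminal", "pos_backoffice"},
    "payment_admin": {"pos_terminal", "pos_backoffice", "cde_database"},
    "maintenance": set(),  # parking lot and landscaping: no CDE access
}

# System components that store, process or transmit cardholder data.
CDE_COMPONENTS = {"pos_terminal", "pos_backoffice", "cde_database"}

# Constructed staff directory: login -> job classification.
STAFF = {"alice": "payment_admin", "bob": "cashier", "carol": "maintenance"}

# Constructed entitlements as actually provisioned on the systems.
PROVISIONED = {
    "alice": {"pos_terminal", "pos_backoffice", "cde_database"},
    "bob": {"pos_terminal"},
    "carol": {"pos_terminal"},  # over-provisioned: violates 7.1.2
}


def is_allowed(user, component):
    """Deny by default: grant only what the user's job function needs."""
    role = STAFF.get(user)
    if role is None:
        return False
    return component in ROLE_PRIVILEGES.get(role, set())


def audit_entitlements():
    """Return (user, component) pairs granted beyond the role's need,
    the gap an assessor reviewing Requirement 7 looks for."""
    findings = []
    for user, granted in sorted(PROVISIONED.items()):
        for component in sorted(granted):
            if not is_allowed(user, component):
                findings.append((user, component))
    return findings


def cde_pathways():
    """Users whose role legitimately reaches the CDE: each one is a
    pathway to cardholder data that must be justified and reviewed."""
    return sorted(u for u, r in STAFF.items()
                  if ROLE_PRIVILEGES.get(r, set()) & CDE_COMPONENTS)
```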
