Plastic peril – identity theft
Identity theft has become a serious problem for businesses that accept debit and credit card payments - making it even more important for hospitality operators to be PCI compliant. Yet, as Daniel Thomas reports, many are failing to get on top of it.
With just a week left until Christmas, consumers up and down the country will be doing some serious damage to their debit and credit cards.
Much of that will be intentional of course, but research released last week by fraud specialist CPP warned that more than 300,000 Britons will be hit by bank card criminals over the festive period.
The prediction highlights what a serious problem identity theft has become for both consumers and businesses that accept card payments.
The implications for businesses that are caught up in identity theft can be huge, as illustrated by a legal case across the Atlantic. At the end of last month, a group of US restaurants filed a class action lawsuit against point of sale (POS) software supplier Radiant Systems and its distributor Computer World, claiming hundreds of their customers had their identities stolen as a result of payment terminals that were not compliant with the Payment Card Industry Data Security Standard (PCI-DSS).
All businesses accepting credit card payments are contractually obligated to use equipment and software from PCI-DSS compliant suppliers.
The seven restaurants in Louisiana and Mississippi are seeking millions of dollars in damages from Radiant and Computer World for "poor business practices and faulty software" that, they allege, led to diners having their identities stolen.
The plaintiffs say they were "hit with huge fines", required to pay for forensic audits to trace the problems, reimburse fraud costs to the credit card companies and pay for re-issuance of credit cards to affected individuals. The suit is seeking compensation to repay the penalties levied by the credit card companies and costs to track down and repair the POS system problems.
While there has not been a similar case in the UK, yet, the lawsuit brings the issue of PCI compliance into sharp focus for hospitality operators. Under the PCI standard - a joint operation covering all the major card brands - businesses that store, process or transmit cardholder data are required to build and maintain a secure IT network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures and regularly monitor and test networks. Those companies that are found in breach of the standard run the risk of large fines and the threat of not being able to accept card payments in the future.
But while the standard has been around since 2005, very few hospitality operators are completely on top of it, according to Simon Langley, head of PCI compliance at consultancy KPMG.
"In our experience, the larger organisations in tier two - those processing more than one million transactions per annum but fewer than six million - usually have mature PCI DSS compliance programmes in place, although the majority are still not fully compliant," he says.
"For tier three merchants - those processing more than 20,000 transactions per annum but fewer than one million - many have only become aware of the standard recently, even though the first version was published in 2005. In the case of very small organisations - processing fewer than 20,000 transactions per annum - very little progress has been made," he adds.
While some experts have blamed the card companies for not publicising PCI-DSS well enough, Langley points out that information security as a general issue hasn't been high on the agenda for hospitality and retail businesses as they haven't traditionally regarded themselves as high risk.
"What has changed is that financial crime has moved from being about actual money to identity theft," he says. "This has caught customer-facing sectors on the hop."
One of the major weaknesses of hospitality operators is the poor understanding of what data they actually hold. "There was the case of the hotel booking agency that never actually processed any bookings directly so it did not work towards PCI compliance," Langley says. "But it kept manual records of card transactions in the case of no-shows, meaning it was in breach of the standard."
Another company in the sector was using an IT system that went down regularly so they kept data on paper as back-up. But they kept information that you are not allowed to keep under any circumstances, such as the three-digit security code on the back of cards - unnecessarily increasing risk.
Langley also says that the majority of organisations KPMG deals with don't keep their software patches up to date. "Fail that test and you leave yourselves open," he warns.
Outsourcing payment processing makes sense, particular for smaller operators, Langley advises. "This does not exempt them completely from the PCI DSS requirements but does mean that they substantially reduce the risk of cardholder data loss and achieving compliance is considerably easier," he says.
PCI compliance certainly isn't an issue hospitality can afford to ignore if it wants to have a happy Christmas and a prosperous New Year.
CASE STUDY: WHITBREAD AND PCI COMPLIANCE
PCI compliance was one of the main drivers for Whitbread's decision to completely overhaul its payment processing systems last year.
The company needed to streamline how its subsidiary brands - including Costa Coffee, Premier Inn and Beefeater - interfaced with its corporate banks. The banks had treated Whitbread as three separate companies rather than one and were subjecting the company to multiple fixed rates and charges.
The previous system transferred transactions directly from the outlet to the bank, meaning Whitbread had no central visibility of the transactions and limited access to transactional data such as card input method.
The company wanted to reduce costs and better understand customers to improve its marketing capabilities, which the previous system did not allow. In addition, not having access to transactional data meant any discrepancies that occurred during the reconciliation processes resulted in many wasted man hours to rectify.
The previous PDQ (Process Data Quickly) system was also slowing down service to customers as data needed to be entered into both the till and PDQ terminal.
Under the PDQ system, Whitbread would have had to invest heavily to achieve PCI compliance, while the "Swipe& Sign" technology meant that the firm and not the banks was liable for any fraud.
To streamline the payment process, Whitbread engaged Fidelity National Information Services, which provided a centralised card payment service; IBM, which provided the outlet card payment software - StorePay; Verifone, which provided the fixed and mobile chip and PIN terminals; and Smart Technology Solutions' Hostlink, which integrated the IBM StorePay software with the Verifone terminals.
The project involved deployment of a completely new, end-to-end, centralised infrastructure that unified the transaction process, allowing Whitbread to take advantage of the combined buying power across the group. The centralised software-based system allows Whitbread to use payment terminals as extensions of their existing EPoS systems.
Stephen Deakin, project manager at Whitbread Information Systems, says the move has brought about a number of benefits, including PCI compliance.
"Movement away from "Swipe & Sign" means our restaurants are no longer liable for fraudulent payments and have also benefited from an improvement on transaction rates as a result of chip and PIN," he says. "Combined with the cheaper transaction rates as a result of the group's bulk-buying power, the entire project is delivering total savings in excess of £1m per annum, as well as satisfying 90% of the necessary requirements to make Whitbread PCI compliant.
"The protection of cardholder data is extremely important at Whitbread and becoming PCI compliant allows us to trade with confidence," he adds.
