by: Kimberly Radka
On October 1, 2015, the way consumers use a credit card changed. Instead of swiping, we now insert the card so the microchip can be read for security, which gives everyone a more secure transaction.
That was not the only change. A restaurant that continues to use the swipe method now holds the liability for fraudulent transactions; prior to this, the issuing bank paid for any fraudulent charges. If you use the chip method, the bank still carries the liability. There is, of course, a cost to upgrading every POS device to accept a microchip, so each business owner will have to weigh the risk and decide how to proceed.
The risk of credit card fraud is only one of the cyber risks restaurants face. This great article lists the following best practices to minimize your risk:
Use Strong Passwords: Change the passwords on your POS systems on a regular basis, use unique account names and complex passwords, and deploy multi-factor authentication (MFA).
Update POS Software Applications: Ensure that POS software applications are running the latest versions and that all application patches have been applied.
Install Firewalls: Employ firewalls on web applications to prevent unauthorized access to, or from, a private network by screening out traffic from hackers, viruses, worms, or other types of malware specifically designed to compromise a POS system.
Use and Update Antivirus Programs: Regularly update antivirus programs to maintain their effectiveness.
Restrict Access to the Internet: Restrict access to POS system computers, or limit those terminals to POS-related activities only, so users cannot accidentally expose the POS system to security threats on the internet.
Disallow Remote Access: Cyber criminals can exploit remote access configurations on POS systems to gain access to these networks. To prevent unauthorized access, disallow remote access to the POS network at all times.
Train Employees: Provide employees with dynamic information security and privacy awareness training, including anti-phishing and social engineering exercises. Employees are the first line of defense and should also be able to quickly and easily report potential issues, activities, circumstances or concerns, such as an extortion demand, without fear of reprimand or retribution.
Incident Response Planning: The primary objective of an incident response plan is to provide a framework for managing a cybersecurity incident that limits damage, increases the confidence of external stakeholders, and reduces response costs and recovery time. The incident response team (IRT) should practice the plan regularly with tabletop exercises based on different scenarios.
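The firewall, internet-restriction and remote-access items above all come down to one rule: a POS terminal should talk only to the payment gateway and its vendor's update server, and nothing should connect inward to it. The script below is an added example, not code from the original post or from the article it cites. It audits a few constructed firewall log lines against that rule; the POS subnet, the allowlisted destination addresses and the log format are all assumptions chosen for the example, so adapt them to your own network and firewall.

```python
"""Audit firewall connection logs from a restaurant POS network segment.

Policy modelled here (assumptions for this example, not from the post):
  * POS terminals live in 10.10.20.0/24 (hypothetical subnet).
  * Outbound, they may reach only the payment gateway and the POS vendor's
    update server, both on TCP 443 (hypothetical documentation addresses).
  * No inbound connection to a POS terminal is allowed at all; remote-access
    ports (SSH, RDP, VNC) are called out by name because that is how
    criminals typically reach a POS network.
Any ALLOWed flow that breaks the policy is returned as a finding.
"""
import ipaddress
from dataclasses import dataclass

POS_NET = ipaddress.ip_network("10.10.20.0/24")
EGRESS_ALLOW = {  # (destination IP, port) -> label; hypothetical values
    ("203.0.113.10", 443): "payment-gateway",
    ("203.0.113.20", 443): "pos-vendor-updates",
}
REMOTE_ACCESS_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc"}

# Constructed sample log, in the shape "<time> <ACTION> <src:port> -> <dst:port> <proto>".
SAMPLE_LOG = """\
2015-10-05T12:01:03 ALLOW 10.10.20.11:49152 -> 203.0.113.10:443 tcp
2015-10-05T12:01:09 ALLOW 10.10.20.11:49153 -> 203.0.113.20:443 tcp
2015-10-05T12:02:41 ALLOW 10.10.20.12:49201 -> 198.51.100.77:80 tcp
2015-10-05T12:03:15 ALLOW 192.0.2.55:51000 -> 10.10.20.12:3389 tcp
2015-10-05T12:03:20 DENY 192.0.2.55:51001 -> 10.10.20.12:5900 tcp
2015-10-05T12:04:00 ALLOW 10.10.30.5:40000 -> 203.0.113.10:443 tcp
"""


@dataclass
class Finding:
    line: str    # the raw log line that triggered the finding
    rule: str    # short policy rule name
    detail: str  # human-readable explanation for the person on shift


def parse_line(line):
    """Split one log line into its fields; ports become ints, IPs ip_address objects."""
    ts, action, src, _arrow, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "time": ts, "action": action, "proto": proto,
        "src_ip": ipaddress.ip_address(src_ip), "src_port": int(src_port),
        "dst_ip": ipaddress.ip_address(dst_ip), "dst_port": int(dst_port),
    }


def audit(log_text):
    """Return a Finding for every ALLOWed flow that violates the POS policy."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["action"] != "ALLOW":
            continue  # the firewall already blocked it; nothing to escalate
        src_in_pos = ev["src_ip"] in POS_NET
        dst_in_pos = ev["dst_ip"] in POS_NET

        # Egress: a POS terminal reached something other than an allowlisted service.
        if src_in_pos and (str(ev["dst_ip"]), ev["dst_port"]) not in EGRESS_ALLOW:
            findings.append(Finding(
                raw, "unexpected-egress",
                f"{ev['src_ip']} -> {ev['dst_ip']}:{ev['dst_port']} is not an "
                f"allowlisted POS destination (possible browsing or malware beacon)"))

        # Ingress: anything from outside the POS segment reached a terminal.
        if dst_in_pos and not src_in_pos:
            service = REMOTE_ACCESS_PORTS.get(ev["dst_port"])
            rule = "remote-access-inbound" if service else "inbound-to-pos"
            what = f"{service} remote access" if service else f"port {ev['dst_port']}"
            findings.append(Finding(
                raw, rule,
                f"{ev['src_ip']} connected to POS terminal {ev['dst_ip']} via {what}; "
                f"remote access to the POS network should be disallowed"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}\n    {f.line}")
```

Run against the sample log the script reports two findings: a terminal browsing to a web server on port 80, and an RDP connection from outside into a terminal. The denied VNC attempt is deliberately not reported, since the firewall did its job there; in practice you would still want a count of such blocked attempts as an early warning.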
Thanks for reading.