As we reported in our Data Security Whitepaper, the average data breach affects 25,000 records and costs almost $4 million. That’s 25,000 ways to lose the trust of your customers. Our webinar on restaurant cybersecurity best practices can help you avoid this costly fate. Before signing up, here is a list of questions you should ask yourself to ensure your restaurant doesn’t become another statistic:
Are my vendors storing encrypted authentication data?
It may surprise you to learn that PA-DSS requires you to render all payment information so that it is unrecoverable after your POS software authorizes the transaction – even if it is encrypted.
Am I storing more data elements than I need?
PA-DSS only allows you to store the names of the account holders, primary account numbers, expiration dates, and service codes. This does not include card verification values, CVV codes or PIN numbers.
Is my software vendor’s debugging and troubleshooting protocol PA-DSS compliant?
Sometimes sensitive authentication data needs to be stored to debug or troubleshoot system errors, but to stay PA-DSS compliant, you will need to:
- collect only enough data to solve the problem at hand
- store the data in only one location with limited access
- use the highest cryptography possible
- delete the data from log and debugging files immediately after use
- reset your system configuration
- use a secure wipe program to ensure sensitive data is unrecoverable
Is my POS system’s configuration creating unnecessary risks?
Make sure your POS software is configured to avoid capturing cardholder information during a system backup. To render a primary account number (PAN) unreadable, your software vendor will need to use one-way hashes of the entire PAN, truncation, index tokens and securely stored pads, or key management procedures with strong cryptography. If you are using one-way hash functions, make sure you will not need the original PAN, since it will not be recoverable.
PA-DSS requires you to employ just one of the above methods to avoid instances where PANs would be on full display. Remember that more is not better in this scenario, since hackers can reconstruct the original PAN more easily if you employ both hashing and truncation – just as it is easier to visualize what a completed puzzle looks like if you have more than one piece.
“For PAR, it was proving that we don’t give data away, we properly secure it, we have all the right controls in place, rotate passwords, rotate encryption keys, use MFA to connect all our remote systems, etc. It also ensures we have proper security procedures in place, teams that review everything, automated systems that maintain system security, and employees watching.”
Are my customers’ primary account numbers (PAN) unreadable outside my payment application?
Your payment application should render PAN unreadable even when sharing log files with merchants. There are several locations you will need to check to assure this happens successfully, including:
- data repository tables or files the payment application generates
- export, backup or debugging files
Am I layering encryption protocols successfully?
It may sound redundant, but make sure you are using not only data-encrypting keys, but key-encrypting keys that have the same or higher level of encryption. Use a key custodian form to ensure that anyone with access to keys understands the importance of data integrity and reporting suspicious activity. Make sure anyone with access to keys has their own identification code to make it easier to trace the source of a data breach and provide an extra layer of sign-in authentication than just using a password.
For anyone with access to encrypted keys, make sure they are aware of when the cryptoperiod ends. The PCI Security Standards Council defines a cryptoperiod as the life cycle of a key determined by algorithm strength, key length, risk of compromise, and data sensitivity. Your payment application needs to support a key replacement process to reduce the chance of unauthorized data decryption, which can lead to a data breach. Ideally, old keys should be destroyed, but if they are needed to support archived data, you will need to employ the same strong encryption you use for new keys.
What else is there to learn about protecting my customers’ data?
Much, much more! Download our Data Security Whitepaper to learn about more aspects of PA-DSS, as well as different regulatory compliance requirements like EMV and PCI DSS. We also cover SOC 1 and 2 standards, the effects of fraud, the impact of GDPR and CCPA, and other aspects of data security every restaurant needs in today’s high-tech world.
PAR’s Chief Technology Officer, Charles Wurster, will speak at Fast Casual’s Cybersecurity Best Practices Webinar on November 19, so sign up today to get more insight on how your restaurant can prepare for new and emerging cybersecurity threats.