Protecting customer data at restaurants

By Kavita Sabharwal-Chomiuk

By now, everyone has heard of the data breach at credit bureau Equifax, which impacted only about 8,000 Canadians but was estimated to have affected over 145 million American customers, according to an Oct. 2 article from CBC.

Lesser known, however, are the data breaches that have hit restaurants, and there have been several, especially in the United States: Chipotle, Wendy’s, Sonic, Zaxby’s, Shoney’s, plus 12 of the 13 restaurants under the Select Restaurants umbrella have all had customer data stolen in recent months. More and more, hackers are targeting restaurant data systems, and your customers’ data security may be at risk. Read on for some ways to safeguard your data and keep this from happening to you.

To start, use a program that does not save or manage customer data. For example, TouchBistro, a top-ranked iPad POS software, does not store credit card information or data that can be compromised.

“When we swipe a card, tap, or use the PIN, the information is exchanged securely and directly with the credit card processor,” explains Alex Barrotti, CEO of TouchBistro. “All we ever get back is a simple ‘declined’ message or an authorization number. We don’t have the ability to store any personal or confidential information, which makes us PCI (Payment Card Industry) compliant. We don’t even see that information.”

Restaurateurs may still want the inside track on what their customers are doing, for example to send them targeted marketing messages, and TouchBistro has a solution for that. As of Oct. 16, the company’s customers have the option of employing loyalty software ReUp Loyalty to analyze customer information and remove the possibility of human error from the equation. Barrotti notes that one of the biggest requests from prospective clients is to be able to offer loyalty solutions to their customers.

“Previously, TouchBistro had a slew of NPI (non-personally-identifiable) data. It doesn’t know which purchase can tie back to which identity. We’re trying to give merchants that information so they can understand their customers’ spending habits and use it to target them, helping to build better relationships,” says Asim Shahjahan, CEO of ReUp Loyalty. “On the data security side with PID (personally-identifiable data), we use the most up-to-date security metrics out there. Data is encrypted. We only ask that our customers make sure they’re using all available updates and security updates on their software. Keeping up-to-date on patches is a big part of what we do to make sure we don’t run into those situations. Plus, we make sure we don’t have any real PID information. We don’t get the customers to give us anything that would compromise their identity.”

TouchBistro has safeguards in place, as well, to ensure customer information remains secure. Barrotti explains that every eight weeks or so, the company strives to release new versions of the software, sometimes featuring minor fixes and other times major features, including the launch of the loyalty program.

The system’s security is another draw: the data is not available to all restaurant workers, but is secured in ReUp’s database and accessible only by logging into TouchBistro’s loyalty portal. This limited accessibility helps protect data from falling into the wrong hands.

“Everything is stored in our servers,” explains Shahjahan. “It’s meant to be an administrative tool, which is why it’s not available in the TouchBistro app itself.”

Shahjahan explains that ReUp stores customer loyalty information in perpetuity, but the type of data being stored is not what most people consider sensitive data; the company never stores credit card information or Social Insurance Numbers, for example.

Barrotti suggests taking steps to protect yourself from a data breach of your own. He recommends that, if your restaurant is using an older, legacy POS system, you review whether it is compliant.

“Years ago, there was no PCI compliance. People could store credit card numbers and they thought it was convenient, but now it’s a violation of PCI protocol,” he says. “A lot of the systems out there should be revisited and you should ask, can I bring this system up to date? Are there patches or software fixes that can address these issues, or do I have to change the system altogether? And then take steps accordingly. No one wants what happened to Equifax to happen to them. The older systems don’t have that protection. It may be a good time to upgrade, if that’s the case. You want to have a modern solution that does not put you at risk of breaching your customers’ data.”

Shahjahan attributes the breaches, at least partially, to human error. “The big thing that people worry about is whether tech is failing. [Equifax was] using an outdated piece of tech that had a known security vulnerability and they didn’t take the opportunity to patch the hole. Someone on the software side didn’t upgrade security software. What we’ve put in place for ReUp is software updates that are already up-to-date,” he explains. “We’re constantly updating our libraries, making sure our security is always covered. We have to figure out where there are holes and gaps and get ahead of it. It’s all about checks and balances at the end of the day.”

Overall, Shahjahan is optimistic about the state of data in the future. “Data is taking over the world. Everything is becoming more data-driven. Tech is more about how to make things smaller, connecting things and people. The only way you can connect is by the exchange of data,” he says. “Although it can be scary, and you hear about things like the Equifax data breach happening, data might not be totally safe yet. But I think the future is going to be data-based, and I think it’s going to be a really exciting time.”