Endless news reports about cyber security have covered the risks of credit card information ending up in the wrong hands. But customer loyalty programs, popular at many restaurants, can be targeted by cyber thieves as well. Those points might not be valuable to a stranger, but data connected to loyalty cards could be.
What exactly are the risks, and how can they be minimized? Maurice Liddell, BDO USA’s national service leader for IT security and infrastructure, and Randy Coomes, senior director of risk advisory services for the company, shared some weak spots:
1. Hijacked credit card numbers and checking accounts associated with the loyalty card. Starbucks’ stored value cards and mobile payment app certainly are handy ways to pay for coffee and rack up award points. But the auto-reload feature can be hacked, as a number of Starbucks card users discovered earlier this year when their cards were hijacked and their credit cards charged by outsiders.
2. Theft of personal identity information. Guest loyalty program applications sometimes collect sensitive data, such as a driver’s license or Social Security number. By now, business owners should be aware that Social Security information is off limits, but if that information is ever compromised, Liddell says the disclosure requirements are similar to when a credit card number gets lifted—in other words, a pain.
3. Third-party providers that drop the ball. Smaller restaurants often rely on outside firms to help administer loyalty programs, which opens up another opportunity for compromised data. “Now you have that personal and credit card information being transmitted from one company to another,” Coomes says. “Depending on the third party, often they will encrypt the information, but that may not always be the case, so that exposes the restaurant even further,” he adds.
Operators have a number of strategies to reduce their exposure.
“Don’t be the easy target,” Liddell says. So-called “script kiddies” are out there looking to stir up some mischief with vulnerable systems. You can avoid being a victim by securing your perimeter and having an updated and secure firewall.
If you’re not sure whether your business is secure, hire an expert to do a vulnerability assessment. That’s a smart, affordable investment in some peace of mind, Liddell adds.
Staff training is also key, Coomes argues. Servers and bartenders should be handling loyalty cards the way they would credit cards.
When it comes to data storage, “keep only what you absolutely need, and don’t ever store credit card numbers,” Liddell says. If you do connect a credit card with a loyalty program à la Starbucks, invest in a tokenization system to protect the information. Tokenization provides “a secure way to do this where there isn’t a credit card tied to the card. Instead, it’s a token. When the card is used, it can only be used for one purpose,” says Liddell. “Without tokenization, it can be very impactful.” Smaller operators are often more exposed, mainly because they frequently lack the internal resources and knowledge to protect themselves, he adds.
Be careful who you hire to establish your loyalty program infrastructure. “A lot of times restaurant owners ‘know someone’ who can set up their system and get it going, but they don’t necessarily do it right and they don’t understand the risk associated with it,” Coomes says.