Security

PCI Data Security Standards Rock

Have you ever had to fire someone for stealing?

Have you ever had to fire someone for stealing? That could be a loaded question. If you’re a restaurant operator, you’ve probably had to let people go for taking advantage of the business on more than one occasion, and you’ve probably wondered about many other employees. Or maybe you had a pretty good sense something wrong was happening, but you had no concrete proof. You have to walk a fine line – you don’t want people to walk all over you because you’re too trusting, but you don’t want to assume every server is out to get you, either.

You may be familiar with these 4 common server scams:

  1. Comp after close – The server re-opens the check and comps some or all of the items, putting the cash in his pocket.
  2. Comp after print – After the table pays the printed amount on the receipt with cash, the server comps some or all of the items, keeping the difference.
  3. Over tipping – Putting in an amount that is higher than was written on the receipt.
  4. Transfer/wagon wheel – Self-service items are entered in when the first table orders them, and then they are transferred between guest checks instead of being rung in each time. The server pockets the cash for the item on each table.
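One way to surface these four patterns in a POS event log, as an added example that is not code from the page or from Aloha Restaurant Guard; the event layout, the one-shift log and the 30% tip threshold are constructed assumptions:

```python
"""Flag the four server scams listed above in a constructed POS event log.
Each event is (seq, check_id, server, kind, value):
  kind  : item | print | pay | close | reopen | comp | tip | transfer
  value : dollar amount (item/print/pay/comp/tip) or item name (transfer)"""
from collections import defaultdict

# Tip-to-check ratio that should set off alarm bells; 0.30 is an assumed threshold.
TIP_ALERT_RATIO = 0.30

# Constructed one-shift log (not real data); comments mark the planted scams.
LOG = [
    (1, "C1", "ana", "item", 20.0),
    (2, "C1", "ana", "print", 20.0),
    (3, "C1", "ana", "pay", 20.0),          # guest paid the printed total in cash
    (4, "C1", "ana", "comp", 8.0),          # scam 2: comp after print
    (5, "C1", "ana", "close", 12.0),
    (6, "C2", "bob", "item", 50.0),
    (7, "C2", "bob", "print", 50.0),
    (8, "C2", "bob", "pay", 50.0),
    (9, "C2", "bob", "close", 50.0),
    (10, "C2", "bob", "reopen", 0.0),
    (11, "C2", "bob", "comp", 50.0),        # scam 1: comp after close
    (12, "C3", "cat", "item", 40.0),
    (13, "C3", "cat", "print", 40.0),
    (14, "C3", "cat", "tip", 18.0),         # scam 3: 45% tip entered
    (15, "C3", "cat", "close", 40.0),
    (16, "C4", "dan", "item", 3.0),         # soda rung once on C4 ...
    (17, "C5", "dan", "transfer", "soda"),  # ... moved to C5 (could be legitimate)
    (18, "C6", "dan", "transfer", "soda"),  # scam 4: same item wheeled onto a third check
]

def detect(log):
    """Return (rule, check_id, server) findings in event order."""
    findings = []
    checks = defaultdict(lambda: {"printed": None, "closed": False, "total": 0.0})
    moved = defaultdict(set)   # item name -> checks it has been transferred onto
    for seq, check, server, kind, value in sorted(log, key=lambda e: e[0]):
        c = checks[check]
        if kind == "item":
            c["total"] += value
        elif kind == "print":
            c["printed"] = value
        elif kind == "close":
            c["closed"] = True        # a later "reopen" does not clear this flag
        elif kind == "comp":
            if c["closed"]:
                findings.append(("comp_after_close", check, server))
            elif c["printed"] is not None:
                findings.append(("comp_after_print", check, server))
        elif kind == "tip":
            base = c["printed"] if c["printed"] is not None else c["total"]
            if base and value / base >= TIP_ALERT_RATIO:
                findings.append(("over_tipping", check, server))
        elif kind == "transfer":
            moved[value].add(check)
            if len(moved[value]) > 1:   # one move may be a table change; two is the wheel
                findings.append(("wagon_wheel", check, server))
    return findings

if __name__ == "__main__":
    for rule, check, server in detect(LOG):
        print(f"{rule:17s} check {check} server {server}")
```

The tip rule is only a proxy: the log cannot show what the guest wrote on the receipt, so it flags outliers for the manager to compare against the paper slips.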

Unfortunately, these scams are only a few of the ways employees have found to steal from restaurants. As an operator, you know it may be happening. You want to believe that your employees are trustworthy, but you have to be aware of these scams, which have become all too common in the restaurant industry.

Is there a common scam we may have missed? Which self-service items do you think get taken advantage of the most?

Read about how Aloha Restaurant Guard helps you identify servers who may be involved in these scams and many more.

Radiant Security Systems Webinar Still Available

Chuck Magee from Radiant Systems: Radiant Security Services webinars. We just finished our webinars, but if you missed them, please contact Sherry to schedule one for you.
sherry.harris@becpos.com

HOW TO ADMINISTER & MAINTAIN A PCI COMPLIANT POS SYSTEM & ENVIRONMENT

As a business owner who has been around 30+ years, I take data security seriously. We have accepted our share of counterfeit checks, traveler’s checks as well as stolen credit cards. I have experienced having my personal credit card as well as employee business credit cards stolen.

It is my responsibility as a business owner to keep informed on changes that directly impact my business. BEC processes a number of credit card transactions each month and we make every effort to keep the card data secure in the same manner we keep other confidential accounting records safe.

Along with installation of security cameras, employee background checks, a dual authentication product for remote customer support etc., we contract with a 3rd party IT company who not only manages our internal network and hardware firewall, but keeps all our software up to date with the latest security patches.

As a member of RSPA (Retail Solutions Providers Association, www.gorspa.org), our business takes advantage of courses and certifications offered by them. RSPA has recently introduced a PCIwise course specifically for vendors and merchants. The intensive course describes 12 best practices that business owners can adopt to educate them on new and/or updated regulations involving PCI compliance.

BEC, in conjunction with RSPA, is offering the course HOW TO ADMINISTER & MAINTAIN A PCI COMPLIANT POS SYSTEM & ENVIRONMENT. This no-charge, 45-minute course will answer a lot of questions you as a merchant have. Click on the link, complete the New User section, go to the Login section and enter your email and password. If you have any questions, please contact me at 303-623-1143 x 1002 or audrey@becpos.com

Six Signs That Employees Are Stealing: How to Identify Restaurant Employee Theft

By Dan Cosgrove

If you are a restaurant business owner or manager, be assured of one thing: employees are stealing from you.

The National Restaurant Association estimates that internal theft by employees is responsible for 75% of inventory shortages, about four percent of total restaurant sales. Three-quarters of employees steal from the workplace at least once, and half steal repeatedly. Why? Because no one catches them.

Many owners and managers ignore the signs because they want to believe all their employees are honest. But the longer you let dishonest employees get away with it, the more widespread the employee theft problem will become.

Here are Six Signs of Employee Theft:

  1. Have pour and food costs suddenly gone up? These are determined by comparing how much you’re purchasing with how much you’re selling. (They’re a valuable tool to identify employee theft, but they are only as good as your recordkeeping. You must log all food and drinks, purchased or not, to make your calculations valid.) If costs suddenly go up, detailed records may point to a specific event such as a new bartender, kitchen worker or server’s arrival. (If they go down, check to see who might be on vacation!)
  2. Is the cash register over or under on a regular basis? This is a sign that an employee has put money in the till without ringing up the order and has forgotten or miscalculated exactly what to skim from the register at the end of the shift.
  3. Do employee tips add up? When employees give away food or drinks, they often get generous tips based on the value. Revive the old tradition of making random “Till and Tip” checks. Without warning, ask servers to count their tip money in your presence. Compare their totals to the register readings. If tips are 5%, 10%, 15%, terrific. But 30%, 40% and 50% tips should set off alarm bells.
  4. Are customers or employees telling you someone is stealing? They may notice things you can’t. Take their comments to heart. Investigate fully. Maybe they’re mistaken, but don’t count on it.
  5. Do regular customers complain that prices are too expensive or inconsistent? Dishonest employees may overcharge customers and pocket the difference. You won’t see costs rise but customers will see an increase in prices. Regular customers may notice if they are being charged different prices.
  6. Is there something about an employee that just doesn’t feel right? Maybe it’s a lifestyle that seems well beyond their means. Maybe they are just too eager to work the shifts that no one else wants to take. Whatever it is, trust your instincts.

If you know you have a problem, hire a Private Investigator who specializes in mystery shopping and/or surveillance. Flying under the radar, trained agents can visit your restaurant or bar to observe and record how servers are handling and recording cash transactions. They also can position themselves to observe what employees are taking out the back door. If employee theft is observed, a trained investigator can confront those involved, and nine out of ten times, get a confession.

Taking Credit Card Security Seriously

By David F. Carr

The easiest way for small businesses to address the information security requirements imposed by credit card companies is the wrong way. I’m talking about lying and praying.

In 2004 the major credit card companies got together to define a common Payment Card Industry Data Security Standard (PCI DSS, often referred to as just PCI). They are gradually ratcheting up the pressure on merchants of all sizes to comply. Large companies, and some smaller ones that process a large volume of transactions (particularly if they’re doing it on the Web), are required to have an independent review of their processes and systems by a security professional credentialed as a qualified security assessor (QSA). Most small businesses can instead complete a self-assessment questionnaire, where they essentially grade themselves. That’s where the lying comes in. It’s not so hard to check off all the right answers (“Sure, I review my e-commerce server logs on a daily basis.”) without actually making them true.

If you’re lying, you had better also be praying. If caught, you could be fined for non-compliance, to the tune of tens or hundreds of thousands of dollars–enough to put many a small organization out of business. Expect even harsher treatment if someone hacks your systems and downloads card data you claimed you weren’t even storing.

Most of the requirements are basic security, like making sure there is a firewall between your Internet connection and any system that stores credit card numbers. Factory default passwords on your network equipment must be changed, so that no one can log on as user “admin,” password “admin.” And so on. More specifically, you’re responsible for protecting cardholder data, and there’s some data you’re never supposed to store–like the full contents of a card’s magnetic stripe.

Many small businesses are still under the impression that the rules don’t apply to them because they’re too small, or because they don’t conduct e-commerce. Actually, the rules apply to any business–and even any nonprofit–that takes credit card payments. You can look for ways to lighten the compliance burden, but you can’t get yourself off the hook entirely. Even if no one has yet compelled you to complete a questionnaire or conduct an automated scan of your networks, you’re still supposed to be locking down your systems.

Some businesses complain this all sounds too complicated and expensive. But they are missing the point, says Anton Chuvakin, author of PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance. The PCI rules really represent the minimum security standards businesses must meet to be fair to their customers, who, after all, are trusting the merchant every time they hand over a credit card number. In the wake of a card security breach, a larger business might survive the resulting fines, damages and adverse publicity. By contrast, “a small business is more likely to be GONE,” Chuvakin said. “Businesses that endanger their customers really do deserve to die.”

If your organization is not equipped to handle credit card data securely, maybe you should not be handling it at all. Look for ways to shift as much of the burden as possible onto a service provider that specializes in secure payment processing. Services such as PayPal and Authorize.net let you forward customers to their websites for payment processing; credit card numbers never pass through your hands at all.

Small businesses such as restaurants that use an older generation of countertop credit card terminals may be breaking the rules inadvertently because the device stores magnetic stripe data or otherwise violates the PCI requirements. So consider upgrading to a payment device that is certified PCI compliant. Basic terminals capable of encrypting Personal Identification Number (PIN) codes and protecting other sensitive information are available for as little as $100 and might even be offered free by merchant account services trying to win your business. The PCI Security Standards Council publishes a list of approved devices. Just remember that using a compliant device is only one element of making your business compliant.

Even if you’re not storing anything explicitly prohibited, you may be storing more credit card data than you need to. Small merchants typically store a day’s worth of credit card numbers on a card swipe terminal, then process all the transactions in a batch at the end of the day. Bigger retailers may record the card numbers in a centralized database so they can track all a customer’s purchases, and so they can retrieve the number if they need to issue a refund. But do you need to retain those numbers at all?


Late Friday, McDonald’s sent an email to customers notifying them of the hacking

The personal data of McDonald’s customers — including emails and phone numbers — has been “obtained by an unauthorized third party,” the chain has told its most loyal burger fans.

Late Friday, McDonald’s sent an email to customers notifying them of the hacking, and warned them to be cautious of any person claiming to be from “McDonald’s asking for personal or financial information.”

Arc Worldwide, a long-time business partner of McDonald’s, told the chain that information it collects in connection with certain McDonald’s websites and promotions was obtained by an unauthorized third party.

“Unfortunately, a third party was able to defeat the security measures put in place by the email database management firm to protect the information you provided to us,” McDonald’s stated on its website.

The data collected includes “information required to confirm your age, a method to contact you (such as name, mobile phone number, and postal address and/or email address), and other general preference information,” McDonald’s said.

McDonald’s declined to say Sunday how many people were impacted by the hacking. Likely thousands received the email, as it’s common for fans to sign up for special email promotions via the chain’s website. The websites where customers entered data include McDonalds.com, 365Black.com, McDonalds.ca, mcdonaldsmom.com, mcdlive.com, monopoly.com, playatmcd.com and meencanta.com.

In a statement to the media, McDonald’s said:

“It is important to note that the information in the database did not include Social Security Numbers, credit card numbers, or any sensitive financial information. The incident has resulted in an investigation by law enforcement authorities. Arc and McDonald’s are cooperating with the appropriate authorities as we work to protect our valued customers.

We are also working with Arc and their database management firm to understand how the security was bypassed. We take the security of our customer information very seriously, and we will continue to cooperate with the investigation and with the appropriate authorities.”

McDonald’s asked customers to call this number to report any suspicious contact from anyone pretending to represent the chain: 800-244-6227.

McDonald’s customer data compromised

If you previously elected to submit information to McDonald’s in connection with one of their websites or promotions, there is a possibility that information you provided was improperly accessed by an unauthorized third party.

Law enforcement officials are investigating the incident: an email service provider selected to coordinate McDonald’s promotional e-mails has had its computer systems compromised.

McDonald’s does not collect sensitive financial information, such as Social Security Numbers or credit card numbers on-line or through email. As such, the information improperly accessed did not include this type of information.

Rather, the information provided to McDonald’s included information required to contact users (such as name, mobile phone number, and postal address and/or e-mail address), and other general preference information.

In the event that you are contacted by someone claiming to be from McDonald’s asking for personal or financial information, do not respond. Remember, McDonald’s would not ask for that type of information online or through email.

by Helpnet Security

http://www.net-security.org/secworld.php?id=10300

Don’t Give Criminals an Unintentional Gift This Holiday Season

Dana Hawker, Senior Manager, Data Security and Compliance

It’s a well-known fact that the holiday season is the favorite time of year for criminals. Business owners and managers should make sure that they are staying alert and are encouraging their employees to protect their merchandise as well as protect their consumers’ credit card data. The following are a few simple measures that security experts suggest businesses take to minimize data security risks during the holiday season.

Screen, monitor and train all temporary workers

Most businesses bring on temporary workers to help during the busy holiday shopping season. If these temporary workers have access to customer data, BE CAREFUL and follow these tips for protecting your business:

  • Make the extra investment to conduct thorough background checks of all temporary employees.
  • Set up the proper access controls for your temporary workers so that they only have access to what is necessary for them to perform their jobs.
  • Ensure that both your temporary and permanent employees are educated on all the signs of fraud. This helps add another layer of security during this heightened period of risk.

Monitor the use of satellite point of sale systems and scanning devices

Many businesses increase their use of handheld scanners and satellite point of sale systems for line-busting during the holidays. Make sure that you have built physical security around these devices to prevent tampering. Without monitoring, criminals can easily install a card-skimming device that is not a part of normal business operations on these additional devices.

Assign individuals to perform spot checks on transactions and review data logs daily

Reviewing your system and transaction logs can help you catch any abnormalities in the security of your data at any point in time. Check them daily for any issues to proactively address anything out of the ordinary and minimize your risk of data loss.

Continue to implement patches to operating systems and point of sale systems

Many companies “lock down” their systems during the busy holiday season and avoid making any changes to the network and their systems. Criminals know this and will not hesitate to try to exploit any known vulnerabilities in operating systems that have not been patched. Continue to perform a risk-based evaluation of new threats and be open to deploying security updates during the holiday season.

Bottom line

Don’t make the mistake of ignoring the security of operations and consumer data during the hectic holiday season. Criminals know that this is the perfect time of year to steal data due to the high volume of transactions. You can’t afford to overlook any security precautions…if you do…you’ll risk losing much more than just sales volume.

Guess What? Your Payment Application is Not the Only Thing Criminals Care About

Processing credit cards is vital to efficiently running your restaurant or retail business, and that includes doing everything possible to protect the data being transferred over the Internet. However, criminal attacks are getting more and more advanced and the likelihood that restaurants and other small business establishments will fall victim to cybercriminals is increasing.

Large data breaches receiving national news coverage are happening at restaurants, major clothing retailers, sporting goods stores and grocery chains. Although most of the recent push has been to ensure you are running a PA-DSS validated payment application, most of the current criminal threats are not targeted specifically at your POS. Criminals that gain access to the networks in stores and restaurants are now able to attack such sites even if they have the most up-to-date point-of-sale systems on the market.

The data that the criminals want is not the data that you see on the front of your credit card. This visible data is known as the Primary Account Number (PAN) and is of little use to cybercriminals. They want the full track data that is encoded on the magnetic stripe on the back of the card; it contains much more information and allows them to create counterfeit cards.

Ever since the PCI Security Standards Council implemented the Payment Application Data Security Standard (PA-DSS), payment applications are not allowed to store full track data. That is why all merchants who process or transmit credit card data are required to use PA-DSS validated payment applications. If you are using a PA-DSS validated version that was upgraded or implemented according to secure implementation standards, the criminals are not targeting the data stored in your payment application. In most cases when a breach occurs for a customer that is using a PA-DSS validated payment application, the payment application software itself has not been breached.

Instead, the criminals are targeting holes in your overall payment environment. If your perimeter is not secure with protective measures such as a firewall, updated antivirus, and secure remote access, they’re going to get in. And when they get in, they’re going to install crimeware. This crimeware can then be used to steal full track data in many ways. It can extract the data from the Windows OS as it is being sent to the bank for processing. It can also mimic keyboard strokes to steal authentication credentials. In these crimeware scenarios and others as well, the criminals are not getting the full track data they want from the payment application.

So, how do you keep them out? You definitely need to have a PA-DSS validated payment application to eliminate the low-hanging fruit. After that, you need to secure your perimeter. If there are no holes in the wall around your payment environment, the criminals will not be able to get in.

We’re all in this together. The only people doing anything wrong are the criminals. What they do and how they do it is changing very rapidly. We need to fight them by educating ourselves, recognizing that a PA-DSS validated payment application by itself will not protect you, following security best practices, and by making sure our perimeter defenses are as strong as they can be.

Dana Hawker, Senior Manager, Data Security and Compliance
Radiant Systems