By Ethan Gibble
A while back I wrote about the restaurant benefits of the swipe fee reform and now, a few months later, I want to bring debit card and credit card transactions in restaurants back into focus. The swipe fee reform has been passed so that, beginning October 1st, the swipe rate ceiling will be 21 cents per transaction--much less than the previous 44 cents per transaction, but more than the proposed 12 cents per transaction. Is that a win or a loss for foodservice and other trade association executives?
That likely depends on whether your glass is half empty or half full. I've come across two articles over the past week or so, however, that have everyone's glasses toppled over with water dripping to the floor.
First, an article published at bankinfosecurity.com covered a security breach that rendered hundreds of consumers' accounts vulnerable. 200+ people reported fraudulent debit and credit transactions being applied to their accounts after dining at a small Texas eatery, but it wasn't the restaurant at fault--it was a third-party breach.
Adhering to the Payment Card Industry Data Security Standard is the best way to ensure the protection of cardholders' information but, the article says, auditors will sometimes be lenient if a merchant acquirer is putting forth genuine effort to become PCI compliant. "Compliance does not always mean compliant," said Jerry Silva, founder and financial-services technology strategist for PG Silva Consulting.
But for Neal O'Farrell, founder of the Identity Theft Council, skimming at restaurants--when first-party restaurant employees, like waiters or waitresses, steal credit card information used in an otherwise legitimate transaction--is a much greater concern. "Skimming at restaurants is almost impossible to prevent," O'Farrell said. "Most restaurants are small businesses and typically don't have the resources to focus as much as they should on security."
"They are notorious for high staff turnover and for not conducting criminal background checks, which makes them exceptionally vulnerable to insiders," he said. "And without effective security, they're usually the last to know about a breach. Most restaurants find out they've been breached only after complaints by their customers or notifications from their card processors."
That ended up being a stroke of prophetic genius by O'Farrell, as today I came across this article on WTSP.com about a waitress ripping off customers with a credit card skimmer. The waitress, Kathryn Shana'e Perez, was responsible for thousands of dollars' worth of fraudulent transactions. The victims? They were targeted after they "...ran her around, made her work real hard," according to local detective John Suess.
How dare they.
A CliffsNotes version of what we learned today, for those of you keeping track:
- On October 1st, swipe fee reprieve is coming, to a lesser degree than originally hoped for.
- Processor and transaction acquirer security is not infallible.
- If you don't already have a meticulous hiring process, you may want to incorporate one. Or at least pay in cash when being waited on by Kathryn Shana'e Perez.