The 2014 edition, the 16th, of Hospitality Technology magazine's Restaurant Technology Study has been published as an 18-page report.
Of specific interest to me was Chapter 5, Payment Security – “End of Swipe-and-Sign Looms”. The chapter states:-
The U.S. payment industry is in a period of transition. October 2015 will mark the end of swipe-and-sign. While card brands are committed to swapping mag-strip for EMV chip-based cards, the standard for authentication remains under debate: signature capture or PIN. While PIN authentication is considered the more secure option, there’s concern that Americans, who tend to have a variety of credit cards, would struggle to manage multiple PINs.
As the restaurant industry, and U.S. merchants at large, take a wait-and-see approach, HT (Hospitality Technology) measures the industry’s current and planned payment security practices in its 2014 Restaurant Technology Study.
The food service industry, with its fragmented technology, has historically been a target for card data theft. The sunset for swipe cards will be a welcome improvement. EMV preparedness is on restaurants’ radar, with 70% of those surveyed agreeing that it is important to have a well-defined roadmap for EMV preparedness.
When asked about their organization’s current approach to preparing for EMV:
- 26% report having some form of roadmap in place; likely due to the lack of a standard
- 37% will make this a priority in the year ahead.
What’s more, confusion with the current PCI DSS remains:-
- 86% report that their organizations are “in compliance” but far fewer are able to identify compliance with some of the 12 specific requirements
- 72% report that their organization maintains a policy that addresses information security for employees and contractors (item 12 of the PCI DSS).
With payment security an ongoing process and a moving target, restaurants are leveraging third parties for assistance. More than half of those surveyed outsource their PCI compliance efforts (54%), and nearly as many (52%) have purchased some form of breach protection or insurance.
Respondents were further asked about their organizations’ use of tokenization and point-to-point encryption (P2PE). Though not a requirement of PCI DSS, these technologies can reduce scope by shrinking the footprint where cardholder data is located throughout the organization.
- 43% use P2PE and 33% plan to add the technology by 2016
- 36% use Tokenization and an additional 30% have future implementation plans
The full report can be found here.