The Green Sheet, Inc

Visa alerts restaurants to lax POS installation

Visa's recommended mitigation strategy

To help merchants safeguard their POS systems, POS vendors (resellers/integrators) should be prepared to answer the following questions from merchants:
  1. Does my POS software store, or track, magnetic stripe data or PIN blocks? (If so, this is prohibited and must be immediately corrected.)
  2. Does my network have a properly configured firewall installed to protect my POS system from unauthorized access?
  3. Are complex and unique passwords required to access my system? Can you confirm you don't use a common or default password across other merchant systems you support?
  4. Does my POS system enable you to have remote access for support or maintenance? (If so, merchants must ensure appropriate controls are implemented to prevent unauthorized access.)
  5. Is the POS system configured so that access to critical functions may be restricted?
  6. Is the POS system for payment card processing used for other functions? (If so, the POS system must be segregated from other functions, such as Web browsing and e-mailing.)
  7. Is the operating system hosting the POS software patched with the applicable security updates in a timely manner?
  8. Has my POS software version been validated as compliant with the Visa Payment Application Best Practices (PABP)? (A list of PABP-compliant applications is available on www.visa.com.)

Source: Visa U.S.A.

A spike in data security compromises at restaurants due to improper POS installation prompted Visa U.S.A. to issue a data security alert in July. The card Association also issued a reminder of ways merchants can protect themselves against lapses.

The alert came eight days after the Department of Justice announced the arrest of most of the participants in a debit card theft ring operating in three restaurants in Los Angeles. That ring allegedly used "skimmers" to obtain account data on upward of 100 patrons.

Yet Visa's alert emphasized the proper installation and use of POS equipment and systems. "We've observed over the last several months a number of small to medium-sized restaurants that have had compromises for a variety of factors linked to ... [reliance] on third-party firms to implement POS systems," said Martin Elliott, Visa's Vice President for Emerging Risk.

FBI Special Agent Julia Jolie, who tracks cyber crime and identity theft, said she was not aware of any recent cases concerning restaurant POS system breaches.

Integrators, resellers and other third-party installers vary in their ability to properly configure common security controls and may leave behind vulnerable POS systems, Visa reported.

The card Association has received reports from merchants and "the market" in recent months about such problems at restaurants nationwide, Elliott said.

"Recognizing that you hire someone to implement precautions doesn't mean all the things you expect to happen [will] happen," he said.

Elliott firmly believes it is a "shared responsibility" among payments-application developers; resellers/integrators, who should make sure their POS systems don't store data; and merchants, who should ask vendors when their systems will make the Visa Payment Application Best Practices list of compliant applications, if they haven't already.

Elliott said system vulnerability may lead to two types of data compromise: internal, such as employees with inappropriate access to credit card data, or security holes that leave open back doors for hackers to exploit.

In the latter, a third-party installer may fail to install a firewall or to segregate an Internet-based POS system from other Internet applications on the same computer.

"If your waiters log on to the Internet to surf the Web and you don't have segregation, you may have employees downloading Trojans and viruses that may be used to compromise your system," Elliott said.

Merchants should ask their processors or ISOs if they use a default password with all their restaurant merchants, because the common password could leave their systems open to intruders from other restaurants, known as a one-to-many attack, he said.

"If there is one theme that is most helpful to the merchant and ISO community, it is to make sure your payment applications are not inadvertently storing track data," Elliott said. "Your employees with access may find that data, download it and away they go. If I'm an ISO, I may want to drop in and say, 'Let's make sure your system isn't storing that data.'"
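Question 1 of Visa's checklist and Elliott's closing point both come down to the same check: is the payment application writing magnetic stripe track data to disk? The following scanner is an added example, not code from the article or from Visa. It looks for ISO/IEC 7813 Track 1 (`%B<PAN>^<NAME>^<YYMM>...?`) and Track 2 (`;<PAN>=<YYMM>...?`) patterns in text such as POS application logs, confirms each candidate PAN with the Luhn check to cut false positives, and reports only a masked PAN so the finding itself does not become another copy of the data. The log lines are constructed for the example; the test card number 4111111111111111 is a well-known Luhn-valid example value, not a real account.

```python
import re

# Constructed sample (not from the article): what a POS debug log might look
# like when the application is inadvertently writing swipe data to disk.
# Line 2 holds Track 1, line 3 holds Track 2, line 6 is a non-Luhn test record
# that a naive regex would flag but the Luhn check rejects.
SAMPLE_LOG = """\
2006-07-14 18:02:11 INFO  ticket 4471 opened, table 12
2006-07-14 18:02:13 DEBUG swipe: %B4111111111111111^DOE/JANE^2512101000000000?
2006-07-14 18:02:13 DEBUG raw: ;4111111111111111=25121010000000000000?
2006-07-14 18:02:14 INFO  auth approved, last4=1111 ref=000123
2006-07-14 18:05:40 DEBUG order total 1234.56 covers=4
2006-07-14 18:06:02 DEBUG test-card: ;1234567890123456=2512000?
"""

# Track 1: start sentinel %, format code B, PAN (13-19 digits), ^, name, ^,
# expiry YYMM, service code / discretionary data, end sentinel ?.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})\d*\?")
# Track 2: start sentinel ;, PAN, separator =, expiry YYMM, the rest, end sentinel ?.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d*\?")


def luhn_ok(pan):
    """Return True if the digit string passes the Luhn check used for card PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep BIN (first 6) and last 4 so a finding can be traced without storing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text):
    """Scan text line by line and return a list of masked track-data findings.

    Each finding: {"line": n, "track": "track1"|"track2",
                   "pan_masked": "411111******1111", "expiry": "YYMM"}.
    Candidates whose PAN fails the Luhn check are dropped as probable noise.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                pan, expiry = m.group(1), m.group(2)
                if not luhn_ok(pan):
                    continue
                findings.append({
                    "line": lineno,
                    "track": name,
                    "pan_masked": mask_pan(pan),
                    "expiry": expiry,
                })
    return findings


def scan_file(path):
    """Scan one file on disk (hypothetical helper for running this over a POS log directory)."""
    with open(path, "r", errors="replace") as fh:
        return find_track_data(fh.read())


if __name__ == "__main__":
    for f in find_track_data(SAMPLE_LOG):
        print("line %(line)d: %(track)s data, PAN %(pan_masked)s exp %(expiry)s" % f)
```

Any hit is a finding to raise with the POS vendor, because storing full track data after authorization is prohibited regardless of how it got into the file. Running this over log, database export and temp directories on the POS host is a cheap way for a merchant or ISO to verify the vendor's answer to question 1 rather than take it on trust.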

Article published in issue number 060801

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
© 2006, The Green Sheet, Inc.