he restaurant business is one of the few in which entrepreneurs can compete effectively against national chains. Since so many are small, level-4 merchants, they are the ISO's bread and butter - and main course, too. Yet, this very independence makes eateries a big bankcard risk for data theft. Usually more concerned with maintaining health department regulations, restaurants can be lax on their compliance with the Payment Card Industry (PCI) Data Security Standard.

Of known Visa U.S.A. bankcard data compromises occurring over the past year, 40% involved restaurants, said Martin Elliott, Visa's Vice President of Emerging Risk, during a Dec. 12 Visa webinar for restaurant merchants. Entitled "Keep Data Security on the Menu," the session covered POS system basics for securing restaurants against data theft.

And the trend is upward: Of data breach cases now open, 53% took place at restaurants, Elliott said. Nearly all are due to storage of full magnetic stripe data beyond authorization of the transaction, a violation of PCI. Full data listed on tracks 1 and 2 must not be stored. Hackers are primarily attacking brick-and-mortar merchants; processors and agents are also targets to some extent.

Ingrid Beierly, Visa's Director of Investigations and Fraud Management, who was also on the call, outlined steps to ensure the security of the POS network:

• Install a full-featured hardware firewall between the POS and other noncritical or distrusted networks, such as the Internet.
• Change all default settings and passwords on the firewall.
• Configure the firewall so that it cannot be disabled and so that it issues an alert if someone attempts to disable it.
• Implement rules on the firewall to only permit ports (for both inbound and outbound traffic) and services necessary for business purposes.
• Enable logging on the firewall, and review logs periodically.

She said hackers will abuse restaurant networks to attack POS systems if they can find access. A host that acts as a Web server should provide only Web pages, not access to that host, unless the outside user successfully authenticates. Host authentication is critical to prove that a connection being made comes from a source with legitimate access. SSH (secure shell), a program for logging into a network and executing commands from a remote machine, is an example of host authentication technology. Examples of POS hosts in a restaurant application are Aloha and Micros.

Restaurant networks that have a computer connected to the Internet should have two firewalls, Petr Darius, a Director in Visa's Emerging Risk department, told webinar participants. The first is situated between the modem that accesses the Internet and the entire restaurant network. The second firewall segments and protects the POS host and terminals from the rest of the restaurant system, where e-mail and Web access can admit malware, such as viruses and Trojan horses.

Internet protocol (IP) systems are designed with remote management (RM) features, providing back-door access to networks that permit software vendors to remotely troubleshoot and apply updates and patches, Darius said. Examples of RM systems (also known as virtual network computing, or VNC) are RealVNC, Symantec Corp.'s pcAnywhere and Microsoft's Remote Desktop.

PCI specifies methods for protecting POS networks from back-door attacks, he added. These require or recommend that merchants do the following:

• Upgrade to the latest version of the RM product or service, and ensure the latest security patches are applied.
• Configure the modem/software to provide dial-back functionality if the remote connection is via dial-up.
• Enable blocking of remote computer IP addresses after a defined number of failed log-in attempts.
• Prevent users from reconnecting to the host from the remote system after an abnormal session.
• Enable any features that prompt the host operator to confirm incoming connections.

This last recommendation means merchants should know in advance that a service call is coming from the software or system vendor.

Our next report on this Visa webinar will look at more ways to secure the network host computer and the POS from back-door attacks. It will also cover ways to defend against SQL injections, a type of malware.