Keeping your restaurant & hospitality Cardholder Data Environment safe

Marvin Sandoval, Sales Associate

Reports of new credit card data breaches seem to be in the news daily.  Recent high-profile breaches within major retailers this year should serve as a wake-up call to the restaurant and hospitality industries.  Because these businesses handle high volumes of credit card transactions and often have decentralized security practices, criminal organizations have put the restaurant and hospitality industry squarely in their sights.  The track data on U.S. magnetic-stripe cards remains among the most valuable commodities on the black market, because it allows criminal organizations to clone cards and quickly exploit them for the highest possible financial gain.

For the restaurant and hospitality industries, there are a couple of key questions you might want to ask yourself:

  • First, are we already compromised? As investigations have shown, sensitive data may have been leaking for months before a compromise is actually caught.

  • Second, are we doing everything we can to keep from being compromised? The Payment Card Industry Data Security Standard (PCI DSS) is a great baseline, but taking a few extra steps to be secure is what the current climate requires.

Achieving PCI DSS Compliance is not a guarantee that your organization is secure.  To minimize risk and decrease your organization’s exposure to cardholder data compromise, Coalfire suggests, at a minimum, that merchants within the restaurant and hospitality industry take the following measures:

  1. Understand the True Scope and Extent of your Cardholder Data Environment.  If you mischaracterize or misunderstand how and where cardholder data traverses your environment, then your PCI DSS compliance program may be missing the mark.

  2. Minimize the Amount of Sensitive Data in Your Environment!  Is your organization up to speed on new payment technologies such as tokenization, Point-to-Point Encryption and EMV acceptance?  These technologies can help reduce overall risk and even lower the cost of maintaining PCI DSS compliance.  Make sure your trusted security partner is ready to help you with them.

  3. Adhere to the Principle of Defense in Depth.  A potential attacker may have the time and resources to circumvent one or two security controls; however, a strong security program with multiple layers of security can help prevent attackers from extracting sensitive information from your systems.

  4. Physical Security and Awareness Training.  As merchants’ payment systems become “more secure” in the coming years, we’ll see an increase in physical security attacks within retail environments.  Are you prepared?  What about your employees?  Many QSA firms that offer “social engineering” as part of their penetration testing services can help you address these concerns.

  5. Don’t Get Left Behind!  Your peers and competitors are rapidly adopting new payment technologies and security programs to ensure they do not become the next headline.  What happens to the companies that are left behind?  They become the primary target of criminal organizations.  Avoid becoming criminals’ “low-hanging fruit” by working with your QSA to put new security measures in place.

The security threat to the restaurant and hospitality industries is real.  For the sake of your customers, employees and shareholders, it is time to stay ahead of the cyber criminals and keep your name out of the news.
