October 17, 2024

Keep your data safe in a third-party vendor world

When partnering with vendors for your business, protect yourself against fraud, breaches and theft.

Operators rely on third-party vendors to keep their restaurant and foodservice businesses running smoothly. 

Whether providing necessary supplies and services, like food and packaging products, or payments and IT services, third-party vendors are crucial to the effective running of restaurants. But, because they’re privy to sensitive information and data, they can represent considerable cybersecurity risks as well. 

According to iFlock Security Consulting, every vendor represents a potential entry point for cyber threats. Because third-party vendors often have access to sensitive information, like product specifications, customer data, and proprietary processes, data could be exposed, causing significant financial and reputational damage to your restaurant if their systems are compromised. The company offers key strategies to mitigate the risks.
  1. Conduct vendor due diligence. Evaluate your vendor’s security policies, practices, and compliance with industry standards. Ensure they have robust measures in place to protect the data and systems they will have access to.
  2. Define your cybersecurity expectations in the vendor contract. Include specific security requirements, such as regular security audits, data encryption standards, and incident reporting protocols. The contract should also require regular assessment of vendor cybersecurity practices.
  3. Monitor your vendors on a regular basis. This is critical. Conduct regular audits and assessments to ensure they maintain required security standards. Review their security policies, perform penetration testing, and evaluate their response to previous incidents.
  4. Limit vendor access to your systems and data. Vendors should only have access to information and systems necessary to their roles. Regularly review and update access controls to prevent unauthorized access.
  5. Establish clear incident response procedures. In the event of a cybersecurity incident, work with your vendor to contain the threat and minimize damage. Ensure your incident response plans are aligned and that communication channels are established.
  6. Implement a third-party risk management framework. Include risk assessments, ongoing monitoring, and incident response. Integrate it into your overall cybersecurity strategy to ensure vendor risks are managed as part of your broader security efforts.
  7. Obtain cybersecurity insurance. Ensure your vendors carry adequate insurance coverage to mitigate financial impacts of cybersecurity incidents.
When it comes to payment processing security, it’s essential you protect sensitive cardholder data from falling into the hands of fraudsters and thieves. Heartland Payment Systems reports that every business choosing to accept credit cards as payment is responsible for signing a contract with a card processor, buying or renting the hardware associated with it, and assuming responsibilities related to security. 

One of the ways to protect that data is through PCI compliance. The Payment Card Industry Security Standards Council, whose members include Visa, Mastercard, American Express, Discover, and JCB, has created a series of benchmarks that businesses follow to care for and safeguard their customers’ cardholder data. Failure to comply with PCI DSS can devastate a business.

According to published reports, approximately 60% of small businesses that don’t comply with the standards could lose up to $200,000 and go out of business within six months of a data breach. That figure includes:
  • The cost of a forensic investigation into the data breach
  • Fines and penalties from the payment processor and financial institution, which vary based on business size, and scope and duration of noncompliance
Business operators sit on a goldmine of data and face multiple security challenges, and hackers typically stop at nothing to gain access to that information. Take serious strides to protect your business and customers from the devastation a data breach can bring.
  • Learn about the security measures you can expect from POS dealers and payment processors.
  • Accept EMV chip cards only. Those chipped cards, when processed through proper EMV-enabled hardware, offer more security and protect against theft and fraud. 
  • Adhering to PCI security requirements isn’t a one-time task. Weave the standards into your business’ daily operations and culture. Just because standards are met once doesn’t mean you can’t get breached if an unaddressed vulnerability occurs in the future. An ongoing commitment to security is the only way to protect your business and customers.
  • Partner with a processor that minimizes your liability by encrypting card data within a secure acceptance device and using tokenization for stored data. That way, no viable card data will be exposed during transactions or saved in your business’ systems. No credit card data storage = lower risk.
Sponsored by Heartland