I am a creature of habit.
I get up, get dressed, and go to work just like most people do. Most days, nothing out of the ordinary happens and that’s just the way I like it.
When I get home, I pull in the driveway, park, and head straight for the mailbox. Usually, it’s mostly junk mail and bills. On special occasions and holidays, we’ll get cards from family and friends.
Today, however, the mailbox was empty. When I got in the house, there was a stack of mail on a table in the foyer.
My wife had a worried look on her face and was holding a letter in her hand. It wasn’t like the last time she held a letter in her hand. Last time, she was excited because our son was accepted into a business program at the state college.
Today was much different. I asked her what was wrong. “We got this letter from the credit card company telling us that our card number was one of thousands stolen,” she said. “They closed our account and will be sending us another one soon.” I was surprised, but not shocked, that this happened, because I hear about it on the news all the time; only now, it was happening to us.
I began to trace my steps back to the last couple of times I used that card. Could it have been when I used it at the gas station? Or that time my wife and I went to dinner? The server did take a bit longer to return with our check, I remembered.
I guess it didn’t really matter where it happened — just that it happened. I wasn’t responsible for the charges, but it was frustrating to know how vulnerable our financial and personal information is in this digital age we live in.
The next weekend, my wife and I went to visit our son at his dorm room. He introduced us to his roommate who was a computer science major. Somehow, his roommate got wind of our credit card debacle and gave us some unsettling but sound advice. He told us that getting breached is not a matter of if but when and that it’s good practice to be security minded when it comes to financial and personal data.
Then I started thinking about all the car wash operators out there using the same POS hardware and software most retailers use.
Are we all just supposed to lie down and wait for the inevitable to happen? The quote “Hope is the pillar of the world” came to mind because as an industry we can either simply throw our hands up in the air in despair about what seems like a losing situation or be proactive and strive to do better.
Hoping you aren’t the victim of cybercriminals is not a strategy.
When I got back home I did some research and contacted some colleagues with expertise on ways to keep your POS system and customer information safe from cybercriminals.
Here’s what I learned every car wash operator should know about avoiding point-of-sale fraud:
We’re Easy Targets
Cybercriminals target POS systems because they’re widely available. It just so happens that half of the world’s credit card fraud occurs right here in the United States because we are the world’s single largest user of payment cards.
We’re Using Outdated Technology
Outdated, magnetic-strip technology is still widely used in many places in the United States. Wash operators who want to accept credit and debit cards should adopt EMV Chip-and-PIN technology if they haven’t already. The encrypted code technology of EMV cards, combined with PIN protection, makes transactions 700 times more secure. If you have the option, get an EMV terminal that allows for phone tap/NFC (near field communication) payments as well as Apple/Google Pay. Cybercriminals like to attack low-hanging fruit, so make sure your POS system is chip-enabled.
We Are All at Risk
Large retail breaches seem to dominate in the headlines, but small and medium-sized businesses are also victims. The smaller businesses are a target because their POS systems are usually not as safeguarded as larger systems.
Cybercriminals Are Quick Minded
Security experts believe that even though Chip-and-PIN technology is being adopted in most places, it won’t be long before cyber thieves find new vulnerabilities to target. Either way, wash operators are encouraged to improve the security of their infrastructure and have an incident response plan in place.
Almost everyone has some sort of device connected to the Internet. The problem is that being connected to the Internet provides criminals with a point of entry to wash networks. Your POS system should be completely firewalled from the Internet to keep external threats from getting in.
Secure the POS
Lock the door to your POS system each night — if it has one — or introduce some other physical barrier to the card reader to prevent the introduction of skimmers during off hours.
Keep Customer Card Info off Local Networks
Whenever possible, use tokens to store any financial transactions. Now, I’m not a tech guy, but experts I spoke with told me that tokens act as a form of authorization to proceed with a transaction. This replaces storing your customer’s card information on your local computer network. A thief can’t steal what isn’t there, which makes tokens a nice security feature. Tokens, albeit more secure, do require an uninterrupted Internet connection. If you go this route, look to invest in a fail-safe Internet hotspot that automatically rolls over to cellular if your landline is down.
Variety of Attack Methods
Attack methods like skimming and memory scraping intercept payment card data. Another way criminals get access to a network is to send a malicious attachment or link in what’s called a spear-phishing e-mail to an individual in a company. That’s why it’s important to educate employees about both attack methods and ensure permissions are in place to restrict access to the Internet from the POS system. Employees must also be trained to never access personal online accounts from the wash’s network and to take a proactive role in understanding the technology the POS is built upon, making sure patches and other updates are current.
Third-party vendors or other partners can be a weak link in your organization’s data security armor. Choose reliable and security-minded third-party vendors or at the very least ask what policies they have in place.
A few things easily come to mind when I think about cybercrime: One, it seems to be happening all the time. Two, it’s not just a fast-rising type of crime, but largely a game of numbers — really big numbers in the form of lost revenue!
USE COMMON SENSE
The tips I pointed out above are admittedly from a little bit of research both online and with other experts. But based on my decades in the car wash business, there are a few other things I can point out to you that are just plain common sense and best practices to keep criminals out of your POS systems.
For one, installing a decent security camera/DVR system is always a good investment.
Next, run all reports nightly. How else are you going to know about discrepancies in gift cards, free washes, discounts, refunds, or anything else unusual? Hint: tracking each cashier separately with their unique usernames/passwords will allow you to see what each employee is doing when they are operating the POS system.
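One way to turn that nightly report into a per-cashier exception check, as an added example that is not from the article or any POS vendor. The transaction type names, the row layout, and the thresholds are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict
from statistics import median

# Exception types to watch; these names are assumptions, not a real POS schema.
EXCEPTION_TYPES = ("refund", "discount", "free_wash", "gift_card_load")

# Constructed sample of one night's transactions: (cashier login, type, dollars).
SAMPLE_ROWS = (
    [("alice", "sale", 12.0)] * 20 + [("alice", "refund", 12.0)] * 1
    + [("bob", "sale", 12.0)] * 18 + [("bob", "refund", 12.0)] * 7
    + [("bob", "free_wash", 0.0)] * 1
    + [("carol", "sale", 15.0)] * 22 + [("carol", "discount", 3.0)] * 2
    + [("", "refund", 15.0)] * 2  # no login recorded: cannot be tied to a person
)

def nightly_exceptions(rows, ratio_limit=3.0, min_count=3):
    """Flag cashiers whose exception counts stand far above their peers.

    Returns (flagged, unattributed). flagged maps cashier -> {type: (count,
    dollars)}; unattributed counts exception rows carrying no cashier login.
    """
    counts = defaultdict(lambda: defaultdict(int))
    dollars = defaultdict(lambda: defaultdict(float))
    cashiers, unattributed = set(), 0
    for cashier, kind, amount in rows:
        if not cashier:
            if kind in EXCEPTION_TYPES:
                unattributed += 1
            continue
        cashiers.add(cashier)
        if kind in EXCEPTION_TYPES:
            counts[cashier][kind] += 1
            dollars[cashier][kind] += amount
    flagged = {}
    if not cashiers:
        return flagged, unattributed
    for kind in EXCEPTION_TYPES:
        # Compare each cashier with the median so one heavy user cannot
        # raise the baseline they are judged against.
        typical = median(counts[c][kind] for c in cashiers)
        for c in sorted(cashiers):
            n = counts[c][kind]
            if n >= min_count and n > ratio_limit * max(typical, 1):
                flagged.setdefault(c, {})[kind] = (n, round(dollars[c][kind], 2))
    return flagged, unattributed

if __name__ == "__main__":
    print(nightly_exceptions(SAMPLE_ROWS))
```

Rows with no login are counted separately because they are exactly what unique usernames are meant to eliminate.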
Last night when I got home, the mailbox was empty again but there was a stack of envelopes on the foyer table.
One of the envelopes was nondescript and had a hard piece of plastic in it, which turned out to be my new credit card. When I opened the envelope, my shiny new card, with the embedded chip, was there ready to use.
I was even offered a free 12-month subscription to a credit-monitoring service for my troubles. If you don’t subscribe to one of them, I strongly recommend you do so because you will get e-mail or text alerts if they find any suspicious activity in your name — and it doesn’t hurt your credit score.
Everything was back to normal — at least with my credit card account. I thought about how much I learned just by getting my original card info stolen and, in an odd way, how much it was all worth it.
Good luck and good washing.
Anthony Analetto has over 35 years’ experience in the car wash business and is a partner at SONNY’S The Car Wash Factory. Before coming to SONNY’S, Anthony was the director of operations for a 74-location national car wash chain. Anthony can be reached at (800) 327-8723 x 104 or at AAnaletto@SonnysDirect.com.