Skip navigation
Ruby Tuesday gets headlines for all of the right reasons

Ruby Tuesday gets headlines for all of the right reasons

Casual-dining restaurant operator Ruby Tuesday Inc. recently made credit card security headlines by doing everything it could to avoid making credit card security headlines.

“I don’t want it to be in the headlines that someone broke into Ruby Tuesday [data files],” said Nick Ibrahim, the Maryville, Tenn.-ed chain’s senior vice president and chief technology officer.

Ibrahim made that remark while explaining why his organization has begun using AES data encryption and has changed its credit and debit card data handling routine at company restaurants. These actions are helping Ruby Tuesday reduce its liability and protect customers from identity theft, he said.

“We do not hold credit card data once we settle the [daily] batch [of authorized transactions],” Ibrahim explained. “Since Friday batches are not revised until Monday, [we] have to keep the batch information for four to 10 days until the bank gives us a [reconciliation notice] for that batch. Once we pass the deadline, the data is removed completely.

“This batch information is only [parked temporarily] in the store. Corporate stores absolutely nothing,” he added.

He said that transaction authorization arrives as three hash marks and the last four digits of the number of the card involved.

“In the past, credit card information for the day [was] readable in the store and [at] corporate,” Ibrahim said. “Currently, credit numbers are not readable, and corporate has no number except the…last four numbers of the cards.”

In a climate where media are sensitized to the potential liability to consumers and their merchants posed by improperly handled credit data and hackers or skimmers, Ruby Tuesday’s new, safer card-handling approach attracted attention and made headlines.

Ruby Tuesday had the new system in place at its more than 900 domestic, company-owned restaurants as of last month. As part of its development process, the operator modified scripts supported by Micros Systems’ RES 4.0 point-of-sale software.

Columbia, Md.-based Micros said that software out of the box complies with the new security standards put forth by the Payment Card Industry group, or PCI.

The move by Ruby Tuesday comes as some foodservice companies struggle to meet the new PCI security standards or explore alternative security options, such as those of Shift4 Corp., operator of the $$$ On The Net payment gateway with tokenization technology, and Merchant Link, with its TransactionVault architecture. It also comes as lawsuits are being filed against restaurant chains alleging that they are not in compliance with new federal regulations requiring the masking of credit card numbers and expiration dates on sales receipts to reduce identity theft.

Ruby Tuesday’s direct link to its merchant bank, without a middleman processor, makes its security plan easier to execute, and the company’s leased, frame-relay network gives it a security leg up, Ibrahim indicated.

By creating an infrastructure that safely handles card data, Ruby Tuesday is one roadblock removed from realizing its chief technology officer’s goal of safely deploying wireless handheld POS devices for tableside order processing and settlement. Such tableside functionality would eliminate or greatly reduce one of the other identity theft concerns among restaurateurs: card data skimming by the rare—but real—larcenous employee.

Ibrahim said his department spent six months on the card data security project. He acknowledged that passing card data straight through to the merchant bank creates more work for his company under certain conditions, such as in card-charge-back situations.

“It’s not going to be any easier,” Ibrahim said of card transactions under the new arrangement.

TJX Cos. Inc., which is based in Framingham, Mass., and owns the T.J. Maxx and Marshalls retail chains, among others, reported earlier this year that its computers had been hacked, potentially exposing millions of consumers to credit fraud. The development was widely reported.

It was the type of headlines that plagued TJX Cos. that undoubtedly compelled Ibrahim and his company to make news of their own.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish