Casual-dining restaurant operator Ruby Tuesday Inc. of Maryville, Tenn., recently made credit card security headlines by doing everything it could to avoid making credit card security headlines.
"I don't want it to be in the headlines that someone broke into Ruby Tuesday [data files]," the chain's senior vice president and chief technology officer Nick Ibrahim commented to me.
Ibrahim made that remark while talking about why his organization has begun using AES data encryption and has changed its credit and debit card data handling routine. These actions are helping the restaurant company reduce its liability in the battle to protect customers from identity theft, he indicated.
"We do not hold credit card data once we settle the [daily] batch [of authorized transactions]," Ibrahim explained. "Since Friday batches are not revised until Monday, [we] have to keep the batch information for 4-10 days until the bank gives us a [reconciliation notice] for that batch. Once we pass the deadline the data is removed completely."
"This batch information is only [parked temporarily] in the store. Corporate stores absolutely nothing," noted Ibrahim. He added that transaction authorization arrives as three hash marks and the last four digits of the card number.
"In the past, credit card information for the day [was] readable in the store and [at] corporate," Ibrahim said of the previous state of affairs involving Ruby Tuesday company restaurants. "Currently, credit numbers are not readable and corporate has no number except the [hash marks] and the last 4 numbers of the cards."
In a climate where consumer and business media are sensitized to the potential liability to consumers and their merchants posed by improperly handled credit data and hackers or skimmers, Ruby Tuesday's new, safer card-handling approach attracted attention. That notice led to headlines and coverage in a variety of media outlets ranging from USA Today to Nation's Restaurant News.
Ruby Tuesday expects to have the new system in place at its more than 900 domestic, company-owned restaurants by April 5. As part of its development process, Ruby Tuesday modified scripts supported by the chain's Micros Systems RES 4.0 point-of-sale software. Columbia, Md.-based Micros said that the software, out of the box, complies with the new security standards put forth by the Payment Card Industry group, or PCI.
The move by Ruby Tuesday comes as some foodservice companies struggle to meet the new PCI security standards. It also comes as lawsuits are being filed against restaurant chains and other retailers alleging that they are not in compliance with new federal regulations requiring the masking of credit card numbers and expiration dates on sales receipts to reduce identity theft. Neither of those issues should be concerns going forward at Ruby Tuesday company restaurants.
Ruby Tuesday's direct link to its merchant bank, without a middleman processor, makes its security plan easier to execute. And its use of a leased, frame-relay network gives the chain a security leg up, compared with networking across the Internet, Ibrahim indicated.
One of the great things about the new approach to card security at Ruby Tuesday is that it supports one of Ibrahim's visions for the chain. By creating an infrastructure that safely handles card data from the outset, the chain is one roadblock removed from realizing its chief technology officer's goal of safely deploying wireless handheld POS devices for tableside order processing and settlement. He said he'd eventually like to see "everything happen in front of the guest."
Such tableside functionality would eliminate or greatly reduce one of the other identity theft concerns among restaurateurs: card data skimming by the rare, but real, larcenous employee.
The full extent of liability tied to the theft of consumer credit information in the care of restaurateurs or retailers is not fully known, as we have not been in the age of hackers and card-skimming devices long enough to have a full body of court cases or judgments to guide us. But you have to believe that the loss-prevention team for TJX Cos. Inc. is playing out scenario after scenario even as you read this. That Framingham, Mass., company, which owns the T.J. Maxx and Marshalls retail chains, among others, reported earlier this year that its computers had been hacked, potentially exposing millions of consumers to credit fraud.
It was just the sort of headline suffered by TJX Cos. that Ibrahim and company worked hard to avoid.
Ibrahim said that about 70 percent of his department spent six months on the card data security project. And he acknowledged that the strategy of passing card data straight through to the merchant bank creates more work for his company under certain conditions, such as in card-chargeback situations.
"It's not going to be any easier," Ibrahim said of card transactions under the new arrangement.
It was clear to me that the second half of that thought, left unsaid, was an unequivocal, "but it will be safer."