Pasta, Meatballs and Credit Card Theft

March 28, 2007 — -- The next time you go out for some pizza, a nice steak dinner or even a trip to the salad bar, you might get something else with your meal: identity theft.

The most common place for credit card information to be stolen is at a restaurant, according to Visa.

The credit card company, which constantly monitors cardholder transactions and data for fraud, has determined that 40 percent of all credit card theft occurs at dining locations -- more than at any other type of merchant.

Gourmands are not being ripped off by waiters or busboys who quickly copy down their information, although that can happen. The problem is a bit more high tech than that.

Most of the theft actually occurs when hackers break into a restaurant's computer system and download the credit card information.

Visa is now starting to crack down on restaurants and other merchants that aren't properly storing credit card data.

Jennifer Fischer, a director in Visa's payment systems risk and compliance department, said the company was not sure why restaurants were more of a target than other businesses.

The running theory, she said, is that once vulnerability is found at a particular well-known restaurant franchise, crooks then exploit that weakness across the entire chain.

Restaurant Industry Skeptical

The National Restaurant Association, which represents 935,000 food outlets nationally, said it was not aware of many problems and was "astonished" to see such a high figure from Visa.

"I don't think that there is any greater problem in our industry than anywhere else," said Todd Mann, senior vice president of business development for the association. "We have just as much interest as the neighborhood Gap store and others in making sure that we're protecting consumer data."

Mann said that every day 192 million people eat at a restaurant in America and that because of that volume he could see why there might be more cases of theft from restaurants.

Hacking Into Stored Data

The theft problem stems from how some merchants -- including restaurants -- store data.

When a credit card is swiped for payment, several pieces of information are provided. Merchants receive the account number, the expiration date and a verification code that Visa and other credit card companies use to confirm the transaction.

That verification code is not supposed to be stored on the merchant's computer, butt Visa's Fischer said that some companies stored the code.

If thieves gain access to that data, they can create a copy of the credit card that can be swiped at stores.

Visa is going after some of the nation's larger restaurant chains, planning large fines for chains found to be improperly storing customer data.

Visa's top 1,200 merchants -- mostly chains representing two-thirds of its $1.6 trillion in annual transactions -- have until the end of this week to confirm that they are not storing improper data. Those who fail to meet the standard could be subject to fines of up to $10,000 a month, through their merchant banks.

Visa would not identify which chains had been the source of problems.

Last year, Visa levied $4.6 million in fines across all merchant sectors, up from $3.4 million in 2005.

Fischer said Visa was trying to work proactively with merchants, getting them to update software so crucial personal information was not stored on their systems. She said the fines were a last resort.

A spokesman for MasterCard said the company did not disclose information about its fines or which types of merchants had more problems than others.

Cards Are Restaurants' Bread and Butter

Credit cards are vital to the restaurant industry. A majority of diners pay with them, and a Visa study of 100,000 quick-serve restaurant transactions showed that customers using plastic spent on average 30 percent more than those paying with cash.

Restaurants also pose another threat for credit cards: They are one of the few places where a card leaves its owner's sight.

There have been cases of dishonest employees who -- with the help of their own hand-held scanner -- downloaded the card's data for their own illegal uses later.

Paul Stephens, a policy analyst for the Privacy Rights Clearinghouse, a nonprofit consumer education and advocacy group based in San Diego, said those thefts were probably underreported because they did not affect as many people at once as a hacker stealing a restaurant's entire database.

So what can consumers do?

"Unfortunately, there really isn't a whole lot that one can do. You can't follow the employee back to wherever it is they take the credit card," Stephens said. "One choice obviously, if you really want to be careful, is you don't use your credit card in a restaurant."

But Stephens noted that credit cards came with financial safeguards that essentially held the consumer harmless for fraud. He suggested that people check their statements regularly and notify the credit card company if they notice anything irregular.

Making Transactions Visible

Some of the large national restaurant chains are taking steps to ensure that credit cards never leave the table.

Last month, Ruby Tuesday restaurant announced it was outfitting all of its waiters and waitresses at its 900-plus locations with portable credit card scanners, allowing them to charge the tab in front of patrons. The company said it was a proactive measure to protect against theft.

Juan Fuentes, manager of Pappardella, an Italian restaurant in New York, said that 80 percent of his customers paid with credit cards.

Fuentes said that people had not raised security concerns with him and that Pappardella showed only the last four digits of a credit card number on its receipts.

The only time he sees a shift away from credit cards is around Christmas, something he attributed to diners having more cash because of year-end bonuses.