Increasingly, one of the most pressing issues for lodging, restaurant and food & beverage industry businesses is credit card fraud. Increasingly, for your customers, the pressing issue is identity theft; and watching over their credit card transactions for signs of compromise after they visit any retail or service establishment. One might think that the primary threat for fraud (merchant) and identity theft (customer) during the non-cash transactions is only on-line over the Internet… think again. The potential for compromise in a one to one employee and customer interaction, compared to hackers getting into your credit report over the Internet, is during the physical bankcard transaction procedure at the point of sale. It is also the type of payment transaction that you have personal control over and can preclude fraud or “skimming” by using new technology and procedural controls at the time of authorization and payment capture during the sale. You should occasionally consider the question, “Are we (the merchant) doing everything we can to help our customers be secure from credit card fraud, skimming and identity theft at our establishment?”

So, as the story begins, I was on the phone with the General Manager of a boutique hotel and five-star Italian restaurant out in Southern California. We are friends, have done business and a certain level of trust has developed over time and he relates the following story to me.

He’s back and forth wearing all the hats as a GM that he can during lunch hour on a Friday. This means longer lunch hours for the executives visiting and entertaining in the restaurant, but it also means check in for the weekend at the hotel, both are connected through a giant arched passage that was made to join the two together years back. He’s standing at the hotel desk and looks across at a waitperson he hired some months back and notices they are lingering by the cash register alone. At first he thinks they should be doing something, should be providing service and he wanders over to check on them. As he gets closer he notices they are sort of hiding what they are doing and position themselves with their back to anyone that would walk up to the counter. He walks around them and notices they quickly stick a small “black block” into their apron and then smile, laugh a little and start to process a credit card they were holding at the POS terminal. My friend is innocent, thinks the best of people at all times, but is curious and begins to ask questions. He knows they have had the credit card and that some time has passed; that something is not right and the procedure is taking too long and the customer waiting at their table may become impatient. He asks some questions like, “is there a problem?”, “can I assist you?” and again, smiles and a nervous laugh from the waitperson. Next, “what’s in your apron pocket that I saw?”. Back and forth they go, nervousness continues to get worse, he doesn’t know exactly what is going on and so he asks for them to follow him to his office. Once in the office he orders them to empty their apron pockets onto his desk. Pens, order book, tips, odd pieces of paper, keys and the “black block” appear. He picks up the “black block” and notices it’s quite small and has a slot down the center just like a credit card swiping terminal. At first he doesn’t know what it is, nor does he suspect anything, but he keeps it and orders the person back to the floor because business is still great that day.

To make an even longer story short, the waitperson does not show up for work the next day and he takes the “black box” with a card slot to an electronics store on his lunch hour and asks, “do you know what this is?”. The electronics store manager says, “yes, it’s a magnetic strip card reader, or mag-stripe reader, it’s used for reading the personal and account data off of credit cards or drivers licenses.” My friend realizes he’s innocent no more, has heard of and watched the news on credit card skimming, but now knows that an employee was “skimming” credit card information and probably selling it to someone.

According to the U.S. Secret Service, yes, the same people who handle counterfeit money problems, “credit card skimming” plays a central part in identity theft and counterfeit identification cards; and is the fastest growing type of crime they handle in the United States this moment.

Some quick background on “skimming” and “magnetic strip readers” that owners and managers of hotel, restaurant and bar/club establishments should be aware of. First, the Internet is full of “honest” companies with “do it yourself kits” and “hacker sites” for building or buying MSR’s (magnetic strip readers) that read, store and transfer the information on tracks 1 and 2 to another blank magnetic strip inside the MSR or to a device connected to the MSR. There are no less than 15 different manufacturers of mag-strip readers. They can be configured to connect (serial, parallel, PS2, Bluetooth, USB, game port, RS-232) to a computer, POS terminal, printer or hand held device that decrypts the magnetically stored data into usable information. The data that is stolen is usually sold or transmitted by the employee to a “buyer” who recruited the employee in need of “extra income”. Your customer’s bankcard information is then sold for as little as $50 per “swipe” and up to hundreds of dollars for premium card data. MSR’s look like some of these examples:

In the end, the purveyors of stolen credit card data take the “black block” from the employee and hook the card up to their notebook computer, feed the data into a software program (often comes with the kit) and utilizes it to “write” the information to a new card or try and use it for telephone or Internet “voice” purchases. Any establishment still using a card imprinter for processing is most vulnerable to fraud because the time lag for processing and depositing the tickets at the merchants bank. A waitperson, as in my friends scenario, could pick up several “swipes” a day for a potential $500-1000 a week extra income.

Merchant card acquirers, processors and card issuers are doing quite well with developing procedures and layered technologies to identify fraudulent use of credit card data, however; you can add integrity to the bankcard transaction at the “front end” of the transaction cycle and add a high level of confidence with your customers by adopting new wireless mobile credit card processing technology and subtly communicating new procedures that give the customer a choice to:

  1. let their card disappear with the staff for processing at the counter or POS area or
  2. watch their card being processed in their presence at their table, door or other customer convenient area with a wireless mobile bankcard terminal taken to their location or
  3. the customer takes the card up to the counter or POS area and observes processing.

Communicate the option for providing physical integrity of the bankcard transaction process in their presence by having employees “refuse” to remove the card from their presence with an offer for the three options above. Then see, over time, if bankcard transactions in the customer’s presence are requested more frequently.

The solution is to provide and train for new wireless mobile credit card terminals for your managers and employees to offer customers or to utilize based upon new operational policy. Your employees and managers can deliver products or services with a bill by taking the point of sale to the customer and then process the credit card at their door or table, in front of their eyes. Staff can bring the portable terminal to the restaurant table and offer to process the bill at the table instead of removing the bankcard from the customer’s sight. If you cater events, provide deliveries, host a bar at events, offer in room check out or need a “back up” terminal for busy days, bills can be processed at the customer’s location, no matter where they are, with wireless mobile terminals.

How does this work? Well, a variety of wireless mobile credit card POS terminals are available from Verifone, Hypercom, Lipman-Nurit and Motorola that operate on batteries, are cordless and employ wireless technologies to transmit and process data just like your cell phone, personal data assistant or notebook computer. They use CDMA/GSM (dual band) / GPRS and Wireless LAN (802.11b) / WiFI (802.11i) to authorize and capture bankcard transactions away from your cash register. They can batch and transmit data just the same as your cabled credit card terminal via built in TCP/IP or dial-up modem. You have many options including storing the transaction in the unit after the pizza delivery and then “batching” directly from the unit at closing; or, you can swipe the credit card at the restaurant table and transmit the credit card transaction over your WiFi network back to your wireless networked POS or PC. For businesses that deliver to hotels, homes and businesses; say pizza restaurants, you can authorize over the phone and then swipe (capture) the card transaction at the customer’s door and get the signature on the spot. This offers an added benefit of lowered bankcard transaction costs (swiping versus keyed) and can help pay for the cost of a new mobile terminal. The options and applications are open here, but the main point is to have a mobile technology that’s simple for employees to process credit, debit, bankcards in the customers presence, which precludes any opportunity to “skim” credit card data and adds a tremendous amount of confidence with your customers regarding your establishment’s integrity.

My three picks for mobile wireless technology terminals are the Verifone Vx 610, Lipman-Nurit 8000 and FHMS Motorola AirProfit. These terminals offer a completely integrated card processing, integrated pin pad and batching solution, yet very simple to operate, with ATM machine style keys and menus. The Nurit 8000 has all the same features, but added an integrated signature capture pad, whereas the Vx 610 and the Motorola AirProfit get the signature on the printed thermal paper receipt. They also have built in data encryption security, RS-232 peripheral port, RJ-45 cable networking port and dial up modem (RJ-11 port), RF modem and TCP/IP batch transmission interface. All authorize and capture payment by bringing the POS area to the customers location.

I would not recommend any terminal that uses Bluetooth technology as this is not a secure data transmission protocol and is subject to “Bluejacking” or “Bluesnarfing” as hackers call it. This is where hackers can capture information from a Bluetooth enabled device (cellphone or personal data assistant) at distances of up to a quarter mile, transmit it to their notebook computer and then use the data for malicious purposes. Bluetooth is a personal networking technology and is not a secure business wireless network solution. In our scenarios for discussion here, bankcard information could be “hacked” or retrieved if your Bluetooth terminal were out in open public areas, such as a patio café, delivery or outdoor catered event.

Now, back to the question… and if not, why not take action towards utilizing mobile wireless terminal technology and training employees for new operational procedure changes to help protect your establishment from fraud and your customers from identity theft. Why leave the burden of trust with customers on your employees or risk your good name in the community to being tarnished?

© Clayton Gilman 2005

Clayton Gilman represents First Horizon Merchant Services, Inc. () one of the top non-cash payment solution providers in the hospitality industry and is an authorized vendor/supplier to all lodging and restaurant industry franchises. He offers merchant card services, factored credit lines and other non-cash payment solutions to his clients in the hospitality, retail chain and leisure industries. He can be reached in Tulsa at: (918) 398-0968 / [email protected]

Clayton Gilman