Here’s How Old POS Systems Get Retailers Screwed
Understanding the potential implications of the Sonic breach to your business.
Hold the onions … and my personal banking info!
Two years ago, Sonic Drive-In experienced a massive Point of Sale system breach. In September 2017, financial institutions noticed fraudulent charges on numerous cards that had previously been used at the fast food chain. Days later, Krebs on Security reported that a batch of five million credit and debit cards had suddenly shown up for sale online. Krebs’ banking insiders bought some of the cards to investigate, confirming that they had indeed been recently used at Sonic.
Fast forward a year and a half to last May for the real day of reckoning. American Airlines Federal Credit Union—the financial institution that incurred most of the cost stemming from this breach—sued Sonic last spring to recoup millions in expenses.
“The credit union said that because of the breach, it had to cancel or reissue cards, close accounts, block transactions, refund affected customers and increase fraud monitoring efforts,” reported The Oklahoman. (Sonic is headquartered in Oklahoma City.)
Lawyers representing AAFCU claimed that “nearly a quarter of Sonic’s restaurants used POS systems that were nearly thirty years old.” More to the point, that ageing software wasn’t receiving security updates, leaving it vulnerable to the malware that was used to compromise it and harvest credit card information.
The basic mechanics of a POS security breach
Krebs explained, in the article cited above, how hackers use credit card info.
“Malicious hackers typically steal credit card data from organizations that accept cards by hacking into point-of-sale systems remotely and seeding those systems with malicious software that can copy account data stored on a card’s magnetic stripe. Thieves can use that data to clone the cards and then use the counterfeits to buy high-priced merchandise from electronics stores and big box retailers.”
And you thought your mother-in-law was annoying.
Who gets stuck with the tab when a security breach occurs?
Breaches such as the Sonic incident and the prior Wendy’s breach are especially costly when the breached locations are independently-owned franchises rather than corporate-owned chains. In such cases, banks and credit unions that issue cards bear the up-front burden because cards tend to be breached, re-issued and breached again. The Wendy’s breach went on for nine months and was far costlier than the notorious Target and Home Depot breaches.
On Oct 1, 2015, much of the liability for credit card counterfeit schemes shifted from financial institutions to merchants. Those who had failed to adopt chip technology for processing credit cards were officially on the hook for damages stemming from in-store security breaches. In the last 3 ½ years the shift has been impossible not to notice in day-to-day consumer transactions.
The change of law has also figured in several seven- and eight-figure legal settlements. For instance:
- Home Depot settled a similar suit brought against it by financial institutions, in the amount of $25 million in March of 2017.
- Wendy’s lost even bigger, settling for $50 million for its 2018 security breach.
- In addition to the AAFCU suit, Sonic settled a $4.3 million class action lawsuit on behalf of numerous customers. The settlement entitled individual customers to payments ranging from $10 to $40. It concerned all 325 locations that were hacked, listed here.
Writing 172,000 checks (that’s $4.3 million divided by the average of $10 and $40) sounds like an unpleasant way to spend the weekend.
The good news is that, even in the event of a security breach, you won’t be held liable if you’re compliant with PCI (Payment Card Industry) Data Security Standards.
What’s the solution?
Even if your POS system doesn’t predate household internet, you don’t want to leave security up to “common sense.” Whoever you’ve partnered with for your CRM and point of sale needs should be experienced, responsive, and able to discuss issues like PCI compliance in plain English. You don’t just want a vendor—you want a partner who can act as an advisor when needed.
If you have less than complete confidence in your software, or you’re using antiquated hardware, hopefully this will encourage you to deal with it proactively. Making big changes may sound like a pain, but it’s also an opportunity: modern POS and CRM solutions actually take a lot off your plate, from manual data entry to running promotions and other marketing and administrative tasks.