Someone with a Secret Service badge has just informed you that she believes credit card numbers are being stolen from your restaurant by a European organized crime ring. That person says it is because you plugged your wireless access point into the wrong port. Angry people are standing across the counter; their bank accounts have been drained, and they are accusing you of stealing their rent money. Visa is saying that you have to pay $12,000 for a forensic audit of your POS. All because you wanted to offer free wireless.
In the wake of Sam's Club this week adding its name to major chains now supporting free customer Wi-Fi, this is no longer a cutting-edge experimental endeavor. Let's back up about 18 months, when you made the decision to install a wireless hotspot for guests. At the time, you were feeling pressure to keep up with the other area restaurants that were stealing away your customers because they had wireless and you didn't. After talking to your nephew Steve, who studied computers in school, you decided to implement wireless in your store, and it was pretty easy. You went to Best Buy, picked up a wireless access point for less than $100, came back, plugged it into the DSL modem and followed the directions. You had it up and running in under an hour. Remember how you were so proud of yourself?
Then, after a few months, the service stopped working. Guests started to complain. When you went into the back to investigate, you found your office shelf a mess. Wires were everywhere, and you saw a bunch of unidentified electronics. You think one piece might be for the old cable modem. And at least one runs the music, while another is for the TV and a third goes with the video cameras. You reach behind what you believe is the DSL router and start rebooting things. It doesn't fix the problem, so you start looking at cables to make sure they are plugged in all the way. Maybe one was loose. Where did that one go again?
After half an hour, you give up. Steve isn't around, so you grab one of the kids who works the register and is always talking to his friends on Facebook on his phone (instead of working) and ask him to fix it. He messes around for a while and eventually connectivity is restored. Phew. Thankfully. But the kid doesn't say what did the trick, and you don't ask. You're just happy to be back up and running again. Little did you know that this moment in time may cause you to lose your life savings and shut down your restaurant.
Why? Because what that helpful crew member didn't say was that he got the wireless to work by:
- Unplugging the firewall.
- Changing the firewall rules.
- Moving it to the POS network.
- Or who knows what else.
Stuff like this happens every single day. Restaurant operators feel the pressure to offer wireless service because it has become an industry standard. But they often have little idea of how to either properly set it up or maintain it. Such a seemingly little thing can have such a disastrous impact. This fictitious scenario assumes the wireless access was set up correctly in the first place, which I would venture to guess is not accurate in many cases. Even if someone who knew what he was doing set it up, it is unlikely to be in the same state a few months later. Stuff happens.
I can't tell you how many restaurants I have visited that have a POS plugged into a wireless router that is plugged into a DSL modem. No firewall in place; wide-open wireless access settings. It is by far the "easiest" way to get all the components to "work."
When I ask an operator about the setup and why the shop doesn't have a firewall, that person says, "We do have one!" And I am shown a box clearly stating that this little beauty-of-a-device is a "Router/Firewall/Wireless Access Point." I then ask, "Have you configured the firewall rules?" The response: "Uhhhhh. What rules?"
Silly or not, even the formatting of the PCI Council's self-assessment questionnaire (SAQ) can come into play. If you look very closely at the SAQ-C, Requirement 1 is listed as "Install and maintain a firewall." I have had more than one person repeat that to me. The problem is, that's not the entire requirement; there is an awkward line break. The actual requirement says "Install and maintain a firewall configuration to protect cardholder data." Configured or not, our fictitious restaurant has a firewall in place, so management thinks it can check that particular SAQ box.
So what can operators do to make sure this problem doesn't happen to them?
- Keep wireless guest access separate from the POS network. Get a second DSL line or use a cellular-based wireless access point (like MiFi) instead.
- Create a drawing that shows how things are connected. Make sure that drawing is as detailed as possible.
- Label the ends of all wires. It can be as simple as masking tape wrapped around the ends, but clearly call out where each end of each cable is "supposed to be" plugged in.
- Keep cables neat and organized. Use cable ties or zip ties or even electrical tape. The more tangled the wires are, the more chance for error.
- Label each piece of equipment with its purpose and who supports it, along with that person's phone number. Remove any equipment no longer in use.
- As silly as it sounds, put electrical tape over unused ports on a router or modem. It may stop someone from accidentally plugging in something.
- Have an IT person periodically look things over and make sure everything is OK. Use someone you trust, not just a kid from down the street.
- If you have to guess at anything, STOP! If you are not sure what a device does, talk to someone who can help you out. Guessing can get you into a lot of trouble.
Although these pointers will help, being compliant ultimately comes down to understanding that the IT systems in a restaurant are critical and should be treated with care. One small configuration error can have a dramatic impact on the business.
What do you think? Leave a comment, or E-mail me at [email protected]. You can also follow me on Twitter: @todd_michaud.
A bike crash and a nagging case of shin splints have really slowed down my Ironman training. Read more at www.irongeek.me.
Term Of The Week: "Free CriFi"--a pun on "Free Wi-Fi" describing when wireless access is set up to allow criminals easy access to credit card data. "I was able to snag those dumps using their free CriFi. Holla!"