Most Likely Site of Credit Card Theft: Restaurants

Visa reports that more credit card information is stolen at restaurants than at any other type of business. 40% of all credit card information theft is traced back to restaurants. But don’t blame your waiter!

Even though you’d think it would happen when the waitstaff takes your credit card out of your sight, that’s not when it happens. It’s not even the local staff stealing your digits and going on a shopping spree, either.

Most of the theft actually occurs when hackers break into a restaurant’s computer system and download the credit card information. […] Jennifer Fischer, a director in Visa’s payment systems risk and compliance department, said the company was not sure why restaurants were more of a target than other businesses. The running theory, she said, is that once vulnerability is found at a particular well-known restaurant franchise, crooks then exploit that weakness across the entire chain.

It sounds like chain restaurants would be more vulnerable than mom-and-pop locales. But why are restaurants so bad about keeping your personal data sufficiently protected?

MARK ASHLEY

Pasta, Meatballs and Credit Card Theft [ABC News] (Thanks Dr. Vino!)
(Photo: powerbooktrance)


  1. datruesurfer says:

    Maybe someone can explain this to me: WHY do restaurants store this information?! Unless they are charging your card monthly for some kind of membership, they have absolutely no reason to be storing my card number in their system.

  2. DeeJayQueue says:

    …because restaurant owners do not care about their computer systems. They care about the ability to accept credit cards in general, and the ability to keep their waitstaff honest about what they put through to the kitchen. They go for the bare minimum system that will allow them to do this.

  3. facted says:

    Does anyone else notice that many restaurants will print your credit card # and exp. date right onto the receipt that they keep (rather than the last 4 digits)? What’s up with that? I know that it says that waitstaff don’t steal your credit card info generally, but this can’t be good for card security (+ if they ever throw those receipts away).

  4. Kyoko says:

    Boy, finally I could be a commenter on one of your topics beside just being a reader.

    Sam Woo (18908 Gale Ave, Rowland Heights, CA 91748, (626) 913-0213), once charged me and my girlfriend 15% tip which we actually tipped them 10% and we did write down the EXACT AMOUNT that they should be getting. Instead, they put it themselves. It was just the two of us, and within their bill, they did not say anything about automatically add the tip to 15%.

    What we did to correct it was to call up sam woo, and tell them that we only put 10% and this is the exact amount. They corrected it, and it did show online that we got the difference.

    After that incident, we track down every spending that we did. Before I leave the restaurant, I write down the amount in my PDA, and then check them if it is the same amount in my online statement.

    Some restaurants did charge us LESS for some reason (Java Spice – 1743 Fullerton Rd, Rowland Heights, CA (626) 810-1366), but there are some other occasions that we did get charged more for it. (I don’t remember)

    RARE, but it does happen sometimes.

  5. grandaardvark says:

    Having been a manager in the restaurant industry, I can shed a little light. First off, restaurants are not supposed to be printing your acct. number anymore. If they are, they haven’t upgraded their software, and are not in compliance with the law. Second off, it’s not a case of going for the most bare-bones systems, the restaurants I worked at all had fairly high end systems. Think about this: most restaurants now have Wi-fi, even if it is private. Retail stores generally do not. That immediately makes it more vulnerable to hackers. Most restaurants (including the high end ones I’ve worked at) don’t pay anyone using a laptop for an extended period of time any mind. Do you think the Gap would ignore somebody sitting in the middle of the floor for an hour with a laptop? It just seems to me that restaurants have some unique exposure points.

  6. facted says:

    @grandaardvark: Where is the account # issue a law? I currently live in NY and there are many restaurants that print my account # and I’d like to say something, but I’m not sure what I can do. Any suggestions?

  7. muddgirl says:

    I have had my credit card physically stolen at the same bar twice in the last few months.

    This has no particular bearing on the above story, I just wanted to share how retarded I am to keep going back there.

  8. everclear75 says:

    I’ve had my CC Number stolen @ a local chain steakhouse (Texas Roadhouse). Come to find out one of the busboys was somehow accessing the restaurant computer to gather all sorts of CC #. Luckily my CC company @ the time (Chase), flagged it because the stupid DumbS**T tried to use a bogus card with my number to try to buy 2000 dollars worth of CDs @ a mall music store. And the music store got suspicious.
    As far as the Acct # on a receipt it is illegal for businesses to have it printed on a receipt. Although there is this local doughnut shop who still prints on it. They look @ me funny when I take a pen and scribble thru the number.

  9. grandaardvark says:

    From The Fair and Accurate Credit Transactions Act of 2003:
    “Helping prevent identity theft before it occurs by requiring merchants to leave all but the last five digits of a credit card number off store receipts. This law will make sure that slips of paper that most people throw away do not contain their credit card number, a key to their financial identities”

    Here is a link to the page:

  10. grouse says:

    As far as the Acct # on a receipt it is illegal for businesses to have it printed on a receipt.

    People keep claiming this, yet provide no evidence.

  11. isadora says:

    Can I just say 15% should be standard by now? I’d like to teach the world to tip and smile at their servers. Thank you.

    In related news, I had my debit card stolen at a very nice restaurant. They took it away with the tray and I didn’t notice (damn wine!) and they went to a 24-hour store and bought a TV before I noticed the following morning. I called the restaurant and they were completely rude to me and called me a liar. (Kruse & Muer–a Detroit-area chain of upper scale restaurants in case you care).

    Luckily, the bastard who took it got caught because they didn’t know they were under surveillance at the mega-mart! Score one for justice.

    And my bank was great about it!

  12. facted says:

    Here’s an interesting site about #’s on receipts.

  13. facted says:

    One interesting question is whether the law prohibits the numbers on both receipts that are given to you and the one held by the restaurant or only the one that is given to the customer.

    From the FACT: “[N]o person that accepts credit or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt PROVIDED TO THE CARDHOLDER at the point of the sale or transaction.”

  14. unsunder says:

    I am a server at an independently owned Italian restaurant. We just upgraded our system but before that you could go into the main computer and look at all the credit card numbers from that day. I’m pretty sure it’s the same across the board. Computers only store the daily transactions and they are all batch processed at the end of the day. The old system did come in handy somewhat often. Sometimes our computers lose the information when there are multiple credit cards on the same ticket (split check). So we would have to go into the system and run the card again manually. Keep in mind that running the card again only re-authorizes it and no charges are made until the batch later that night. I’ve had to rerun people’s cards before and they are usually happy with the explanation.

  15. snoqBob says:

    Radiant Systems (Aloha) is probably the largest provider of POS systems in the country. They contract out services to support providers who are ‘certified’ via a partner assessment questionnaire. A questionnaire! Who in their right mind does this? You can imagine what safeguards that these support providers use when implementing these systems? Think PCAnywhere loaded on their POS servers that are accessible from anywhere. No really! We refused their request to open up PCAnywhere to any IP address, and insisted they use our VPN. I shudder every time I use a credit card in a restaurant.

  16. elisa says:

    California law says that the credit card number must be truncated on your receipt. Starting in 2009, it must be truncated on the merchant’s copy too. However lots of businesses have already upgraded to truncation on both (the business I work at has), but many businesses still do not truncate either (and are thus technically in violation). I don’t think it’s well publicized, I only know because I know someone who worked at the California Office of Privacy Protection (yes there is such an agency! first in the nation I think) and they got calls all the time from people and businesses with questions about this.

    Here are the citations:….
    “Credit Card Address Change – Civil Code section 1747.06.”

    and the actual civic code:

    1747.09. (a) Except as provided in this section, no person, firm,
    partnership, association, corporation, or limited liability company
    that accepts credit or debit cards for the transaction of business
    shall print more than the last five digits of the credit or debit
    card account number or the expiration date upon any of the following:

    (1) Any receipt provided to the cardholder.
    (2) Any receipt retained by the person, firm, partnership,
    association, corporation, or limited liability company, which is
    printed at the time of the purchase, exchange, refund, or return, and
    is signed by the cardholder.
    (3) Any receipt retained by the person, firm, partnership,
    association, corporation, or limited liability company, which is
    printed at the time of the purchase, exchange, refund, or return, but
    is not signed by the cardholder, because the cardholder used a
    personal identification number to complete the transaction.
    (b) This section shall apply only to receipts that include a
    credit or debit card account number that are electronically printed
    and shall not apply to transactions in which the sole means of
    recording the person’s credit or debit card account number is by
    handwriting or by an imprint or copy of the credit or debit card.
    (c) This section shall not apply to documents, other than the
    receipts described in paragraphs (1) to (3), inclusive, of
    subdivision (a), used for internal administrative purposes.
    (d) Paragraphs (2) and (3) of subdivision (a) shall become
    operative on January 1, 2009.

  17. elisa says:

    oh and this is the Office of Privacy Protection’s site, there’s tons of useful info if you’re interested:

    @Kyoko – I used to live in Rowland Heights, I know the restaurant you’re talking about. That said I think 15% should be standard unless the service is truly terrible…
