Mobile Payments & Loyalty Create New Avenues for Fraud
When it comes to loss prevention in restaurants, threats come from many areas: operators worry about the physical safety of employees and guests, stolen or spoiled inventory, and both internal and external theft. Now, with the introduction of new technologies, a fresh landscape of threats is developing that can lead to profit loss if operators are not vigilant.
“The [restaurant] industry doesn’t see as much shrink as the retail side, but with mobile payments, loyalty programs or gift cards using apps, restaurants need to be more protective of fraud,” says Jim Forlenza, executive director of the Restaurant Loss Prevention and Security Association (www.rlpsa.com). HT takes a look at three areas that can pose potential fraud risks for operators and offers precautions.
1. Mobile payment
With the onset of mobile payment technologies such as Google Wallet and Apple Pay, operators must be informed when it comes to exposure and loss. Confidence in mobile wallet security was shaken in March when a wave of fraudulent Apple Pay transactions hit Apple Stores. The Apple Pay system wasn’t hacked; rather, fraudsters entered stolen credit card data into the phone. The fraudulent accounts were created in part with data stolen from Home Depot and Target, and the episode is being labeled a decidedly low-tech breach.
“Apple Pay is formidable, but it still sits on a loose foundation,” Richard Crone, chief executive of payments advisory firm Crone Consulting (www.croneconsulting.com) told the Wall Street Journal when news broke about the breach.
“We just started using Apple Pay, and are going to be opening up next month for other mobile payments,” said Brett Doherty, COO of Killer Shrimp (www.killershrimp.com), with four locations in California, and principal at SBD Consulting LLC, dba The Hospitality Collective (www.thehospitalitycollective.com), with 15 other hotels and restaurants. “The question is what will be the cause and effect on credit partners and how the POS will adapt.”
Just as with a traditional transaction, merchants can be hit by would-be thieves using stolen information. For example, someone could charge back a bill, asserting they were never at the restaurant, and file a claim with the credit card company, Doherty explains.
“If a restaurant doesn’t have the card swipe showing it was physically in their presence, they could be charged,” he notes. “We get around 3,000 to 4,000 chargebacks each year, and we are waiting to see how the rules are going to change from the view of credit card companies, and how they will hold restaurants responsible for not having the physical credit card in their hand.” Doherty has queries into credit card processors regarding how they will handle these issues, to help restaurant operators put proper procedures in place.
Other operators are still waiting to see what shakes out with mobile payment, both on the consumer demand side and the security side. At Mellow Mushroom (www.mellowmushroom.com), based in Atlanta, Ga. and operating 180 locations in 20 states, they are taking the wait-and-see approach, and have not had many customers asking for mobile payment yet.
“A lot of people are intellectually curious about it, but nobody wants to jump in the water,” says Annica Kreider, vice president of brand development at Mellow Mushroom. “We have not had a groundswell of demand for it, but we like to be innovative, so it’s on the radar for us. It’s also the next biggest loss prevention concern, which is why we have not seen widespread adoption yet. Nobody wants to be the new guy, and then have a data breach.”
2. Mobile loyalty: Monitoring rewards to prevent loss
Many industries, including hospitality and retail, are taking their loyalty programs into the mobile arena, but again, this opens up new avenues for customer fraud. The key is to make sure technology is in place to limit fraud at both the mobile app and the POS.
“Those are things you have to put a lot of thought into on the front end,” says Kreider, who launched a mobile loyalty app pilot six months ago using the NCR (www.ncr.com) loyalty platform, Karmma, which is now running in 20 stores with plans for a full company rollout. “Rewards can be redeemed in real-time, and it does an automatic check reduction, but with this you have to build in a lot of loss prevention up front.”
The point of sale is increasingly being tasked with a multitude of functions, and one of those is detecting when a customer tries to use a mobile coupon more than once or redeem a loyalty reward they have already used. Preventing profit loss through rewards fraud requires that POS systems be integrated with mobile apps and loyalty programs.
The planning for Karmma at Mellow Mushroom included making sure a reward can only be redeemed one time in the system, and the guest or app holder can only scan two receipts per day to add to their loyalty points. This ensures a customer won’t give the app to friends to scan and add to their total, Kreider reveals. The app connects with the POS, and a consumer can redeem a reward from their phone. When they order the item and the check comes, they can scan the receipt and it will tell them what the new order total is with the reward applied. It also flags the POS system to let the server know a reward was redeemed.
“Once they do the redemption, we have it set up that they can’t double redeem, and it’s all done through the cloud in real-time,” explains Kreider. Another safeguard built into the system addresses large catering orders with a high dollar amount. Rather than giving access to all the reward thresholds the amount might cover, it goes in as only one transaction, and the customer will only get the next reward threshold available.
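The three loyalty controls described above (two receipt scans per day, one threshold per transaction, and single-use redemption) can be sketched as server-side checks. This is an added example, not code from NCR, Karmma or Mellow Mushroom; the class, threshold values, account names and dates are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

MAX_SCANS_PER_DAY = 2          # limit stated in the article
THRESHOLDS = [100, 250, 500]   # constructed reward thresholds (assumption)


class LoyaltyLedger:
    """Hypothetical cloud-side ledger enforcing the three controls described."""

    def __init__(self):
        self.points = defaultdict(int)   # account -> point balance
        self.scans = defaultdict(int)    # (account, day) -> receipts scanned
        self.redeemed = set()            # reward ids that were already used

    def scan_receipt(self, account, points, day):
        # Control 1: at most two receipt scans per account per day.
        if self.scans[(account, day)] >= MAX_SCANS_PER_DAY:
            return "rejected: daily scan limit"
        self.scans[(account, day)] += 1
        # Control 2: one transaction unlocks only the next threshold,
        # however large the check (modelled here as a balance cap).
        balance = self.points[account]
        nxt = next((t for t in THRESHOLDS if t > balance), None)
        total = balance + points
        self.points[account] = total if nxt is None else min(total, nxt)
        return "credited"

    def redeem(self, reward_id):
        # Control 3: a reward id is accepted once; a repeat is refused
        # before any check reduction reaches the POS.
        if reward_id in self.redeemed:
            return "rejected: already redeemed"
        self.redeemed.add(reward_id)
        return "redeemed: flag POS"


def demo():
    ledger, day1, day2 = LoyaltyLedger(), date(2015, 6, 1), date(2015, 6, 2)
    results = [ledger.scan_receipt("guest-1", p, day1) for p in (40, 30, 20)]
    results.append(ledger.scan_receipt("guest-1", 900, day2))  # catering-size check
    results += [ledger.redeem("reward-A"), ledger.redeem("reward-A")]
    return results, ledger.points["guest-1"]


if __name__ == "__main__":
    print(demo())
```

Keeping these checks on the server rather than in the app means a shared or tampered phone cannot bypass them.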
3. The POS connection
Finally, don’t forget the role that the POS plays in loss prevention. Both internal and external fraud can be monitored and deterred by proactive planning and systems set-up. “Aside from hiring the right people, which is really number one for internal theft, the POS being configured properly is the most important,” says Chris DeSaye, director of IT for Hillstone Restaurant Group (www.hillstone.com) in Beverly Hills, and operating 52 restaurants. “Things like making sure you check the box that says you won’t allow employees to do transfers are important. It’s up to the restaurant owner to figure out how to configure the system up front and what controls they want in place.”
Hillstone has also implemented a surveillance system from DTT (www.dttusa.com) to combat employee theft, but DeSaye says it’s used more as a deterrent than for catching someone. It can also work in conjunction with inventory systems to prevent or discover loss of inventory.
For its POS, Killer Shrimp relies on Digital Dining (www.digitaldining.com) to aid in loss prevention. “Firewalls and other safeguards deter fraud and theft, but our POS system includes better audit functions for reconciliation opportunities,” says Doherty.
Attacks against POS equipment will become harder to execute as mobile payment and chip-based cards become more common. As the Apple Pay fraud demonstrates, thieves will target areas of greater vulnerability, and where those areas lie in a shifting technology landscape remains to be seen.