Now on the menu at Ruby Tuesday: Better security

The restaurant chain is changing how it handles credit, debit cards

Restaurant chain Ruby Tuesday is adding more beef to its credit card security measures.

Concerned by growing incidents of credit card fraud, the company is in the process of rolling out new point-of-sale (POS) hardware and software at each of the more than 900 Ruby Tuesday restaurants in the U.S. The company is also eliminating its previous practice of storing customer transaction data in its POS systems and has cut out the third-party processor that used to handle payment card transactions. Instead, it is now directly linked to its merchant bank.

The wide-ranging moves are aimed at better protecting customers using credit and debit cards, said Nick Ibrahim, senior vice president and chief technology officer at Ruby Tuesday. They will also bring the company fully into compliance with the Payment Card Industry (PCI) Data Security Standard mandated by Visa International, MasterCard Worldwide and other credit card companies.

"This, in reality, is not helping us create more sales," Ibrahim said. "This is purely about the privacy and security of our customers."

Under PCI, Ruby Tuesday, like every other entity that handles payment cards, is required to implement a series of measures, including encryption, stronger access controls, and transaction logging and auditing to secure credit and debit card transactions. PCI forbids companies to store transaction data on POS systems and requires them to ensure that any third party handling payment card data on their behalf has the required controls in place.

According to Ibrahim, Ruby Tuesday's new POS systems support a much stronger form of data encryption than what was available previously. With it, Ruby Tuesday will also soon be able to accept and conduct credit card transactions at restaurant tables in the presence of customers, he said.

The decision to eliminate customer data entirely from its POS systems is likely to affect the restaurant chain's ability to handle credit card chargebacks and other problem transactions, Ibrahim said. But it offers better security and is more efficient than the company's earlier systems, in which Ruby Tuesday used to store up to 10 days' worth of encrypted customer data.

Getting rid of the transaction processor means that Ruby Tuesday will have to spend less time on PCI audits, Ibrahim said. If the company had not done so, it would have been responsible for ensuring that the processor was compliant with PCI requirements, which would have added to the compliance burden, Ibrahim said. "I just realized we'd be doing someone else's work for them," he said.

Copyright © 2007 IDG Communications, Inc.
