Go Kiosk by the Kiosk Industry Group

Looking at VistA EHR and VA

2010-07-04T15:38:46Z

Timely brief on VistA which is the EHR software available from the Department of Veteran Affairs. With the recent activity by the VA for it is good background.

Stephen Bowerman knows a bargain. He's chief financial officer at 320-bed Midland (Texas) Memorial Hospital, among the first users of OpenVista, one of several versions of the "free" VistA electronic health record software available from the Department of Veterans' Affairs. (OpenVista is developed and supported by Medsphere, Carlsbad, Calif.)

The system had been in place for two years when he arrived at the county-owned hospital in 2009, and Midland had just been validated as Stage 6 in the HIMSS Analytics EMR adoption model. The presence of advanced information technology helped induce Bowerman to take the job despite Midland's $14 million loss in 2008. Switching to a new accounting information system and tightening procedures such as co-pay collection and insurance verification helped Midland move to a $1.5 million surplus in 2009.

Bowerman describes himself as a "dangerous" CFO for the I.T. department, because he started his health care career on the I.T. side, implementing a cost accounting system for a government hospital. "At least I can ask intelligent questions," he says.

On costs

OpenVista is not free. The code is free, but how you implement it is not. If you had the resources and the right team you could implement it yourself, but we didn't feel like we had the resources. Medsphere helped tailor some of that free source code to our needs. We paid them to come out and help us implement the system and it wasn't cheap, but it was probably 30 percent to 40 percent of the cost of going with Epic or McKesson. It was early on and I'm sure Medsphere today could offer even more than they offered us. We were a beta site for some of their development and they've learned from us and can do it better. Our maintenance ticket is cheaper than it would be with one of the other guys.

Rest of article and source

Subway may be the first fast-food chain to utilize 2D barcode technology.

2010-06-07T16:30:05Z

Its newest marketing scheme allows customers to use their mobile phones to collect redeemable loyalty points off of Subway products.

Subway's marketing scheme will rely on Java-based software provided by Transactor Technologies Ltd., a specialist software development company. Transactor Technologies Ltd. offers comprehensive end-to-end solutions for its clients by providing functions such as customer and transaction management systems.

According to Transactor Technologies Ltd., the heart of its software suite is "Thor Transactor, which provides an open-platform processing engine that seamlessly interacts with traditional transaction capture and processing systems. This provides a bridge between older (legacy) installed systems and evolving or emerging transaction technologies."

Thor Transactor incorporates a powerful and flexible points management engine that enables very specific rules to be set for issuing and redemption of rewards. Transactor Technologies Ltd. offers a product relevant to this capability, called Loyalty+Plus. Loyalty+Plus is an application that allows the implementation of many types of functions, such as allowing cardholders to issue and redeem loyalty points. The software also tracks cardholder purchases.

Subway intends to follow-up on this campaign by releasing a more dynamiciPhone (News - Alert) application at a later date. It is a wise decision for the company, as iPhones now comprise over 14 percent of the smartphone market. This makes Apple (News - Alert) the third largest smartphone manufacturer in the United States. By developing a variation of this marketing technique specifically for Apple phones, Subway stands to reach a broader audience.

More and more companies are embracing mobile-scannable barcode technology, as barcodes can be placed on posters, product labels, or other media - allowing passersby to scan them with their phone to get to companies' websites. This can be especially useful when trying to participate in promotions, giveaways, or sweepstakes.

Heineken, the beer manufacturer, recently employed similar barcode technology in an ad campaign. Other companies, like the Pittsburgh Post-Gazette, Papa John's International Inc., are also hopping on the bandwagon, as mobile-scannable barcodes are proving adept at reaching consumers directly.

And there are benefits to this barcode technology for industries other than marketing. In the medical field, barcode technology is proving to reduce prescription and medication administration errors, making patient care safer. As pertains to education, Tele.ring, a VMNO with T-Mobile Austria (News - Alert), tapped into NeoMedia's 2D mobile barcode capabilities in order to introduce students to the concept of mobile barcode reading. Students had theopportunity to download the NeoReader for free and scan the QR codes that appeared on the posters, where they could access free mobile content such as ring tones and wallpapers.

Source Article

Erin Monda is a TMCnet Contributing Editor. To read more of her articles, please visit her columnist page.

Edited by Michael Dinan

Payment processing trends: What every operator should know

2010-06-04T18:01:02Z

While there are many trends in the credit and debit card industry, security is the trend that most restaurants should put at the top of their list. Security goes beyond locking the front door at closing time. Restaurant operators also must secure the sensitive information their customers provide when paying for their services.

Identity theft and credit card fraud are chief concerns for consumers and the credit card industry, and should have great significance to the restaurant operator. Card and identity thieves are becoming increasingly more capable.

In 2009, there was a considerable increase in businesses affected by security breaches in the hospitality and restaurant industry. In response to the growing threat, major credit card brands like Visa and MasterCard have continued to increase the scope and rigor of consumer protection standards.

The PCI DSS (Payment Card Industry Data Security Standard) has been implemented in phases, with various deadlines, to control the way card data is transmitted and stored. Credit card processors have a looming deadline of July 1, 2010, to ensure their customers operate in a PCI compliant manner.

The PCI DSS standard covers many aspects of storing and handling credit card data. The PCI PED (PIN Entry Devices) component is focused on the hardware used at the point of sale (POS) for capturing the 4-digit PIN number on a consumer's debit card. Restaurant owners must ensure that debit card accepting devices are PCI PED compliant, or they risk fines and fees from their processors and the card brands.

While the July 1 deadline is directed at the member organizations (banks), processors enabling the acceptance of these transactions are expected to ensure their customers comply with these standards. Many processors are mandating that their customers undergo a PCI audit to ensure compliance and are assessing fees for those customers that do not comply.

The goal of these fees is to encourage customer compliance, which will help reduce the risk to both the merchant and the processor. A PCI audit varies in cost, based on the price negotiated by the customer or processor, but is intended to identify security concerns, including devices, software, and processes, that may expose the merchant to the risk of data theft.

Rest of the story on Fast Casual

PepsiCo in Recycling Push

2010-04-22T17:01:50Z

Worried that most of its bottles and cans are going into the trash instead of the recycling bin, PepsiCo Inc. plans to place thousands of new recycling kiosks this year at concert venues, in grocery stores and along city sidewalks.

The Purchase, N.Y., beverage giant and partner Waste Management Inc. are in search of the green movement's elusive prey, the so-called unreachable bottle tossed away by people on the go.

The average recycling rate for nonalcoholic U.S. beverage containers is 34%, and only 25% for plastic bottles made of polyethylene terephthalate, better known as PET. Advocates say the most difficult bottle to recycle is the drink consumed on the go, as it's cumbersome to carry sticky bottles home to a bin.

PepsiCo and Waste Management want to recycle at least 400 million containers annually by putting as many as 3,000 kiosks in busy places this year, and offering incentives. "We have to get people to put up with a little inconvenience and say, 'I'll hang on to it a little bit and get a little bit of a reward," said Tim Carey, PepsiCo's sustainability director.

"There's got to be something in it for people, both through material rewards and emotional rewards," said Jeremy Cage, PepsiCo's "Dream Machine" project director.

In addition to unreachable bottles, the makers of the new machine also hope to attract what they see as unreachable consumers, who eschew recycling as a waste of time.

The Dream Machine is an attempt to be all things to all people. "Dark green" environmentalists can carry key fobs that track and reward their personal recycling efforts, and link them to a social network with regular news feeds. People who recycle at home but not on the go would get an incentive such as a chance to win a baseball cap. Those cool to environmental causes might be interested in the sponsors' promise of a per-bottle donation to the Entrepreneurship Bootcamp for Veterans, a business training program for disabled veterans.

Read rest of article at WSJ

Embracing the Self-Service Economy

2010-04-20T18:27:25Z

The past decade has witnessed a rapid growth in self service that allows consumers to take on the traditional role of a service worker in the provision of a service. Self service has long existed--think of placing a call by dialing a telephone instead of using a telephone operator or pressing a button in an elevator instead of using an elevator operator--but its importance has grown as advances in information technology (IT) have created many opportunities to leverage self-service technology for large gains in efficiency and convenience. Using computer kiosks, airline travelers check in to their flights; on the Internet, consumers purchase products without ever speaking to a sales agent; and, using a mobile phone, customers check their bank balances and transfer funds. Self-service technology continues to become more efficient and more convenient, and, as a result, increasingly organizations, including businesses, non-profits and governments, are using self-service technology to operate more productively and to better serve their customers.

Self-service technology has already transformed entire industries, from ATMs in banking to e-commerce in the travel industry, resulting in significant savings for businesses which are passed on to consumers in the form of lower prices and better service. However, even though self-service technology has generated a wide range of benefits and savings for consumers, businesses, and government, it is only the beginning. Over at least the next decade, self-service technology has the potential to be a major force for growth in productivity and improvements in quality of life. We estimate that if self-service technology were more widely deployed, the U.S. economy would be approximately $130 billion larger annually, the equivalent of an additional $1,100 in annual income for every household.

These savings could not be coming at a more crucial time. Most national economies will need the power of self-service technologies if they are to avoid serious economic problems stemming from significant growth in the number of retirees, a situation that will be particularly acute in Europe, Japan, and the United States. In the United States, for example, the number of retirees for every 1,000 working age adults is projected to grow from 213 today to 346 by 2030. For Social Security recipients in 2030 to not see a decline in their inflation-adjusted payments without workers seeing a decline in their after-tax incomes, economic productivity will have to increase by 62 percent. Unfortunately, the Social Security Administration estimates productivity will grow just 40 percent. As a result, in 2030, either worker incomes after Social Security taxes are deducted will be significantly lower, or Social Security benefits will be lower, or both. Self-service technologies promise to be a major source of needed productivity growth, enabling the United States, Japan, Europe, and other nations facing demographic challenges to realize such growth without reductions in wages or benefits.

But these benefits will not automatically occur unless the right policies are in place and the wrong ones are avoided. First, governments should avoid putting in place restrictions on self-service business models and processes. This means that policymakers must resist the efforts of special interest groups that press for restrictions in technology to protect their economic or social interests at the expense of the average citizen. Second, where appropriate, governments should proactively promote self-service delivery of government services. For example, governments should pass along to citizens the savings from using lower-cost self-service options. Governments should also help create a climate conducive to expansion of self-service technologies. This means that government should support the development and deployment of technologies that enable self-service, like broadband, electronic IDs, and mobile payment systems. In the United States in particular, Congress should increase the minimum wage thereby providing firms with more incentive to invest in self-service technology, while at the same time helping to boost the incomes of low income Americans. In addition, Congress should establish an academic Center of Excellence to develop best practices for accessible design for self-service technology. Finally, we recommend that policymakers establish stronger safety nets for workers adversely affected by technological change so that the workforce can more easily adapt to a rapidly changing economy.

Self-service technology offers a broad set of benefits to consumers and businesses and has the potential to contribute even more to our national prosperity and quality of life. While self-service technology is widespread, it is still relatively new and will only continue to improve in quality over time. However, policymakers must avoid enacting policies to restrict self-service while at the same time putting in place appropriate policies to stimulate the self-service economy to realize these benefits.

Source Link

PDF Download

Integrating Self-Service Kiosks in a Customer-service System

2010-04-14T22:19:14Z

Most hospitality companies have been implementing service channels with a goal of reducing costs, increasing customer satisfaction and loyalty, and reaching new customer segments. No matter how successful the self-service channel, companies rarely eliminate traditional personal service when they introduce a self-service channel. Instead, companies typically maintain a portfolio of service-delivery channels which allows guests to select the way they interact with the companies. Consequently, managers should consider the interaction among the channels within the portfolio, with particular attention to how they complement each other. Using a research technique called structural equation modeling, the study described here examined the financial and guest-satisfaction results of integrating a self-service kiosk in two brands operated by an international hotel company. Based on data from the company, this study indicates that when certain routine tasks (e.g., checking in and issuing room keys) were handled in kiosks, hotels did see increases in average daily rate. However, when something went wrong with the self-service check-in, the hotels in question saw a reduction in guests' willingness to return. Oddly, the addition of the check-in kiosks did not increase guests' perceptions of service speed at check-in. One possible explanation is that guests used the check-in time to consult with services representatives regarding the destination or other topics, and front-desk associates took the opportunity to make upselling and cross-selling offers.

Vol 10 No 6
By: Tsz-Wai Lui Ph.D. and Gabriele Piccoli Ph.D.

Source link

cornell-hotel-2010.pdf

Integrating Self-Service Kiosks in a Customer-service System

2010-04-14T22:19:14Z

Executive Summary:

Most hospitality companies have been implementing self-service channels with a goal of reducing costs, increasing customer satisfaction and loyalty, and reaching new customer segments. No matter how successful the self-service channel, companies rarely eliminate traditional personal service when they introduce a self-service channel. Instead, companies typically maintain a portfolio of service-delivery channels which allows guests to select the way they interact with the companies. Consequently, managers should consider the interaction among the channels within the portfolio, with particular attention to how they complement each other. Using a research technique called structural equation modeling, the study described here examined the financial and guest-satisfaction results of integrating a self-service kiosk in two brands operated by an international hotel company. Based on data from the company, this study indicates that when certain routine tasks (e.g., checking in and issuing room keys) were handled in kiosks, hotels did see increases in average daily rate. However, when something went wrong with the self-service check-in, the hotels in question saw a reduction in guests' willingness to return. Oddly, the addition of the check-in kiosks did not increase guests' perceptions of service speed at check-in. One possible explanation is that guests used the check-in time to consult with services representatives regarding the destination or other topics, and front-desk associates took the opportunity to make upselling and cross-selling offers.

Vol 10 No 6
By: Tsz-Wai Lui Ph.D. and Gabriele Piccoli Ph.D.

Source link

cornell-hotel-2010.pdf

Integrating Self-Service Kiosks in a Customer-service System

2010-04-14T22:19:14Z

Vol 10 No 6
By: Tsz-Wai Lui Ph.D. and Gabriele Piccoli Ph.D.

Executive Summary:

Source link

cornell-hotel-2010.pdf

Wireless - Dawn of a brave new world for 4G

2010-04-09T20:34:25Z

Natasha Royer Coons managing director, TeraNova
• 09 Apr 2010

Over the past five years, the evolution of wireless networks to 3G data speeds, alongside increasingly sophisticated yet cost-effective cellular routers and antennas, has allowed many kiosk and digital signage deployers to have either successfully deployed stable networks using cellular technologies or at least seriously consider it as a viable alternative to landline options.

Now that 4G is available via Sprint and Clearwire, what does that mean for kiosk and digital signage deployers interested in deploying a cellular network?

4G is especially compelling for those deployers with bandwidth-intense applications, such as content streaming or video. Consider that with more bandwidth, applications such as a live video call from the kiosk to a customer service agent to enhance the user experience are very possible and can be delivered with great quality.

First, though, let me offer a word of caution: I believe we are experiencing the dawn of a new world for cellular networks, meaning this is just the beginning. For self-service it's promising, it's real and it will allow for the support of applications that we could only dream of before. But in order to adopt 4G completely for the purposes of an un-manned, machine-to-machine, mission critical network, many factors need to be considered and vetted out before rolling full force ahead.

Now, let's first take a look at the technology itself and what is available today in the United States.

What is 4G?

4G refers to the fourth generation of cellular wireless standards and is the successor to 3G and 2G standards. In the same manner that data-transmission speeds increased from 2G to 3G and allowed for the adoption of new applications utilizing cellular networks, the leap from 3G to 4G again promises higher data rates and lower latencies that could realistically support applications such as real-time streaming of multimedia voice, data and video.

The 4G spectrum services available through Clearwire and Sprint are based on a technology known as WiMAX (Worldwide Interoperability for Microwave Access). WiMAX is an international standard developed expressly for sending high-speed data signals to mobile users that blends the speeds of Wi-Fi with the portability of cellular. It broadcasts on the 2.5-GHz portion of the radio frequency spectrum and has a longer range. In the real world (not the lab), speed depends on variables such as how many subscribers are using the network at the same time, how far you are from a transmitting tower and how congested is the Internet. However, a realistic expectation can be up to 3 Megs or 5 Megs per second download, which to a user will feel more like a high-speed DSL or cable type of experience.

What markets are available to deployers today?
Read rest of the article at Kioskmarketplace.com

Everybody Wants it for Free Syndrome

2010-04-08T20:29:16Z

From SSKA Blog -- Twice a year there is a nice study on "Top Ten Mistakes of Kiosk Deployment" and usually one of the top ones is the principle that the number of problems you end up having are usually inversely related to the money you spend. You buy cheap, you get cheap as a rule.

The usual threat there is "well, we can buy it from China for this much...". You can buy something from China but it won't be the same, and it'll take 12 weeks and won't accept modifications. Probably you can forget about the Buy American ARRA incentives working here (I hope). Buying kiosks made in America narrows your choices to one hand.

Worst than all that is prospects/customers that are not trying the tactic of asking kiosk companies to fund the project and pay all the upfront costs. It's called investing in the project (not unlike people with brainstorm ideas looking for "strategic partners").

They''ll let us write the software for free, let us build the kiosks for free, do the site surveys and installations and get it all in (on our dime) and then they'll decide if they want to move forward, and if so, whether or not they move forward with us (ie a company).

The good companies are too busy, too smart to participate in something like that. I've seen it over and over where the expectation is the best possible product and the budget is zero. And always the same result. Sometimes due to lack of response the RFP gets re-issued, most of the time they were just taking a shot (and not a very good one).

Am I missing something here?

(...and insiders would say the part missing is the other half of deal which is we want it right now too...)

Ariane Systems group to develop mobile self-service platform for the hospitality industry

2010-03-23T14:03:02Z

PARIS, France, 19^th March 2010 - Ariane Systems VIKI project selected in Aug-2009 and partially financed by the ERDF (European Regional Development Fund) got started.

By removing all hardware associated with the check-in and check-out processes, VIKI will revolutionize the hospitality industry by enabling customers to check-in/check-out where and when they want using their desktop, their laptop, their smartphone and even their cell phone.

« Often a source of frustration for business guests, the check-in/check-out procedures have not changed in 15 years. Guests still need to go to the front desk, stand in line and wait for their turn" explains Laurent Cardot, Managing Director and co-founder of Ariane Systems.

« For 10 years, Ariane Systems has been deploying self-service check-in/check-out kiosks in the lobby areas. VIKI anticipates the needs of our clients who are at the cutting edge of technology and want to offer to their guests, for example, the ability to check-in online from their computer before arriving at their hotel, or perform their check-out from their cell phone, comfortably sitting in the taxi that is already driving them to the airport" continues Laurent Cardot.

The features that this software platform will be able to offer are countless as it will integrate online mobile payment solutions and will enable the user to modify their bill, address or even client profile.

For VIKI, Ariane Systems partnered with LIP6 (a research center specialized in the realm of telecommunications and information technology), Lemon Way (a company specializing in mobile applications and leader in mobile banking technologies), as well as Hotel Performance (a major hospitality group) that will contribute their hotel know-how.

« With our mobile platforms, the security layers brought by LIP6 and the unique feature application of Ariane Systems, we will offer early 2011 a solution which will be able to adapt to most of today's existing hotel technical environments" confirms Sebastien Burlet, founder of Lemon Way.

Frequent travelers' dream to go directly to their hotel room after receiving a SMS that features their room number and software room key card is not so far...

About Ariane Systems

Ariane Systems is the worldwide leading provider of self-check-in / check-out technology solutions for the hospitality industry. Founded in 1998 by Michel Lavandier and Laurent Cardot, Ariane has deployed over 1,500 kiosks installed at hotel properties in 15 countries. Currently, numerous hotel chains utilize Ariane's self-service solutions to streamline their check-in / out process, including Pullman, Radisson, Golden Tulip, Holiday Inn, Campanile, B&B, Ibis and Novotel, among others.

Based in Paris-France, Ariane Systems operates subsidiaries in the UK, Germany, Spain, Scandinavia, Middle-East and now North America.

For more information, please visit www.ariane-systems.com.

Flaws in chip and pin bank card security identified

2010-02-12T20:01:31Z

Scientists have identified security flaws in chip and pin technology that they say are so serious as to require a rethink of the whole system.

The Cambridge University researchers discovered a loophole that could be used to make bank card payments without knowing the correct pin.

Link for Video

Self-service trends in 2010

2010-01-06T17:57:11Z

Craig Keefner
• 05 Jan 2010

By the end of 2009, there were almost 30,000 DVD-vending kiosks deployed, with more on the way. This application likely has surpassed the photo kiosk as the second-most visible symbol of self-service working, next to grocery self-checkout. Anticipating the next such "big thing" keeps all of us in the kiosk industry busy following the tweets and news in the hope of catching the next wave.

Here is a roundup of 2010's potential suspects, from my point of view, divided into three market groups -- maturing, growth and new drivers.

Maturing market

Vending and reverse vending -- These are apps where customers put money in to get a product, with the DVD kiosk being a prime example. Reverse vending is where products/goods are deposited into a machine and money/credit is given to the customer. The ecoATM self-service e-cycling kiosks would be an example of this, and the TITO ticket and token redemption machines in Las Vegas are good examples as well.

Complete Article

Radiant Being Sued by Restaurants for violating PCI Compliance

2009-12-03T14:58:37Z

Radiant being sued not over it's Aloha system which is PCI-validated but over the use of PC Anywhere.

Restaurants Sue Vendor for Unsecured Card Processor

By Kim Zetter
November 30, 2009 |
11:44 pm |
Categories: Breaches, The Courts

Seven restaurants have sued the maker of a bank card-processing system for failing to secure the product from a Romanian hacker who breached their systems.

The restaurants, located in Louisiana and Mississippi, filed a class-action suitagainst Georgia-based Radiant Systems for producing a point-of-sale (POS) system that they say was not compliant with payment card industry security standards and resulted in an undetermined number of customers having their debit and credit card numbers stolen.

The suit alleges that the system stored all the data embedded on the bank card magnetic stripe after the transaction was completed -- a violation of industry security standards that made it a high-risk target for hackers.

Also named in the suit is Computer World, a Louisiana-based retailer, which sold and maintained Radiant'sAloha POS system.

According to plaintiffs, Computer World's technicians allegedly installed the remote-access program PCAnywhere on the systems to allow its technicians to fix technical problems from off-site. The only problem is, the company failed to secure the program. The suit alleges that the system was not up to date with software patches, and the PCAnywhere remote log-in and password that technicians used to access the POS systems was the same at every one of the 200 Louisiana locations where the system was installed. According to one of the plaintiffs who spoke with Threat Level, the default login was "administrator" and the password was "computer."

As a result, a hacker, believed to be based in Romania, accessed the systems of at least 19 businesses through the PCAnywhere software, and possibly others plaintiffs say. Once inside, the hacker installed malware to grab card data as it was swiped and send it to an e-mail address in Romania. The hack follows a wave of similar attacks that targeted point-of-sale systems at other national retailers and restaurant chains between 2005 and early 2009, including Dave & Busters restaurants, Hannaford Brothers, TJX, Wal-Mart and others.

The suit was filed in March in the U.S. District Court in Louisiana, but the court ruled only last week that the seven plaintiffs could proceed as a group with their case, opening the way for additional plaintiffs to join the litigation.

"We want other restaurants nationally to be aware of the hidden dangers posed by these technology companies and the unfair penalties imposed by the credit card companies," said plaintiffs attorney Shiel Gallagher in a press release. "These huge companies shouldn't have the power to destroy these restaurants."

The plaintiffs include Crawfish Town USA, Don's Seafood & Steak House, Jone's Creek Cafe, Mel's Diner, Picante's Mexican Restaurant, Sammy's Grill and a Best Western. Two other restaurants have also sued Radiant Systems and Computer World separately.

The restaurants are seeking millions in damages to recover their costs from the breach. These include fines levied against them from Visa and other credit card companies for failing to be PCI-compliant, the cost of forensic audits to uncover the source of the breach, chargebacks to cover fraudulent charges made on customer accounts and reimbursements to card providers who had to issue new customer cards.

According to the plaintiffs' court filing (.pdf), Radiant and Computer World were allegedly warned by Visa in April 2007 that the Aloha system, along with POS systems made by five other vendors, were non-compliant because they stored card data. Visa also sent out a bulletin in November 2006 warning that one of the most frequent vectors for hackers to penetrate POS systems was through poorly configured or unpatched remote-access software (.pdf) and default passwords. Nonetheless, the restaurants say, Radiant and Computer World sold them a product that was neither PCI-compliant nor secured against a known attack.

PCI compliance involves 12 requirements that include: installing and maintaining a firewall, changing default vendor passwords, encryption of transaction data while it's being processed and updated security patches and anti-virus definitions, among other things. Businesses that accept bank card payments from customers are contractually required by the payment card industry to have PCI-compliant architectures and to use only products that are PCI-compliant.

Charles Hoff, general counsel for the Georgia Restaurant Association and one of the plaintiffs' attorneys, says these kinds of security disputes are becoming more common but rarely garner public attention because vendors tend to settle rather than risk exposure through a court case. He said this suit was filed only after Radiant refused to take responsibility for the breaches.

"Radiant ... took a very arrogant attitude about it," he told Threat Level. "I've had other POS vendors who felt they should be accountable, and the end result was that they knew they needed to do the right thing. Radiant I don't think thought we were serious. Radiant's website gives customers the greatest assurance that when it comes to their resellers, they monitor and make sure they're scrutinized and compliant. It really would give you all the confidence in the world if it was actually done."

Radiant has declined to comment on the details of the suit.

"What we can say is that Radiant takes data security very seriously and that our products are among the most secure in the industry," Paul Langenbahn, president of Radiant's hospitality division, told the Atlanta Journal Constitution. "We believe the allegations against Radiant are without merit, and we intend to vigorously defend ourselves."

Keith Bond, owner of Mel's Diner in Broussard, Louisiana, told Threat Level that he purchased his Aloha system for $20,000 and installed it around late November 2007. Computer World, he says, convinced him that the system needed to be connected to the internet for faster transaction processing, as opposed to the dial-up modem connection he had been using for processing.

In April 2008, just a few months after installing the system, one of his employees called to tell him that the mouse cursor on one of three Aloha terminals he'd bought seemed to be moving on its own and that employees were unable to take control of it.

After contacting Computer World technicians, the restaurant was told to disconnect its system from the internet. A service tech appeared the next day to replace the hard drive, but didn't disclose the nature of the problem or indicate that an intruder had breached the system. Bond learned only later that a keystroke logger had been installed on all three of his Aloha terminals, and that the intruder had been siphoning card numbers for about three weeks.

He discovered this only after Visa and Mastercard contacted him in May to tell him his system had been breached. Bond, whose 24-hour diner processes about 60 to 70 card transactions a day, says 669 card numbers were stolen during the three-week period the hacker was in his system.

"If they had accessed the server, they would have got thousands of card numbers," Bond said.

The credit card companies forced him to hire a forensic team to investigate the breach, which cost him $19,000. Visa then fined his business $5,000 after the forensic investigators found that the Radiant Aloha system was non-compliant. MasterCard levied a $100,000 fine against his restaurant, but opted to waive the fine, due to the circumstances.

Then the chargebacks started arriving. Bond says the thieves racked up $30,000 on 19 card accounts. He had to pay $20,000 and managed to get the remainder dropped. In total, the breach has cost him about $50,000, and he says his fellow plaintiffs have borne similar costs.

Bond said Radiant and Computer World were unresponsive.

"Radiant just basically hung us out to dry," he says. "It's quite obvious to me that they're at fault.... When you buy a system for $20,000, you feel like you're getting a state-of-the-art sytem. Then three to four months after I bought the system, I'm hacked into."

Image courtesy California State Controller's Office

Recommended Commentary Link

Lessons Learned From PCI Compliance

2009-11-26T15:45:20Z

Assessors reveal mistakes companies make with data security standard. -- To help companies get ready for a an evaluation, we asked QSAs to describe common problems they encounter when working with IT groups on PCI compliance. What follows are five best practices to help companies better prepare for an assessment and maintain compliance.

1. Know Where Data Lives
First off, you must know how credit card data flows through your system, where the data resides in the enterprise, and who has access to it. Assessors ask for this information at the outset of an assessment because it determines the scope of the project. They aren't there to review your entire security infrastructure, just the systems that collect, process, transport, and store credit card data. A surprising number of companies don't have a good grasp of this information. "It's common for a client to completely miss a particular data flow and have no idea that credit card data is being forked off to system X, Y, or Z," says a QSA at Neohapsis, who asked to remain anonymous.
Companies express an "extreme amount of frustration" over the amount of effort they have to put in to put the full picture together, says Ted Keniston, a QSA and managing consultant with the global compliances group at Trustwave. "We should be validating this information, not determining it."
Having a complete picture of credit card data isn't just a courtesy to your assessor; it also affects your ability to protect customer information, because you can't secure what you don't know about.
2. PCI Is A Moving Target
Let's say your assessor has just stamped you "compliant." You breathe a sigh of relief. The PCI assessment is annual, so you don't have to worry about it for another 12 months, right? Not so.
PCI compliance is only valid and only applies to the state of the network and systems at the time of the assessment. The moment you make changes to systems that fall under the

Rest of article and pdf of entire article

Source link

inside-pci-compliance_884972.pdf