Food for Theft

Posted June 29, 2015

Restaurants and Hotels Find Apps for Mobile Payments, Loyalty Programs and Gift Cards Creating New Openings for Cybercrime

The hospitality industry is known for…well…being hospitable, making the customer experience at a restaurant or hotel fun, easy, enjoyable and reasonable. However, making things as welcoming as possible for patrons can also make them very welcoming to cybercriminals.

In her article on, Tammy Mastroberte interviews experts about areas that could pose threats to the hospitality industry and gets their feedback on possible precautions that should be taken to avoid fraud.

Mobile payment like Apple Pay

“Apple Pay is formidable, but it still sits on a loose foundation,” Richard Crone, chief executive of payments advisory firm Crone Consulting told the Wall Street Journal when news broke [that cybercriminals had entered stolen credit card data into their iPhones to get around Apple Pay’s security features.]

“We just started using Apple Pay, and are going to be opening up next month for other mobile payments,” said Brett Doherty, COO of Killer Shrimp with four locations in California, and principal at SBD Consulting LLC, dba The Hospitality Collective with 15 other hotels and restaurants. “The question is what will be the cause and effect on credit partners and how the POS will adapt.”


Just as with a traditional transactions, merchants can be hit by would-be thieves using stolen information. For example, someone could chargeback a bill asserting they were never at the restaurant and file a claim with the credit card company, Doherty explains.

“If a restaurant doesn’t have the card swipe showing it was physically in their presence, they could be charged,” he notes. “We get around 3,000 to 4,000 chargebacks each year, and we are waiting to see how the rules are going to change from the view of credit card companies, and how they will hold restaurants responsible for not having the physical credit card in their hand.” Doherty has queries into credit card processors regarding how they will handle these issues, to help restaurant operators put proper procedures in place.

Wait and see

Other operators are still waiting to see what shakes out with mobile payment, both on the consumer demand side and the security side. At Mellow Mushroom based in Atlanta, Ga. and operating 180 locations in 20 states, they are taking the wait-and-see approach, and have not had many customers asking for mobile payment yet.

Let somebody else go first

“A lot of people are intellectually curious about it, but nobody wants to jump in the water,” says Annica Kreider, vice president of brand development at Mellow Mushroom. “We have not had a groundswell of demand for it, but we like to be innovative, so it’s on the radar for us. It’s also the next biggest loss prevention concern, which is why we have not seen widespread adoption yet. Nobody wants to be the new guy, and then have a data breach.”

Mobile loyalty: monitoring rewards to prevent loss

Many industries, including hospitality and retail, are taking their loyalty programs into the mobile arena, but again, this opens up new avenues for customer fraud. The key is to make sure technology is in place to limit fraud at both the mobile app and the POS.

“Those are things you have to put a lot of thought into on the front end,” says Kreider, who launched a mobile loyalty app pilot six months ago using the NCR loyalty platform, Karmma, which is now running in 20 stores with plans for a full company rollout. “Rewards can be redeemed in real-time, and it does an automatic check reduction, but with this you have to build in a lot of loss prevention up front.”

Using a coupon more than once? Unthinkable…however some did think of it

The point of sale is increasingly being tasked to perform a multitude of functions and one of those is detecting instances when a customer might try to use a mobile coupon more than once or redeem a loyalty reward they already used. Preventing profit loss through rewards fraud requires that POS systems are integrated with mobile apps and loyalty programs.

Planning for your reward

The planning for Karmma at the Mellow Mushroom included making sure a reward can only be redeemed one time in the system, and the guest or app holder can only scan two receipts per day to add to their loyalty points. This ensures a customer won’t give the app to friends to scan and add to their total, Kreider reveals. The app connects with the POS, and a consumer can redeem a reward from their phone. When they order the item and the check comes, they can scan the receipt and it will tell them what the new order total is with the reward applied. It also flags the POS system to let the server know a reward was redeemed.

We “double-deem” you

“Once they do the redemption, we have it set up that they can’t double redeem, and it’s all done through the cloud in real-time,” explains Kreider. Another safeguard built into the system addresses large catering orders with a high dollar amount. Rather than giving access to all the reward thresholds the amount might cover, it goes in as only one transaction, and the customer will only get the next reward threshold available.

Point of sale. Go configure

Both internal and external fraud can be monitored and deterred by proactive planning and systems set-up. “Aside from hiring the right people, which is really number one for internal theft, the POS being configured properly is the most important,” says Chris DeSaye, director of IT for Hillstone Restaurant Group in Beverly Hills, and operating 52 restaurants. “Things like making sure you check the box that says you won’t allow employees to do transfers are important. It’s up to the restaurant owner to figure out how to configure the system up front and what controls they want in place.”

Deterring inventory loss, employee theft

Hillstone has also implemented a surveillance system from DTT to combat employee theft, but DeSaye says it’s used more as a deterrent than for catching someone. It can also work in conjunction with inventory systems to prevent or discover loss of inventory.

For its POS, Killer Shrimp relies on Digital Dining to aid in loss prevention. “Firewalls and other safeguards deter fraud and theft, but our POS system includes better audit functions for reconciliation opportunities,” says Doherty.



close btn