Larry Williams, owner of the Pizza Garden in Lompoc, cuts a pizza for the restaurant’s buffet dinner Monday. The restaurant was a victim of a hacking scam that has since caused a loss of business.


It’s not just the time and effort he’s expended, the money lost and the hassle of it all that bothers business owner Larry Williams.

It’s that his standing in the community of Lompoc has been damaged.

Williams’ troubles started a few weeks ago when unauthorized charges began showing up on payment cards belonging to his customers at the Pizza Garden restaurant on North H Street. Williams said he knows it couldn’t be any of his employees making those charges. And he knows he didn’t do any.

Besides, the statements he saw looked like the unauthorized charges were in Russian characters.

Lompoc police came down and took away a hard drive from his electronic POS (point of sale) system to study.

“We’re still in the process of analyzing the hard drive. We don’t think it’s an internal issue, but we haven’t ruled that out yet,” Sgt. Lane Middleton said recently.

If things turn out the way Williams said he thinks they will, his business and employees will be exonerated and malicious software (malware) will be found in his electronic pizza-ordering system.

Middleton said the LPD hasn’t found any malware yet, but he said it’s a long, difficult process involving a computer expert.

If malware is found, it wouldn’t be the first time computer hackers have broken into such a system. Cases across the country have been reported.

One was at Mountain Mike’s Pizza in Martell, Calif., near Sacramento. The Amador County Sheriff’s Office said they received more than 70 complaints against Mountain Mike’s last summer for unauthorized payment card charges.

Investigation in that case revealed that hackers had gained access to the same kind of Internet-connected POS system that Pizza Garden uses and captured payment card data from it. They then used the data to create forged payment cards and used them to make purchases ranging from $40 to more than $1,000 in a variety of places worldwide, including England, Australia, France and Iceland.

Williams said he believes someone gained access to his online system and did the same thing.

As word has gotten around town that some of Pizza Garden’s customers have had their payment card information compromised, a number of them have stopped eating there, said Williams. It has caused a huge drop in business for the 54-year-old businessman.

“This is a big blow,” he said, projecting his loss at about $10,000.

But it’s his reputation that he really values.

“We have an impeccable relationship with the community. We’ve always run our business with a lot of integrity,” he said.

Williams said he has many friends all over town, having owned the restaurant since the 1980s. It hurts him that anyone might think that his business is making fraudulent payment card charges, he said.

Financial institutions are vigilant in finding unauthorized charges on their customers’ accounts. According to CoastHills Federal Credit Union President and CEO Jeff York, when charges to different CoastHills payment cards started coming in from Vietnam, they launched an investigation.

The credit union found that the payment card users had one thing in common — they had all used their cards at Pizza Garden.

CoastHills immediately started replacing the payment cards of the 600 members that had used their cards at the restaurant since November. And they sent a letter out to those members asking them to stop using their cards at the Pizza Garden, and pay with cash instead.

The letter opened with, “We have detected a correlation between fraudulent debit card activity and one specific food establishment in Lompoc — Pizza Garden Restaurant.”

Williams said he thinks some of his customers interpreted that to mean that Pizza Garden, or someone working there, was placing the unauthorized charges on patrons’ cards.

York said that was not the intent of the letter.

“We want to protect our members,” he explained.

But as a result, many customers who rely on payment cards instead of cash (York said that CoastHills has 40 percent of the local payment card market) apparently have simply decided to eat elsewhere, possibly because it’s just more convenient than hitting the ATM first for some cash.

The payment card users did not pay any of the fraudulent charges, but Williams said the problems were apparently enough to chase away some of his customers.

“It used to be a zoo in here at lunchtime. Now it’s practically a ghost town,” he said.

In order to combat the growing problem of payment card data theft, card issuers such as Visa and MasterCard formed an independent body in 2006 called the Payment Card Industry Security Standards Council. The organization came up with a set of regulations for merchant customers who capture and/or store electronic information such as payment card numbers. They are now being required to protect the data and keep it safe from hackers. Conforming to the regulations is called being PCI compliant.

PCI compliance means that businesses such as Williams’, called Level 4 merchants, must pass a vulnerability scan by a PCI-approved scanning vendor. They must do this annually. Another requirement is that they acquire and maintain a secure Internet connection between their web browser and the web server. And there are more.

Williams’ business has not yet caught up with the PCI regulations, which at this point are between him and the merchant banks and not a law. Williams says it will probably become a law soon, with policing to follow.

But he’s not waiting. He’s looking into becoming PCI compliant right away. And he says he’s going to become an advocate of PCI standards and will spend time helping other Lompoc businesses become PCI compliant as well.

Williams said he would love to see all his customers come back to Pizza Garden. He’s anxious to regain his reputation in Lompoc.

And he knows how to satisfy them.

“If you give people a fair value for their money,” he says, “they’ll keep coming back.”

All payment card users are advised to monitor their statements and report any unauthorized charges to their bank immediately. If thieves have your number and have used it once, they may strike again. Financial institutions are ready to issue you a new card with a different number to thwart the thieves.



Wednesday, June 20, 2012
