Restaurants have long been one of the favourite targets of point-of-sale malware — not because hackers hate hospitality, but because it's easy.
Chains like Chipotle, Sonic Drive-In and Checkers & Rally's have all been hit by malware on their POS systems in recent years, sometimes undetected for months, with millions of stolen card numbers as a result. According to Verizon's most recent Data Breach Investigations Report, a third party — a vendor, POS provider or software partner — is now involved in 30% of all data breaches, nearly double the share from a year earlier. And in 22% of cases, a stolen or weak password was the opening move. You don't need to be a national chain to become a target: most attacks are automated, or run through a single vulnerable vendor serving dozens of restaurants at once. This article gives you 9 practical, largely free or cheap steps to secure your restaurant:
- Separate your guest Wi-Fi — never on the same network as your till.
- Lock down your POS system — install updates, and distrust any unannounced "technician".
- Choose a PCI-DSS-compliant payment provider — and never store card data yourself.
- Use strong passwords and two-factor authentication — everywhere, not just on the till.
- Spot phishing and invoice fraud — the most underrated cost in hospitality.
- Restrict access by role — and revoke it the moment someone leaves.
- Vet your vendors — their weakness becomes your breach.
- Back up your data and test your recovery plan — before the moment your till goes down.
- Know your reporting duty — GDPR gives you 72 hours, not a day more.
Why hospitality is such an attractive target
A restaurant processes dozens to hundreds of card transactions every day, stores reservation data and guest contact details, and often runs on ageing or poorly maintained POS hardware that keeps humming along unchanged for years. Add high staff turnover and limited IT knowledge, and you have exactly the profile attackers look for: plenty of valuable data, little resistance. Unlike a targeted attack on a major bank, most POS malware is opportunistic — it scans automatically for vulnerable systems, regardless of whether your venue has twelve tables or a hundred and twenty.
The good news: most of the measures below cost no money at all, just ten minutes of attention. Cybersecurity in hospitality is rarely about hiring an expensive IT firm — it's mostly about closing the obvious gaps.
9 steps to a cyber-secure restaurant
1. Separate your guest Wi-Fi from your POS network
The most common — and most underestimated — mistake is running everything through a single router: the till, the office PC with the accounts, and the Wi-Fi you hand out to guests for free. The moment a guest (or someone who was given a guest's password) is on that network, in the worst case they can watch traffic heading to your POS system.
- Create two separate networks: one for guests, one for the till and back office, each with its own password. Most mid-range routers support this via a "guest SSID" or VLAN, often with a single setting.
- Change the guest password regularly, monthly for instance, so an old, widely shared password doesn't keep circulating.
- Put your QR ordering system on the guest network, never on the till's network — even if that seems more convenient.
This single change — two networks instead of one — closes off the most common route by which an infected guest device could ever reach your till.
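Whether the separation actually holds can be checked from the router's own forwarding log. The script below is an added example, not code from the article: it assumes a hypothetical layout with guest Wi-Fi on 192.168.50.0/24 and the till and back office on 192.168.10.0/24, parses a few constructed `SRC=... DST=...` log lines in the style of a Linux firewall log, and flags any flow that starts on the guest network and ends on the till network. Any such line means the two networks are not really separated.

```python
import ipaddress
from typing import List, NamedTuple

# Hypothetical layout (assumption, not from the article): guest Wi-Fi on one
# subnet, till and back office on another.
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")
POS_NET = ipaddress.ip_network("192.168.10.0/24")


class Flow(NamedTuple):
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    raw: str


def parse_line(line: str) -> Flow:
    """Parse one 'KEY=VALUE ...' firewall log line into a Flow."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return Flow(
        ipaddress.ip_address(fields["SRC"]),
        ipaddress.ip_address(fields["DST"]),
        int(fields["DPT"]),
        line,
    )


def policy_allows(flow: Flow) -> bool:
    """The one rule that matters: nothing on the guest network may reach the
    till network. Guest-to-internet and till-to-anything stay allowed."""
    if flow.src in GUEST_NET and flow.dst in POS_NET:
        return False
    return True


def audit(lines: List[str]) -> List[Flow]:
    """Return every logged flow that the segmentation policy should have blocked."""
    return [f for f in map(parse_line, lines) if not policy_allows(f)]


# Constructed sample log lines (not real traffic). Line 2 is the violation:
# a guest device reaching the till's address.
SAMPLE_LOG = [
    "Jun  1 19:02:11 router kernel: FORWARD IN=wlan_guest OUT=eth0 "
    "SRC=192.168.50.23 DST=8.8.8.8 PROTO=UDP DPT=53",
    "Jun  1 19:02:15 router kernel: FORWARD IN=wlan_guest OUT=br_pos "
    "SRC=192.168.50.41 DST=192.168.10.5 PROTO=TCP DPT=443",
    "Jun  1 19:03:00 router kernel: FORWARD IN=br_pos OUT=br_pos "
    "SRC=192.168.10.20 DST=192.168.10.5 PROTO=TCP DPT=443",
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_LOG):
        print("guest device reached till network:", flow.src, "->", flow.dst)
```

If the audit returns nothing over a few days of logs, the guest SSID or VLAN is doing its job; a single hit is reason to check the router's isolation setting before anything else.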
2. Lock down your POS system itself
When choosing a POS system, you normally focus on integrations and transaction fees — but how well it's secured, and stays secured, matters at least as much. A few practical rules:
- Install software updates for your till as soon as they're available; outdated POS software is the easiest target there is.
- Use the till PC exclusively for the till — not for quick browsing, checking email, or playing music.
- Distrust any unexpected "technician". The Brazilian hacking group Prilex became infamous worldwide for POS malware that can even clone chip-and-PIN transactions — the infection typically starts with a phone call from a supposed technician insisting the POS software needs "updating" and asking you to install remote-access software like AnyDesk. If in doubt, always call back the official number of your own vendor, never the number the caller gives you.
3. Choose a PCI-DSS-compliant payment provider
Every party that processes card payments must comply with PCI-DSS, the card networks' security standard. The practical implication for you: never let card data pass through or sit on your own systems if it doesn't have to.
- Choose a payment terminal or provider that tokenises card data — your till then never sees the real card number, only a worthless substitute code.
- Never store card numbers yourself in spreadsheets, emails or notes "just in case".
- If you're not PCI-DSS compliant and a breach happens anyway, you can be held liable for fraudulent transactions — the cost of non-compliance is almost always higher than the cost of a compliant provider.
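To make the "worthless substitute code" concrete, here is an added example (not code from the article or from any payment provider) that models tokenisation end to end: the terminal reads the card and hands the number to a stand-in for the provider's vault, the provider returns a random token plus the last four digits, and the till records only those. The `ProviderVault`, `PaymentTerminal` and `Till` classes and the well-known test card number 4111 1111 1111 1111 are all constructed for illustration. The point of the example is the last check: the till's own records never contain the real card number, so a breach of the till exposes nothing a fraudster can use.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation, as used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class ProviderVault:
    """Stands in for the payment provider's token vault. Assumption: only the
    provider holds the token-to-card mapping; the restaurant never sees it."""

    def __init__(self) -> None:
        self._vault: Dict[str, str] = {}

    def tokenise(self, pan: str) -> Tuple[str, str]:
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_hex(12)  # random, carries no card data
        self._vault[token] = pan
        return token, pan[-4:]

    def detokenise(self, token: str) -> str:
        """Only the provider can do this; the till has no such function."""
        return self._vault[token]


@dataclass(frozen=True)
class Receipt:
    token: str
    last4: str
    amount_cents: int


class PaymentTerminal:
    """The card reader: the only restaurant-side device that sees the number."""

    def __init__(self, provider: ProviderVault) -> None:
        self.provider = provider

    def pay(self, pan: str, amount_cents: int) -> Receipt:
        token, last4 = self.provider.tokenise(pan)
        return Receipt(token, last4, amount_cents)


@dataclass(frozen=True)
class SaleRecord:
    table: int
    amount_cents: int
    token: str
    last4: str


class Till:
    """The POS system: it only ever receives a Receipt, never a card number."""

    def __init__(self) -> None:
        self.sales: List[SaleRecord] = []

    def record_sale(self, table: int, receipt: Receipt) -> None:
        self.sales.append(
            SaleRecord(table, receipt.amount_cents, receipt.token, receipt.last4)
        )

    def exposes(self, pan: str) -> bool:
        """Would a dump of the till's records reveal this card number?"""
        return pan in repr(self.sales)


if __name__ == "__main__":
    provider = ProviderVault()
    till = Till()
    receipt = PaymentTerminal(provider).pay("4111111111111111", 2450)
    till.record_sale(table=12, receipt=receipt)
    print(till.sales[0])
    print("till exposes card number:", till.exposes("4111111111111111"))
```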
[Callout: The numbers that make the difference. Why speed and basic hygiene matter more than an expensive security contract.]
4. Strong passwords and two-factor authentication, everywhere
One shared, years-old password ("till1234") handed to every employee who has ever worked for you is arguably the biggest invisible risk in hospitality. By the time you realise it, ten former staff members still know it.
- Turn on two-factor authentication wherever possible: on your POS account, your reservation system, your Google Business Profile, and your business email. It's usually free and costs one extra click at login.
- Give every staff member their own login instead of one shared account — that way you also know who did what if something goes wrong.
- Use a password manager for business accounts instead of reusing the same password everywhere.
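The "one extra click at login" is usually a six-digit code from an authenticator app, and it is worth seeing how little is behind it. The block below is an added example, not code from the article or from any POS or authenticator vendor: a complete time-based one-time password (TOTP) implementation following RFC 6238, with the code generator, a verifier that tolerates one 30-second step of clock drift, and the `otpauth://` enrolment string that a QR code normally encodes. The secret `b"12345678901234567890"` is the published RFC test vector, not a real key; `new_secret()` shows how a real one would be generated.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the 30-second slot number."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: Optional[float] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current slot and +/- `window` neighbouring
    slots, so a phone clock a few seconds off still works. Comparison is
    constant-time to avoid leaking how many digits matched."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, len(code)), code)
        for delta in range(-window, window + 1)
    )


def new_secret(nbytes: int = 20) -> bytes:
    """A fresh random shared secret, generated once per user at enrolment."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The string an authenticator app reads from the enrolment QR code.
    Assumed issuer/account names are illustrative only."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits=6&period=30")


if __name__ == "__main__":
    demo_secret = new_secret()
    print(provisioning_uri(demo_secret, "manager@example-bistro.invalid", "Example Bistro POS"))
    now = time.time()
    code = totp(demo_secret, now)
    print("code right now:", code, "verifies:", verify_totp(demo_secret, code, now))
```

The secret never leaves the server and the phone, so a phished password alone is not enough to log in; an attacker would also need a code that is only valid for about a minute.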
5. Spot phishing and invoice fraud
Most breaches don't start with sophisticated code, but with an email or phone call that abuses trust. Make this explicit in your staff training:
- Invoice fraud: a "supplier" emails saying their bank account number has changed. Always confirm any change to payment details by phone, using a number you already had on file — never the number in the email.
- CEO fraud: an urgent email "from the owner" asking someone to buy gift cards or make a quick transfer. Agree within your team that such requests are always confirmed verbally.
- Fake emails from "your POS vendor" or "Google" asking you to log in via a link. If in doubt, always go directly to the official website instead of clicking the link.
6. Restrict access by role — and revoke it immediately
Not every employee needs admin rights on your till, booking system or social media. Work with roles: a server can take orders but doesn't need to export reports or change settings.
- Give full admin rights only to the owner and a limited number of managers.
- Revoke access immediately the moment someone leaves — this is the most forgotten step on this entire list, and one of the riskiest. Build it into your offboarding checklist alongside the rest of your staff management admin.
- Review at least twice a year who still has access to what, and remove anything no longer needed.
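The three rules above (roles instead of admin-for-everyone, revoke on leaving, review twice a year) fit in a few dozen lines. The block below is an added example, not code from the article or from any POS product: a small role-based access model for a till, where only accounts with `manage_users` can create or offboard others, an offboarded account fails every permission check immediately, and `access_review()` lists the admins and any active account that has not logged in for 90 days. The role names, actions and usernames are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Hypothetical role model for a till (assumption, not from the article).
ROLE_PERMISSIONS = {
    "server": {"take_order", "close_table"},
    "manager": {"take_order", "close_table", "void_sale", "export_reports"},
    "owner": {"take_order", "close_table", "void_sale", "export_reports",
              "change_settings", "manage_users"},
}


@dataclass
class Account:
    username: str
    role: str
    active: bool = True
    last_login: Optional[date] = None


class TillAccess:
    def __init__(self, owner_username: str) -> None:
        # The first owner account is created at setup; everything else goes
        # through add_user, which itself requires the manage_users permission.
        self.accounts: Dict[str, Account] = {owner_username: Account(owner_username, "owner")}

    def can(self, username: str, action: str) -> bool:
        """Every permission check: the account must exist, be active, and
        hold a role that includes the action. Each person has their own login,
        so this also tells you who did what."""
        acct = self.accounts.get(username)
        return acct is not None and acct.active and action in ROLE_PERMISSIONS[acct.role]

    def _require(self, actor: str, action: str) -> None:
        if not self.can(actor, action):
            raise PermissionError(f"{actor} may not {action}")

    def add_user(self, username: str, role: str, actor: str) -> None:
        self._require(actor, "manage_users")
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role}")
        self.accounts[username] = Account(username, role)

    def record_login(self, username: str, when: date) -> None:
        self.accounts[username].last_login = when

    def offboard(self, username: str, actor: str) -> None:
        """The offboarding-checklist step: from this moment every check fails."""
        self._require(actor, "manage_users")
        self.accounts[username].active = False

    def access_review(self, today: date, stale_after: timedelta = timedelta(days=90)) -> Dict[str, List[str]]:
        """What to look at twice a year: who holds admin rights, and which
        active accounts nobody has used for a long time."""
        admins = [a.username for a in self.accounts.values()
                  if a.active and "manage_users" in ROLE_PERMISSIONS[a.role]]
        stale = [a.username for a in self.accounts.values()
                 if a.active and (a.last_login is None or today - a.last_login > stale_after)]
        return {"admins": admins, "stale": stale}


if __name__ == "__main__":
    till = TillAccess("owner")
    till.add_user("sam", "server", actor="owner")
    till.add_user("maria", "manager", actor="owner")
    print("sam can export reports:", till.can("sam", "export_reports"))
    till.offboard("maria", actor="owner")
    print("maria can take orders after leaving:", till.can("maria", "take_order"))
    print(till.access_review(date(2024, 6, 1)))
```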
7. Vet your vendors: their weakness becomes your breach
Your POS system, online ordering platform and automation tools often run on software from an outside party. If that party gets hacked, you're the one losing sleep. Since October 2024, the EU's NIS2 directive has raised the security bar for medium and large companies across many sectors — individual restaurants mostly fall outside it (the threshold is 50 employees or 10 million euros in turnover), but your POS, booking and payment vendor is often squarely inside it. So ask every new vendor:
- Are you NIS2 or ISO 27001 compliant, or can you at least demonstrate how customer data is protected?
- How quickly are customers notified if there's an incident on your end?
- Where and for how long is our data stored, and who has access to it?
This ties directly into the scrutiny you should already be applying to how you handle customer data under GDPR: your responsibility for your guests' data doesn't end with the vendor who technically stores it.
8. Back up your data and test your recovery plan
Ransomware rarely makes headlines in hospitality the way it does for hospitals, but the impact is just as disruptive: a till that goes down on a busy Friday night means instant lost revenue and frustrated guests at the door.
- Back up reservation data, customer records and configuration regularly — automatically, not manually "whenever you remember".
- Keep at least one backup separate from your main network, so that ransomware encrypting your systems doesn't take your backup down with it.
- Test at least once a year whether you can actually restore a backup — a backup you've never restored is an assumption, not a guarantee.
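A restore test does not need to be elaborate: back up, record a checksum of every file, restore somewhere else, and compare. The block below is an added example, not code from the article or from any backup product: it archives a directory into a `.tar.gz` with a SHA-256 manifest, restores it into a separate directory and reports any file that is missing or differs. `run_drill()` runs the whole cycle on a couple of constructed sample files (a reservations CSV and a till config) inside a temporary directory, and with `tamper=True` deliberately breaks the manifest to show what a failed drill looks like. Paths and file contents are illustrative assumptions.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir: Path, archive: Path) -> Dict[str, str]:
    """Archive every file under src_dir and return {relative path: sha256}.
    Keep the manifest with the backup, off the main network, so a restore
    can be checked against it later."""
    manifest: Dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in src_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(src_dir).as_posix()
            manifest[rel] = sha256_of(path)
            tar.add(path, arcname=rel)
    return manifest


def restore_and_verify(archive: Path, manifest: Dict[str, str],
                       restore_dir: Path) -> Tuple[bool, List[str]]:
    """Extract the archive into restore_dir and compare every file against
    the manifest. Returns (all_ok, list of files that are missing or differ)."""
    # The 'data' extraction filter blocks path traversal and special files;
    # it exists on Python 3.12+ and the security backports of earlier versions.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(restore_dir, **kwargs)
    mismatches = [
        rel for rel, expected in manifest.items()
        if not (restore_dir / rel).is_file() or sha256_of(restore_dir / rel) != expected
    ]
    return (not mismatches, mismatches)


def run_drill(tamper: bool = False) -> Tuple[bool, List[str]]:
    """Full cycle on constructed sample data. With tamper=True the manifest
    entry for one file is corrupted to show a failing restore test."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "live"
        (live / "config").mkdir(parents=True)
        # Constructed sample files, not real guest data.
        (live / "reservations.csv").write_text(
            "date,name,covers\n2024-06-01,Sample Guest,4\n")
        (live / "config" / "till.ini").write_text("[till]\nname=Bar 1\n")
        archive = root / "backup.tar.gz"
        manifest = make_backup(live, archive)
        if tamper:
            manifest["reservations.csv"] = "0" * 64
        return restore_and_verify(archive, manifest, root / "restore")


if __name__ == "__main__":
    ok, bad = run_drill()
    print("restore drill passed:", ok, bad)
    ok, bad = run_drill(tamper=True)
    print("tampered drill passed:", ok, bad)
```

Run it once a year against a real backup (point `make_backup` at the till's export folder and restore onto a spare machine) and keep the output with your incident sheet; a drill that passes is the difference between a backup and a hope.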
9. Know your reporting duty and consider insurance
If you process personal data belonging to guests or staff — and virtually every restaurant does, from reservations to personnel files — GDPR applies in full, regardless of your size. In the event of a serious data breach:
- You must report it to the data protection authority within 72 hours of discovery.
- You must notify affected guests or staff if the risk to them is high.
- Fines can reach up to 4% of worldwide annual turnover — in practice small hospitality businesses tend to face far milder outcomes, but the reporting duty itself applies without exception.
An affordable cyber insurance policy often covers not just the direct damage, but also forensic investigation and legal support after an incident — ask about it with the same insurer who handles your other policies. Also document, on a single sheet of paper, exactly who to call (vendor, insurer, IT support if you have one) the moment something goes wrong: in the middle of the night is not when you want to be hunting for a phone number.
Common mistakes that undermine cybersecurity
- Running the till, office and guest Wi-Fi on exactly the same network.
- Using one shared password that never changes, not even after staff turnover.
- Giving an unannounced "technician" remote access to the till without question.
- Writing down or keeping guests' card details manually "just in case".
- Only revoking a former employee's access once it happens to come up.
- Never testing whether a backup can actually be restored.
Conclusion: security as basic hygiene, not a luxury
Cybersecurity in hospitality rarely calls for a big investment. It's a set of small, structural habits: a separate guest network, two-factor authentication, a critical eye for every unexpected phone call, and access you revoke the moment someone leaves. Start this week with the free steps — separating your networks, turning on two-factor authentication, briefing your team on phishing — and schedule the rest into your next vendor conversation.
The cost of those few hours of attention is peanuts compared to what a data breach costs in reputation, fines, and the trust of guests who simply expected their data to be safe with you.