Master Chart: Programs, defined by former, current & future state

SUPPORT (CONT’D)

DATA
Former state: Singular data sources and repositories with singular purposes. Heavily siloed in disparate platforms with little correlation. Value not yet realized.
Current state: Data analysis and correlation begins to create large databases and repositories.
Data collection is ubiquitous, but it is not being harnessed effectively. Collecting data unnecessarily is also a regulatory minefield, as well as an additional, significant risk.
Privacy and cybersecurity regulations (such as CCPA/CPRA) make data management high risk, high value, and complicated to execute while maintaining compliance requirements. Complications with consumers’ right to be “forgotten”, and practices such as data mapping and privacy, may impact assessments.

EMPLOYEE DATA
Former state: Physical data stored on-site.
Current state: Mix of physical and digital storage. Employee on-boarding/training not fully digitized.
Future state: Digital on-boarding and training programs. Cloud partnership for data storage.

CUSTOMER DATA
Former state: Little effort to capture customer data outside of credit card and mag-stripe data. Email capture for marketing efforts is common; physical address for snail mail has reduced but is still in business models. Customer buying habits and mobile device connections are ramping.
Current state: Several customer loyalty applications in play, as well as WiFi analytics dashboards and reporting. KPI-driven business operations with a SaaS model.
Lots of new options available, but the business case for adoption is not yet well understood. Adoption in the US is accelerating rapidly (WeChat in China, etc.). Amazon-style one-stop shopping.

BRAND DATA
Former state: Little visibility by the brand into franchisee health, employee management, and performance.
Current state: Data-driven programs are starting to be implemented by brands in order to review and support their franchisees. Brand marketing programs are built and optimized based on data driven by franchisees.
Future state: Endpoint monitoring, brand data traffic flow and data dumps to the corporate brand team. Movement from license-based models to more SaaS-based ones with open APIs.

THIRD-PARTY DATA
Former state: Siloed independent collection.
Future state: Privacy professional feedback. Data privacy laws updated, as well as consumer protection. Industry-driven decisions on data ownership.

ENDPOINT SECURITY
Former state: Cost-driven point products. Endpoint security is AV and standard EPP platforms: the lowest common denominator of security capabilities, if not the only security capabilities at many companies.
Current state: Consolidated and centralized security functions. Legacy SIEM; AV moves to an EPP + EDR platform. Automation becomes one of the few ways to combat a lack of resources and the need for immediate response. SMBs are still implementing cost-driven security products rather than making capability-focused decisions.
Future state: AI-driven security / augmented / automated. SOAR, XDR and MDR; ML/UEBA/NBA technology integrations. Integrated partnerships between endpoint security solutions and point of sale.

REMOTE CONNECTIVITY
Former state: Physical access, Remote Desktop, third-party remote access software (RAS), VPN. POS and non-POS services co-mingle on a single system.
Current state: Secure adaptive VPN connectivity with robust logging and auditing capabilities. Direct application access removes many requirements to interact directly with the store.
Future state: API-driven operations become standard practice, with less direct user access needed on in-store POS devices. Move away from co-mingled software environments where multiple functions reside on a single compute resource. Restaurants must mature the mindset of remote security, and API standardization and integration must become open and audited to be successful. This will differ for system-to-system communications (SD-WAN-style remote connectivity) and for end-user-to-system communications.
USER IDENTITY MANAGEMENT
Former state: Static credentials and persistent access allow for limited security and accountability. A single account with no separation of privileges between admin and user is common. Limited multi-factor authentication.
Current state: Unique identities separating admin from general user access, with some per-application / per-database credentialing. Multi-factor authentication becomes a requirement, but implementation varies.
Future state: Full password rotation and vaulting mandatory. Fully validated and audited access trails. Deep integration with SSO solutions. Adaptive multi-factor authentication to ensure high implementation. The technology exists, with many competitors, to achieve the future state. At this point, it takes process and corporate priority changes to achieve these goals.

DEVICE
Former state: Limited mobile device management. Devices “on-island.” Compatibility challenges. Static device inventory with no continuous assessments performed.
Current state: Centralized and consolidated asset identification and continuous assessment, with support for a myriad of devices. Network Access Control (NAC) implemented with growing regularity as IoT expands.
Future state: Fully integrated Mobile Device Management (MDM) + security. Network Access Control implemented with high regularity as part of a zero-trust model. Protection becomes less endpoint-focused and more identity- and application-centric. Tools, support and services are available today to execute this strategy. Restaurants need to prioritize this and build a business case to support it.

REPORT
Former state: Local transactional reporting. Some products have the ability to aggregate multiple restaurants’ reporting.
Current state: Improved reporting aggregation capabilities in core POS products. Improved capabilities in native cloud POS products. Many third-party (non-POS vendor) reporting/BI products, but very little true integration; some best-in-class third-party middleware achieves these goals but is expensive.
Future state: Use an industry-standard API. This should improve the product offerings and make them easier to integrate and port to accounting, inventory, HR and BI systems cost-effectively. API-first, or well-documented, systems are differentiators (not all APIs are equal). PII and PCI data are important to keep track of, and potentially to exclude from reporting capabilities for compliance purposes. Identify, normalize, and systematize the least-risk / highest-value data to aggregate and report. PII and PCI data should be tagged appropriately to reduce risk and track where data is going. Build, use, adopt, and buy systems that implement standards like those created by RTN.

COMPLIANCE (PCI, ETC)
Former state: American Express, Discover Financial Services, JCB International, Mastercard and Visa introduced PCI DSS 1.0 in December 2004, followed by version 1.1 in 2006, which added online application and firewall standards as well as the creation of the PCI Security Standards Council. PCI 3.x raises the stakes on safe and consistent hardware / manufacturing of payment devices. Payment encryption (P2P / E2EE) and incident response planning become standard in 3.2. Focus on process enhancement and ensuring proper practice of controls, but little year-round validation.
Current state: PCI 4.x promotes security as a continuing process and aims to ensure year-round security maturity. Application development and delivery requirements signal a change in PCI’s stance on how transactions are processed. Places more value on digital/ecommerce/contactless and customer data protection.
Future state: Compliance is shifting from a point-in-time assessment to a continuous improvement and validation style of process. Restaurants must begin to implement third-party risk assessments to ensure vendor security capabilities, as well as disclosure requirements. Certain technology categories can make the assessment automated, but many technology stacks still require manual intervention, making this a skills, cost and availability-of-talent issue.

OPERATIONS

MENU, ORDERS, CUSTOMER PAYMENT METHOD
Former state: Localized, on-prem solution. Cash-focused, physical-security-focused.
Current state: Heading toward cloud-based. Credit-card-focused, payment card security standards.
Future state: All cloud, managed, utilizing AI/ML insights to drive operations. Mobile-first, QR codes, NFC, voice-based ordering, Venmo, Zelle.

ORDERS, PLATFORM
Former state: Menu boards, phone-in, call centers.
Current state: Online hybrid, digital menu boards.
Future state: Loyalty ordering, social media ordering, customer analytics (payment, transaction, loyalty data sets).

THIRD-PARTY INTEGRATIONS
Former state: 1:1, subject to opportunity, expensive, inaccessible, large-brand play; tech debt prohibitive.
Current state: Fragmented, complex, gated, emerging (Omnivore, Chowly); SaaS expensive at scale; AI/ML; who owns the customer data; GDPR/privacy liabilities.
Future state: Ubiquitous, click-to-install, low friction, drive innovation.
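The REPORT row's future state asks that PII and PCI data be tagged, tracked, and potentially excluded from reporting feeds. As an added example (not code from the chart, RTN, or any POS vendor), the following Python tags the fields of a POS ticket export, promotes untagged fields that carry a Luhn-valid card number to PCI so the leak is tracked, and produces a reporting view that drops PCI data and redacts PII; the field names and the sample ticket are constructed for this example.

```python
import re
# Constructed field-to-tag map for a POS ticket export; the field names are an
# assumption for this example, not the schema of any particular POS product.
FIELD_TAGS = {"pan": "PCI", "expiry": "PCI", "cardholder_name": "PCI",
              "email": "PII", "phone": "PII", "loyalty_id": "PII",
              "store_id": "OPS", "ticket_total": "OPS", "item_count": "OPS"}
DIGIT_RUN = re.compile(r"\b\d{13,19}\b")

def luhn_ok(digits):
    """Luhn checksum, used to spot card numbers that leaked into untagged fields."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pan(value):
    """First Luhn-valid run of 13-19 digits inside a string, else None."""
    if not isinstance(value, str):
        return None
    return next((m.group() for m in DIGIT_RUN.finditer(value) if luhn_ok(m.group())), None)

def tag_record(record):
    """Map each field to PCI / PII / OPS / UNTAGGED; untagged fields holding a PAN become PCI."""
    tags = {}
    for field, value in record.items():
        tag = FIELD_TAGS.get(field, "UNTAGGED")
        tags[field] = "PCI" if tag == "UNTAGGED" and find_pan(value) else tag
    return tags

def report_view(record):
    """Copy safe for a BI feed: PCI dropped (only last-4 of the tagged PAN kept), PII redacted."""
    out = {}
    for field, tag in tag_record(record).items():
        if tag == "PCI":
            if field == "pan":
                out["pan_last4"] = record[field][-4:]
        elif tag == "PII":
            out[field] = "<redacted:PII>"
        else:  # OPS and other untagged fields pass through unchanged
            out[field] = record[field]
    return out

# Constructed sample ticket; the free-text "notes" field hides a card number.
SAMPLE = {"store_id": "0142", "ticket_total": 23.50, "item_count": 3,
          "pan": "4111111111111111", "expiry": "12/27", "cardholder_name": "A. Example",
          "email": "guest@example.com", "loyalty_id": "L-9981",
          "notes": "card 5500000000000004 declined once, retried"}
```

The tag map returned by tag_record is what a data-flow inventory would record per downstream integration; the hidden card number in "notes" is the case that a field-name-only policy would miss.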