Chipotle Mexican Grill appears to be a target of a recent data breach. This comes in the wake of an apparently similar hack Arby's suffered, reported in mid-February.
Chipotle, the ubiquitous fast-casual restaurant chain, is investigating "unauthorized activity" that occurred from March 24, 2017 to April 18, 2017 and that it believes to be contained. Chipotle earns praise for its speed and candor in reporting the data breach, which MarketWatch and others report is not affecting the Denver, Colorado-based company's publicly traded stock.
Restaurants, along with retailers like GameStop and hospitality providers, are prime targets for efforts to obtain the wealth of credit card information available at point-of-sale transactions and other data held on file. It'd be unsurprising to learn that the culprit was malware on POS terminals, as in the Verifone attack. In that incident, whose timeframe coincides with GameStop's, POS terminals at fuel stations were a malware target.
The Chipotle hack is another argument for quick-service restaurants, fast-casual ones, and other high-transaction-volume establishments to rethink how they process the bulk of their payments. They can do this in a way that takes a tremendous amount of fraud potential off the table, and finally align proprietary marketing and customer experience (CX) aims with a new kind of payment security.
First, they can tie sensitive data like customer identity and bankcard information to a person, and not to a static alphanumeric string such as the same bankcard presented time and again at malware-susceptible POS terminals, or insecurely held on password-protected applications. This would liberate many such transactions from the insecure world of card swiping, slow-moving EMV chip transactions, and risky unprotected data-in-transit payments. The way to do this is to further develop branded apps into full-service digital wallets.
A restaurant of Chipotle's caliber already has a desktop and mobile app that corrals a store finder and a preorder/prepay option. What appears to be missing is tokenized, multimodal biometric payments, rewards, and other features. The right solution will also enhance the CX so visibly, for example with a "selfie for your regular order," that the military-grade encryption underpinning it will be an afterthought. Solutions like these are true omnichannel offerings working in-app, in-store, and on desktop.
A Chipotle-branded full-service digital wallet also supports the CX goals we see from other big players like Starbucks, Dunkin' Donuts, and McDonald's. These largest of players are giving digital CX more attention than ever. An important feature they all have or will implement is preordered/prepaid pickups, something Chipotle relies on but can do more enjoyably and securely.
Apple Pay and Samsung Pay are examples of this kind of innovation, but retail or e-commerce giants can bring this concept much further. They can make it interoperable across devices and operating systems, and free it of agreements with third-party digital wallets married to device manufacturers. Recall that retail and pharmacy leader CVS created CVS Pay, abandoning Apple Pay, so that proprietary information on shopping habits remained under its control.
There are some things to work out, such as Apple granting SDK access to its NFC chip so that, for contactless payments at POS terminals, NFC is supported along with Bluetooth. In the long run, the independence of a full-service digital wallet, underpinned by the latest in biometric security and usability, is a sensible path for restaurants, retail, e-commerce, and hospitality giants to take. The risks inherent in high-volume transaction business models demand that at least a portion of the payments be put in a safer lane than they currently occupy.
Chipotle and its peers may always accept payment with card swiping and EMV at POS terminals. They'd be wise to reduce risk by downsizing the volume of payments that are susceptible to attack, resist dependence on other digital wallets' restrictions, and build upon a CX that is a crucial differentiator in the crowded foodservice arena.