To make it nearly impossible to be the source of a card data breach, the restaurant chain Ruby Tuesday Inc. is installing a payment system that will store almost no card data.
Though the Maryville, Tenn., company is not the first to do so, analysts say it is at the forefront of a growing trend among merchants that have become weary of reading about breaches.
Ruby Tuesday said this week that it is installing the new system because it has become increasingly complicated to implement encryption systems that comply with the card companies' Payment Card Industry security guidelines.
Nick Ibrahim, Ruby Tuesday's chief technology officer, said in an interview Wednesday that his company had conducted "a lot of mini-projects" such as encrypting card data while in transport and when it is stored in its systems.
"We got so tired of it, because it's an ongoing basis. I decided to say we don't need the credit card numbers ourselves," Mr. Ibrahim said.
The new system, which uses software developed with Micros Systems Inc., sends transaction data from the point of sale terminal to the bank; almost no card information is retained by Ruby Tuesday.
"In our data warehouse, we store everything as far as the sale is concerned, but when it comes to the credit card number, it's hashed with Xs. The only thing we see is the last four numbers of the card," he said. "We don't want to be in the business of credit cards. We want the bank to be in that business."
The new system, which costs about $2 million, is already in place at about 650 of Ruby Tuesday's restaurants and is expected to be up and running at all 900 by early next month, Mr. Ibrahim said.
Merchants typically retain card data for marketing purposes and to locate transaction records if a customer disputes a charge.
Ruby Tuesday is developing a marketing strategy to solicit information such as physical and e-mail addresses from customers while they are at the restaurants, and not through their cards, Mr. Ibrahim said. Any data needed to resolve a dispute can be obtained from the company's merchant acquirer, Fifth Third Bancorp, he said.
Chris Noell, the president of TruComply Services LLC, an Austin education and compliance support consulting company, said few merchants have tried this kind of transaction setup, even though it has been available for some time.
"Most merchants who are PCI-compliant are coming to the conclusion they're probably keeping more information than they need to," Mr. Noell said. But deciding to get rid of almost all the information, as Ruby Tuesday has done, is "still rare."
Ruby Tuesday is claiming that its new system is "ultra-secure," Mr. Noell said, but not storing the card information does not make it immune to scams.
"I don't think there's such a thing," he said. "There's always a way to compromise something. There's better, but there's never perfect."
Brian Riley, a senior analyst in the bank card practice for TowerGroup, an independent research firm owned by MasterCard Inc., said that restaurants are particularly vulnerable to fraud, because card transactions are frequently conducted out of the customer's sight.
Studies have shown that about 60% of all card fraud at retail locations occurs at restaurants, he said.
In one common scam, a waiter can run customers' cards through a portable skimmer to capture data.
Mr. Ibrahim said that Ruby Tuesday is considering portable readers that could be brought to customers' tables, and that they could be in use in about a year.
The new system will "pave the way for on-table service, where the customer never loses sight of the card," he said.
