Security Tips and Housekeeping for Restaurant Employers and Workers

The hospitality industry is more digitized than ever before. And that’s a great thing — because the right technology can save crazy amounts of time, cut costs, and generally make everyone’s life a whole lot easier.

But with new solutions come new best practices, especially in terms of cybersecurity. Kickfin keeps this top of mind. Our product team has built a platform that takes security seriously — in fact, it’s our number-one priority.

And on the Customer Success side, we do everything in our power to ensure Kickfin users are trained to recognize and avoid any potential risks before they ever log in to the platform.

Periodically, we recommend customers assess the overall strength of their cybersecurity to help prevent any unwanted threats to their businesses. Below is a rundown of the most important and effective ways that Kickfin users can protect themselves and their companies from cybersecurity threats.

Why should I care about cybersecurity?

According to a report by Modern Restaurant Management, cashless payment systems have created new cybersecurity concerns that restaurant operators need to be aware of.

The report predicts four cybersecurity trends for 2025, and names point-of-sale attacks driven by cashless payments as its #1 security concern for restaurants this year.

Additionally, deepfakes and AI will enable more sophisticated social engineering and phishing attacks by automating them and increasing their complexity. And the delivery platforms that so many operators have come to rely on have increased the risk of cyberattacks within the supply chain that supports the industry.

Operators need to protect their restaurants from potential internal threats as well. Employees can create risks in two primary ways: 

  1. Direct theft.
  2. Inadvertently revealing sensitive information to outsiders.

Keeping You Safe: Kickfin’s Advanced Security Features

We’ve developed several innovative security features to help customers keep their account safe from all sources of potential threats — both external and internal.

  1. Role policies for tip payouts: These let an operator grant a user permission to receive tips while also allowing that user to issue tips. Use this for a manager who sometimes works tipped positions, so they don’t need to maintain two accounts. Or, if none of your managers cover tipped positions, you can strictly prevent a manager from ever receiving a tip payout.
  2. Payout limits: You can limit which types of payouts a Manager or Admin can issue through the platform. For example, you may allow an Admin to issue tips both through our integrated Tip Calculator and manually, while limiting Managers or Leads to issuing tips only through the Tip Calculator.
  3. Secondary approval: This feature requires a second person’s approval before a payment is issued if the employee is receiving a payment for the first time ever (or for the first time in a set number of days), and also if more than a certain number of payments are issued to one individual in a 24-hour period.
  4. Payout caps: You can set the maximum amount that can be paid to any individual employee in a single payment.
  5. Locked accounts: User accounts are locked after multiple failed login attempts or invalid two-factor authentication (2FA) attempts.
  6. Audit log features: Kickfin provides increased accountability through expanded audit log features that track who is doing what in your Kickfin account.

Cybersecurity Best Practices

At the end of the day, you really can’t control whether you’re the target of a security attack — but you can control how you react and whether it’s successful. As always, knowledge is power. 

Here’s how to ensure scammers aren’t given the “keys to your safe,” so to speak.

1. Use the principle of least privilege

Only give users the minimum access they need to do their jobs. That goes for any software you use, but within Kickfin there are four user roles with different privileges:

  • Org Admin: Has access to all locations in the organization; can add/edit/delete users and make payments at any location. Keep the number of Org Admins to the bare minimum of people who genuinely need that access.
  • Site Admin: Has access only to the worksites to which they are assigned; can add/edit/delete users and make payments at those locations. Keep the number of Site Admins to the bare minimum as well.
  • Manager: Has access only to the worksites to which they are assigned; can only make payments at those locations; cannot add/edit/delete users.
  • Employee: Can only receive payments from the worksites to which they are assigned, and has no access to the administrative areas of Kickfin. Most of your staff should be in the Employee role.

Again (just for the folks in the back!): the majority of your staff should not have Org Admin, Site Admin, or Manager privileges.
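The role matrix above, together with the secondary-approval, payout-cap and site-assignment controls described earlier, can be expressed as a single authorization check. The Python below is an added illustration written for this post, not Kickfin’s code: the role names come from the post, while the function names and the policy thresholds (per-payment cap, first-payout window, 24-hour count) are assumed values chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Rights per role, as described in the post: admins manage users and pay,
# managers only pay, employees only receive.
ROLE_RIGHTS = {
    "org_admin": {"pay", "manage_users"},
    "site_admin": {"pay", "manage_users"},
    "manager": {"pay"},
    "employee": set(),
}

@dataclass(frozen=True)
class User:
    name: str
    role: str
    sites: frozenset  # assigned worksites; ignored for org_admin (all sites)

@dataclass(frozen=True)
class Policy:
    cap: float = 500.0           # assumed per-payment cap (payout caps)
    first_payout_days: int = 30  # assumed "first time in N days" window
    max_per_24h: int = 3         # assumed 24h count that triggers secondary approval

def can_pay(actor: User, site: str) -> bool:
    """Least privilege: the actor's role must allow paying, and at this site."""
    if "pay" not in ROLE_RIGHTS[actor.role]:
        return False
    return actor.role == "org_admin" or site in actor.sites

def review_payout(actor, site, employee, amount, history, now, policy):
    """history: prior (datetime, amount) payouts to this employee (constructed).
    Returns 'approve', 'hold: ...' (needs secondary approval) or 'deny: ...'."""
    if not can_pay(actor, site):
        return "deny: actor lacks payout rights at this site"
    if site not in employee.sites:
        return "deny: employee not assigned to this site"
    if amount > policy.cap:
        return "deny: exceeds per-payment cap"
    reasons = []
    last = max((t for t, _ in history), default=None)
    if last is None or now - last > timedelta(days=policy.first_payout_days):
        reasons.append("first payout in window")
    recent = sum(1 for t, _ in history if now - t <= timedelta(hours=24))
    if recent >= policy.max_per_24h:  # this payment would exceed the count
        reasons.append("too many payouts in 24h")
    return "approve" if not reasons else "hold: " + ", ".join(reasons)
```

A "hold" result is where the secondary-approval step belongs; a "deny" should never be reachable by an Employee or an unassigned Manager, which is exactly the point of keeping most staff in the Employee role.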

2. Educate your staff on proper password management.

Many people are well aware of proper password management, but it’s easy to get complacent, especially if you’ve never been the target of a phishing scam. The top things to know about password security:

  • Kickfin will never call you and ask for your password. Legitimate service providers will not ask for your password in order to assist you with their system; this is a common tactic phishing scammers use to gain access to your accounts.
  • Do not share your password with anyone. (Ever.) Managers should not share their passwords with others in the organization, and we do not recommend using a generic login (such as generalmanager@restaurant.com).
  • Passwords should be unique to the individual. Make it something you can remember but that is not easy to guess. It should not include any commonly used catchphrases or mottos belonging to your organization.
  • Passwords should contain multiple character types. Consider using numbers and symbols in place of letters in a word, for example D3liciou$Eats!
  • Use a passphrase instead of a password. A long phrase (the longer the better!) is much harder to crack, such as !tal!an Food !$ my Favor!t3
  • Do not use the same password for multiple systems. If one password is compromised, using it for only one system limits the harm.
  • Do not make your password accessible. For example, do not write it on a post-it note stuck to the monitor or hidden under the keyboard or mousepad.
  • Consider a password generator. Your team may want to use the automatic password generators built into most operating systems, or a password manager that generates a random, site-specific password that is virtually impossible to guess.

3. Clean up your user list.

Remove any employees (particularly Admins and Managers) who are no longer with your organization. Make sure everyone has the right role for their job (see #1 above!).

4. Take extra steps to protect shared computers.

If your team members use a shared computer, encourage them to log out of important systems and applications every time they step away from it, so nobody can use their account session for illicit purposes.

5. Educate your staff on how to avoid phishing scams and social engineering hacks.

Provide them with training on common phishing and social engineering techniques, how to avoid them, and how to respond to them.

6. Develop a cybersecurity action plan.

Know who to contact in the event of a breach and how best to protect your business. Make sure all managers know your company’s protocol for reporting an incident should one occur.

What to do if you’re the victim of a phishing scam

Chances are, you’re already doing a lot of things right.

If you, an employee or your business becomes a victim of a phishing scam, please do the following:

  • If it involves your Kickfin account, notify our support team immediately. We can help minimize the loss and help you recover your account.
  • Report the incident to your local law enforcement agency, the FBI’s Internet Crime Complaint Center at www.ic3.gov, and the FTC’s Report Fraud site at www.reportfraud.ftc.gov.
  • Make sure all passwords are updated with new passwords that include letters, numbers and symbols.
  • Scan your computer to make sure any malicious or unknown software has been removed.

And as always, we’re here to help. If you’d like a security review of your account, please contact us at support@kickfin.com. We’ll work with you to ensure that all your users are in the appropriate role for their needed level of access.

[Product Announcement] It’s here: Introducing Kickfin 2.0!

New look, same great tech. (But better.)

In case you haven’t heard: this summer, Kickfin is bringing the heat. We’re rolling out Kickfin 2.0 to all of our existing customers — and all new customers will be directly onboarded to the new version.

(Don’t have Kickfin yet? There’s never been a better time to sign )

Almost every person at Kickfin, at some point in their careers, has worked in or for the hospitality industry.

Which is why it’s been incredibly rewarding — and if we’re being honest, a little mind-blowing! — to see how a simple solution like Kickfin has solved such a huge problem for restaurant teams. But we believe it’s always possible to make something great even better.

So, since day one, we’ve made it a point to do a lot of listening. We’ve talked to countless restaurant teams. We’ve observed their operations and felt their pain points. We’ve analyzed user data (sooo much data!) and drawn some powerful insights.

We took all of that information to heart — and poured everything we learned back into our product.

Long story short: everything you love about Kickfin is staying the same, but we’re making it more automated, more flexible and easier to use than ever before.

Read on to see what’s new in Kickfin 2.0, or scroll down to see the video!

First: Here’s what’s not changing.

Kickfin is the same instant, cashless tip payment tool that thousands of restaurant teams across the country rely on day in, day out. Tip payments will always go straight to your employees’ bank accounts — no matter where they bank! — the second their shifts end, 24/7/365.

Other things that aren’t changing (we promise!):

  • No hardware required
  • No contracts, ever
  • No set-up fees
  • …and pricing is the same as it’s always been.

Now, for the updates and upgrades (drumroll, please):

Aside from looking pretty dang sleek (if we do say so ourselves!), Kickfin 2.0 is going to make account management even more intuitive for you and your employees, and the payment process now has added layers of visibility, cleaner reporting, and a whole lot more…

Account updates:
  • Enhanced login: Sign in with email, phone number, or both. (Have a Gmail account? Users can now log in using Google credentials!)
  • Universal, life-long accounts: Employees only need a single Kickfin account, even if they’re working at multiple sites or in different roles. And accounts are now permanent: employers can “dismiss” employees if they leave, but employees can still log in to see historical tip payments. They also can use the same Kickfin account with a future employer.
  • Stronger security: Birth date is used for identity verification in password and account recovery cases. Kickfin 2.0 also validates login emails and/or phone numbers and requires them to be unique.
  • More flexibility: Job titles and tip classifications (direct or indirect) are set at the site level, and titles can be overridden when a tip is being issued. That means an employee can pick up a shift with an alternate role, and tips will be classified correctly.
Payment updates:
  • Align payments with your workday. The new “payment sets” feature allows you to view payments organized by time or shift — and you can include a description for payment sets to keep them straight. Payments will also be tracked to business days. (Open past midnight? No problem: You can configure your account to understand what “business day” means for you.)
  • No debit card? Pay anyway. Enter tips for any employee in your system, even if they haven’t added a debit card yet. Payments are queued and will be issued once the employee adds their card.
  • Cleaner ledger management. If a payment fails, Kickfin will try to deliver payment for 30 days before the payment expires. The funds will only be returned to your account after the payment expires, creating less “noise” in your ledger.
  • Payment notes. Enter notes for the entire payment group and for individuals, so you can give your employees extra visibility.

What’s next

We’re constantly seeking out ways to innovate, optimize and improve our solution. But from day one, we designed Kickfin to be stupid simple for our users, and to work the way your team works. That’s always going to be a very top priority for us — because we know it’s a top priority for you.

If you’re a current Kickfin customer, you’ve already heard from our Customer Success about upgrading your account. And if you’re not a current customer: what are you waiting for?! Get in touch and we’ll give you a personalized tour of the new platform!