Clueless About Card Data Hack, PF Chang's Reverts To Imprinting Devices

wiredmikey writes: After saying earlier this week that it was investigating reports of a data breach related to payment cards used at its locations, P.F. Chang's China Bistro confirmed on Thursday that credit and debit card data has been stolen from some of its restaurants. What's interesting, and somewhat humorous, is that the company said that it has switched over to manual credit card imprinting systems for all of its restaurants located in the continental United States. The popular restaurant chain said that on Tuesday, June 10, the United States Secret Services alerted the company about the incident. Admitting that it does not know the extent or current situation and impact of the attack, the company noted in a statement: "All P.F. Chang's China Bistro branded restaurants in the continental U.S. are using manual credit card imprinting devices to handle our credit and debit card transactions," the company said. "This allows you to use your credit and debit cards safely. If it's not obvious, anyone who has visited a P.F. Chang's and used a payment card in the last several months should monitor their accounts and report any suspected fraudulent activity to their card company.

Never heard of dumpster diving?

Those imprint machines are far from safe. PF Changs should shutter the business until they figure this out.

Re:Never heard of dumpster diving?

[dgatwood]

Doesn't the merchant have to send the imprint to the CC company (who presumably shreds them)? Or do you mean the carbon copy that they give you? Because that's the customer's problem. Also, the newer slips don't imprint the full card number on the copy, IIRC.

Still beta?

Why does Slashdot randomly serve up beta when I hit the site anonymously? Close the browser and hit it again, poof, beta is (usually) gone.

I thought we put this whole beta thing to bed months ago....why this nonsense?

more secure?

So now I can physically steal boxes of credit card numbers with signatures right at the bottom?

My latest discover card doesn't even have numbers to print. It is a blank card

Re:more secure?

> So now I can physically steal boxes of credit card numbers with signatures right at the bottom?

Everybody understands physical security. Store the boxes in a locked closet in the managers office and the the number of people who have access is reduced to a handful of employees - all of which are also subject to our local legal system. Put the data on the network and the number of people who might have access to it is practically the entire internet, the majority of which are outside of US jurisdiction.

Re:more secure?

[plover]

Physically, you can steal one box at a time, perhaps 1000 receipts. And the thief must be physically present, and risk his ass getting caught doing so.

Electronically, you can sit in Odessa, Ukraine, and steal 44 million accounts from every cash register at a major retailer. And the thief risks absolutely nothing, because his government is too busy fighting the Russian separatists who have taken over City Hall.

See the difference?

Re:more secure?

somehow a physical door lock is more safe than layers of access control? i think you are trading one false sense of security for another. both are equally as safe as the other as long as the proper controls are in place.

eg fort knox won't get robbed and neither will bank of america's trading system

Re:more secure?

[LurkerXXX]

When the physical security is breached, the customers at that one store with the rogue employee/thief is affected. When the records are online, you can have all the customers at many/all the stores are affected by a single breach.

What about flat cards?

[Lab+Rat+Jason]

My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch. If you want relief on your card, you have to order it through the mail. So I guess I'm not eating at Chang's tonight

Re:What about flat cards?

[jrmcferren]

THIS is exactly why this isn't a perfect solution! Not only do they have to use ARU which is more costly per transaction, they would have to process it as card not present as they can't imprint on the card. If I had mod points I would mod the parent up.

Re:What about flat cards?

[sribe]

My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch.

Uhmmm, my credit union prints their own cards right in the branch and hands them to you when you open an account. With raised numbers like a normal card. The card printers for making properly-embossed cards are not that expensive.

Re:What about flat cards?

[ArchieBunker]

You're doing yourself a favor by not eating af PF Chang's.

Re:What about flat cards?

[Lab+Rat+Jason]

Are you sure they aren't handing you a pre-made card? If you are opening a new account, they could give you any card (because your card number is not associated with your account number anymore) I agree the equipment isn't that expensive... but printing flat cards with the photo of your choice attracts more customers than embossed cards do. The cost of catering to the masses I'm afraid.

Re:What about flat cards?

Ok so? Unless the parent is the manager of the credit union, he can't just go and resolve that situation can he?

Re:What about flat cards?

Nope. They stock embossed "blank" cards with nothing but that number, and then print the name on it in real-time.

Re:What about flat cards?

[EvilSS]

My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch.

Uhmmm, my credit union prints their own cards right in the branch and hands them to you when you open an account. With raised numbers like a normal card. The card printers for making properly-embossed cards are not that expensive.

Those raised numbers are going away. My credit union recently switched to flat cards from raised cards (raised cards were available instantly as well). Visa/MC wants to do away with imprints because they are a security risk (since they expose the entire card number on the receipt) so they dropped the embossing requirement a while back.

Re:What about flat cards?

[Charliemopps]

My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch. If you want relief on your card, you have to order it through the mail. So I guess I'm not eating at Chang's tonight

My credit card company wont even except carbon printed bills anymore. I'm not sure how this is supposed to work.

Re:What about flat cards?

[sribe]

Are you sure they aren't handing you a pre-made card? If you are opening a new account, they could give you any card (because your card number is not associated with your account number anymore) I agree the equipment isn't that expensive... but printing flat cards with the photo of your choice attracts more customers than embossed cards do. The cost of catering to the masses I'm afraid.

a) My name is embossed on the card.

b) What makes you think they couldn't print a photo on an embossed card?

Re:What about flat cards?

[lag10]

Uhmmm, my credit union prints their own cards right in the branch and hands them to you when you open an account. With raised numbers like a normal card. The card printers for making properly-embossed cards are not that expensive.

That may be the case, but it's a moot point considering that some cards received in the mail (such as Discover IT cards) are now switching to flat printed (unembossed) formats. It's no longer an issue of how expensive embossing machines are.

Here's an article on the subject from MSE Money: http://money.msn.com/credit-cards/4-ways-credit-cards-are-changing

Re:What about flat cards?

[Em+Adespoton]

My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch. If you want relief on your card, you have to order it through the mail. So I guess I'm not eating at Chang's tonight

I was handling non-embossed cards 20 years ago -- you know what we did? WE WROTE THE NUMBERS IN. It's not that hard. And paper copy really is the most secure method -- until the slips go through processing, at which point the physical copies go who knows where, and the information still goes via the internet to a database.

The real reason for doing this is that this kind of processing was their cheapest option that contained minimal merchant liability.

Re:What about flat cards?

Who cares if it's not perfect. It's a workaround why they try to figure out WTF is going on.

Re:What about flat cards?

[whoever57]

which don't have a relief on the printed data... .... So I guess I'm not eating at Chang's tonight

Why not? Just eat there and let PF Chang's sort out the problem that they created. You have a valid means of payment, which the restaurant states that it accepts. Let PF Chang's figure out how to process the card.

Re:What about flat cards?

[onkelonkel]

Cool, you could go get real Chinese food instead of this RedOliveLobsterGarden corporate pale imitation. (Try the Xiao Long Bao)

Re:What about flat cards?

[gstoddart]

b) What makes you think they couldn't print a photo on an embossed card?

I should hope nothing ... I have one it my wallet.

Re:What about flat cards?

[JasonGoatcher]

Why print numbers on the cards at all, just put the relevant information on the card, and if the card can't be swiped then it can't be used. Way more secure, and only a little annoying when the machines won't work. Plus, if a server walks away with your card, their ability to commit fraud against you is vastly reduced.

Oh, and for online transactions, THEN you'd need to know the number, but you could easily store that separately somewhere in your house. That's way more secure than your wallet.

Re:What about flat cards?

That's not your problem. Go to the restaurant, eat your meal, and when it comes time to pay, just hand over the card.

If they can't process it through no fault of your own and you don't have any other means of payment, what are they going to do?

Re:What about flat cards?

[gstoddart]

Why keep using ancient swipe technology?

Chip and PIN is a *much* better system.

Re:What about flat cards?

[reanjr]

The imprint is for convenience only. There's nothing stopping the merchant from just writing in the info in ink pen. This is perfectly valid and will be honored by the card processor. I suppose it MIGHT take a bit more time to get processed if they're using OCR or some such thing, but most likely they hire teams of data entry drones with mad 10-key skills.

Re:What about flat cards?

[Razed+By+TV]

A lot of chinese food isn't real chinese food. It's Americanized chinese food. Though I share your sentiment that Changs and Pei Wei seem to turn the "chinese" food experience into something else, and not in a good way.

Re:What about flat cards?

FYI, the flat card printers are probably Zebra ones about $500-$800 each depending on options. Embossing card printers, last time we bought one, was over $6,000. I don't work for a bank/CU, but we use the printers for a custom loyaltay program.

Its just as easy to print on demand embossed cards as flat cards, it just costs more. I would estimate that only half of credit unions can on demand print cards.

Re:What about flat cards?

[binarylarry]

jrmcferren is not in the sudoers file. This incident will be reported.

Re:What about flat cards?

[NotQuiteReal]

It's coming... Starting in Oct 2015 there will be "incentives" for vendors to have the means to accept them. It will still take a few more years, but it is coming.

Re:What about flat cards?

Yep. PF Chang's and Pei Wei are owned by the same company.

Re:What about flat cards?

[iggymanz]

wrong, your $5 an hour waiter makes 2nd copy of receipt for his friend to buy them both things, it's just 2nd tip.

Re:What about flat cards?

[plover]

wrong, your $5 an hour waiter makes 2nd copy of receipt for his friend to buy them both things, it's just 2nd tip.

Nope. The $5 an hour waiter uses the battery powered skimmer that he has in his pocket, and sells them to Jimmy the Sneak out the back door of the restaurant. Writing the numbers takes too long, and he could get caught.

Re:What about flat cards?

[Ol+Olsoc]

My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch. If you want relief on your card, you have to order it through the mail. So I guess I'm not eating at Chang's tonight

My credit card company wont even except carbon printed bills anymore. I'm not sure how this is supposed to work.

MY credit card company doesn't accept anything. Now that's secure!

Re:What about flat cards?

[dj245]

It's coming... Starting in Oct 2015 there will be "incentives" for vendors to have the means to accept them. It will still take a few more years, but it is coming.

Frankly it amazes me that it is so hard to find a chip and pin card in the USA now. I got a traveler-oriented credit card a couple months ago. When shopping around the chip and pin cards were really nowhere to be found, despite how useful they would be if I were to travel to Europe. It wasn't a feature high on my list though since I primarily travel to Switzerland and Japan, both of which seem to accept the chip less cards.

Re:What about flat cards?

[Ol+Olsoc]

Cool, you could go get real Chinese food instead of this RedOliveLobsterGarden corporate pale imitation. (Try the Xiao Long Bao)

Yeah Chang's is the shits.

...and the glint of a solitary shaft of chromium steel.

Wow, I wonder how many people her will get that one? One of their best.

Re:What about flat cards?

[iggymanz]

nonsense, no need for any tech, copy takes less than ten seconds. friend is the one who gets caught, if anyone gets caught.

Re:What about flat cards?

[Ksevio]

I finally got one with a chip, but it's chip and SIGN, not chip and PIN so that kind of defeats the purpose and makes it useless in other countries.

Re:What about flat cards?

[Sylak]

Chip & sig is being rolled out by some national banks right now. Expect Target to start taking chips soon, and Wal-Mart already does.

Re:What about flat cards?

[Wing_Zero]

We have a fallback manual Credit card machine where i work, used mainly for when the power goes out or the CC machine decides to take a dump (either can happen about twice a year) when the power comes back up, we can either

A) Manually enter the CC# into our cash till (type the cc info into the machine by hand) or
B) call our CC handler and read off the CC# over the phone.

either way, the customer sees it as a normal swipe transaction on their bill. I don't see either way being anything less than worse security than the standard way.

Re:What about flat cards?

[mysidia]

THIS is exactly why this isn't a perfect solution! Not only do they have to use ARU which is more costly per transaction, they would have to process it as card not present as they can't imprint on the card.

They can photograph the card and prove its presence that way.

Re:What about flat cards?

[idommp]

I also have one of the flat, credit union issued debit cards. Not only can it not be imprinted, it plainly states, in bold red letters across the top of the back of the card," FOR ELECTRONIC TRANSACTIONS ONLY". If you don't swipe the card, submit, and get approval at the point and time of purchase, you aren't getting paid.

Re:What about flat cards?

[jrumney]

Chip & sig is being rolled out by some national banks right now.

Chip and sig makes no sense whatsoever. The point of the PIN is that the chip will not divulge its information without a correct PIN being entered.

Re:What about flat cards?

The many of retail stores around here have them( Home Depot, Ralph's, Food 4 Less.) And I just got issued a chip and pin card. (Lost my old card.) The card readers accepts both cards. So you might not realize it's a chip and pin reader too. It has a slot to slide the card into old school, and 2nd one to put the card in for chip and pin. Unfortunately, I don't use that card much so I haven't tried chip and pin, yet.

Re:What about flat cards?

Sorry, I have no desire to eat dog meat, fish entrails, incests, or tiger penis.

Re:What about flat cards?

You need to remember that the entire world is ahead of the usa, when it comes to practical modern solution(it took years for americans to understand that sms>pager, they still have a low spread of chip+pin systems, they still use the imperial measurments(even though every single company doing buisness outside of the us. is using metric for their producion(since the rest of the world does), etc).

It's seems the mentality of "if it wasn't invented here, we don't want it until we can invent the same thing ourselves" if pervasive.

Re:What about flat cards?

[aitikin]

Doesn't matter to the bank. If the customer issues a chargeback, Chang's doesn't have a leg to stand on.

Re:What about flat cards?

[Eugene]

EMV chip cards does way more then just VERIFY the PIN. It can perform card authentication (card can not be counterfeit/hacked), risk management, and cardholder verification.

If I have to guess, those Chip & Sign cards issed in US are usually signature preferring (at least some PIN methods are still availible on the card, but the setting in the card will always prefer signature unless it's not possible) and not signature only cards.

Re:What about flat cards?

[Eugene]

those processing method are card not present transactions, and might be subject to abuse especially if all you use is the imprinting machine. the customer could then dispute that they never use the card at this location...

Re:What about flat cards?

[mysidia]

If the customer issues a chargeback, Chang's doesn't have a leg to stand on.

If the bank doesn't side with the merchant -- photographic evidence is sufficient for any court... Chang's can still manually send the customer a bill, ding their credit score if their meal ticket goes unpaid, and pursue other recourse: they can even add extra expenses to the debt incurred due to the chargeback, and possibly some interest charges and late fees on the debt...

Re:What about flat cards?

get your head out of your ass -where do waiters make $5 hour-national min wage for serving is $2.13 some states and cities have higher wages but I never heard of $5. If you so paranoid about the "little people" ripping you off carry cash douchebag

amd if you just monitor your accounts like any sane person does these days you at most out $50

hell I think even my credit card has zero liability on it
  and to the pf chang haters -yeah itas a amalgam of asian foods dummied down for american tatses -hit their sister chain Pei Wei its much more thai focus and food has lot more flavor and spice and seems to have lot less salt

Re:What about flat cards?

[Chelloveck]

A lot of {regional} food isn't real {regional} food. It's {localized} {regional} food.

You can fill in {regional} with any non-local region. In the US you can say it for Mexican, Thai, Italian, German, Polish... In the northern US you can say it for Southern food, and so on. It's kind of a variant of the "no true Scotsman" argument. No true Chinese person would cook like they do at PF Changs, therefore PF Changs is not true Chinese.

Re:What about flat cards?

I have a chip&sig card from BofA, and it works fine in Europe. The main problem that I see with chip&sig is that some automated kiosks for things like renting a bicycle simply won't work unless the card is chip&pin.

It baffles me why it is that we feel the need to re-invent the wheel and then suffer from weird compatibility problems.

Re:What about flat cards?

[aitikin]

If the customer issues a chargeback, Chang's doesn't have a leg to stand on.

If the bank doesn't side with the merchant -- photographic evidence is sufficient for any court...

Bullshit. I'm in sales, my company's lost chargebacks with "photographic evidence" plenty of times. The bank sides with their client, the customer almost all the time.

Re:What about flat cards?

[coinreturn]

Sorry, I have no desire to eat dog meat, fish entrails, incests, or tiger penis.

This. As a USAian, I like so-called Americanized fare. In many places it is WAY better than the "genuine" places that a bunch of hipster doofuses think are so great for being so genuine.

Non-imprintable Cards

[coop999]

One of my cards was reissued without raised digits on it about 3 years ago, so this plan might not work out so well for them. Also, I wonder how many of the 19 year-olds working there's minds just got blown by the swipe machine and now know why credit cards (used to) have raised digits.

Not Clueless

This response is not necessarily clueless. How much values does the chain derive from electronic processing? If it is less than the cost of securing their systems then going back to paper is a smart tactic.

There are lots of cases where sensitive records are needlessly computerized. For example, I just had a discussion with my local blood bank. They have federal requirements to record your identity in order to track you down if someone finds a problem with your blood. So they put it in a computer and when you ask about security they give you the same line that Target and PF Changs, and Neiman Marcus, and pretty much everybody gives you when you ask - that security is important to them and that they've taken precautions to protect it.

But the thing is, they don't need to computerize my identity. It is one of those write-once, read rarely pieces of data because the number of times they have to find someone because of bad blood is tiny compared to the number of donations they get. They could just write it down and file it in a literal filing cabinet and then give me a donor-id to use when making donations. Let the computers use the donor-id for scheduling and all the other stuff that happens frequently, but in that rare case when they have to actually find out who I really am, an extra 5 minutes to go look in the filing cabinet won't be a burden.

I'm not saying that all sensitive information should only be stored on paper, but I am saying we ought to be asking what info really benefits from being stored electronically and is the benefit really greater than the risks?

Re:Not Clueless

[Fallen+Kell]

5 minutes to look in a filing cabinet? Are you kidding me? Do you know how many people would be in that filing cabinet? Something like 30-60 million, assuming they somehow know when to magically remove the ones who died.

Re:Not Clueless

[Fallen+Kell]

Also, do you know how large that filing cabinet would even be? A cabinet with 18" deep drawers that is 18,182 feet high.

Re:Not Clueless

[Lab+Rat+Jason]

Unfortunately this makes your Identity EASIER to steal... since filing cabinets' auditing systems are easy to bypass, and it's hard to know if the data has been accessed/stolen. The inside job is far too easy with this scenario.

Re:Not Clueless

I disagree because while it may be technically easier to steal paper records from a filing cabinet, the number of people who have theoretical access to that cabinet is many orders of magnitude smaller than the number of people who have theoretical access to a networked computer system. Furthermore, you can automate an attack on networked systems, script-kiddee style. Physical records are not vulnerable to that sort of risk.

And last, but not least, while a theoretically perfect auditing system would give you intrusion detection on a computer, the problem here is that those rarely exist in practice and even when they do they still require interpretation. Target being a perfect example. In the real world, a cut padlock and an empty filing cabinet is a pretty straightforward clue that something was taken.

Re:Not Clueless

> Also, do you know how large that filing cabinet would even be? A cabinet with 18" deep drawers that is 18,182 feet high.

Why do you think there would be just one filing cabinet? How do you think blood banks handled this requirement back in the 90s? Maybe you've never been to a blood bank, but it isn't like they are on the cutting edge of IT.

Re:Not Clueless

Unfortunately this makes your Identity EASIER to steal... since filing cabinets' auditing systems are easy to bypass, and it's hard to know if the data has been accessed/stolen. The inside job is far too easy with this scenario.

Probably not. It probably makes cases of identity theft easier, but instead of getting information on thousands if not millions of people per theft, each case of identity theft would be for only a handful of people.

"Crooked wait staff puts two sheets in the imprint machine for 10 customers" compared to "hacker downloads entire database".

Re:Not Clueless

If you are such a paranoid douche, then why the fuck are you donating blood? You know the gubbermint is really taking your blood and doing a full DNA analysis on it to find the key genome sequence that will grant Obama immortality, so he can declare himself supreme ruler for the next 300 years and enslave the rest of rest of humanity in FEMA camps as part of the Reptoid conspiracy.

No imprint?

[Delarth799]

There are a lot of cards now with don't have the numbers imprinted on them. Am I going to have to manually write out my card information when I go there now because these incompetent people can't be bothered to hire a couple security people and fix the problem instead of making it inconvenient and no more secure for anybody. Also a credit card swipe is pretty much automatically processed, what kind of delay will be on the manual transactions?

Chip & Pin

I heard the USA will finally get proper Chip & Pin cards next year ?

I visited the US recently and discovered the joy of swipe & signature on paper receipts... It really feels like 3rd world technology.

Re:Chip & Pin

[ArchieBunker]

I had the same problem but when using my card in Canada. Some places would read it but most would not. Called the credit card company to bitch and nobody knew what chip and pin was.

Re:Chip & Pin

[EvilSS]

I heard the USA will finally get proper Chip & Pin cards next year ?

I visited the US recently and discovered the joy of swipe & signature on paper receipts... It really feels like 3rd world technology.

Chip yes, PIN... maybe. PIN is not going to be a requirement from the credit card companies in the US, it will be left up to the individual issuing banks whether to include it or not. Supposedly it's to do with "customer acceptance" but really it's some BS around PIN payment processing vs regular CC processing networks and fees and how the new Chip & PIN transactions would be handled.

Re:Chip & Pin

[farble1670]

it's looking like chip & signature, not PIN. CC companies are worried that people will not remember their PIN and therefore spend less.

Re:Chip & Pin

[whoever57]

Some places would read it but most would not.

I have been dealing with this in the UK for some time now. The card readers do actually have a slot for swiping cards -- it's just that the slot (on the side of the card reader) is so narrow that the cashiers don't know you can swipe a card through there.

On my last trip, I used my new Citibank chip and signature card and that seemed to work OK, although there were some surprised cashiers as the signature slip printed out.

Re:Chip & Pin

[reanjr]

Signatures are typically only for larger purchases. When you buy a pack of gum with a credit card, you almost never have to supply a signature. Also, in the US we buy packs of gum with credit cards, which is not really easy to do a lot of places outside of the US, with minimum purchases requirements.

Re:Chip & Pin

[ArchieBunker]

The ATMs give an error about my banking institution declining the transaction. Called card services a number of times and they claim no problems and don't see anything being declined. One certain ATM seems to work while most don't. Gas stations seem to read the card alright but then the grocery store couldn't. My bank's VISA card has more problems than my Mastercard. Seriously what the fuck?

Re:Chip & Pin

And next will be RFID, because it turns out that Chip and PIIN takes too long to process and is too annoying for customers for small purchases. This is exactly the progression that happened in Canada. Now we're stuck with RFID enabled on most or all CCs. So has the security increased overall? I doubt it.

Re:Chip & Pin

America is technologically 20 years behind Europe, except for American banks, which seem to be 40 years behind.

Re:Chip & Pin

I cannot remember my signature. I seldom use it and I seem to have three different ones and cannot remember which one I used where.

Re:Chip & Pin

[aitikin]

Minimum purchase requirements are against the agreement the organization has with the credit card company* (in the US) which is why you can pay for a pack of gum with a credit card.

*Mind you, you'll still see plenty of smaller stores putting a minimum on purchases with CCs. They pay a larger transaction fee than big chains typically.

Re:Chip & Pin

[Richard_at_work]

When a vendor accepts a transaction via anything other than chip and pin, they take on significantly more responsibility for that transaction, and thus many vendors simply choose to decline those transactions.

Now That's Amusing

[vomitology]

A company that didn't know it was breached, doesn't know the extent of the breach, and who's answer to the breach is to revert to 40-year old tech using the phrase "If it's not obvious..."

Illegal

its illegal to use those devices in California. I thought the whole reason those were phased out was because they actually facilitated card theft...

Re:Illegal

[Isara]

they're not illegal in California, just antiquated. they were phased out because they're not as convenient and the security on them is minimal to non-existent.

Imprint is still allowed?

[Cmdr-Absurd]

I was under the impression (no pun intended) that the old-school imprint technique was declared unacceptable (in the PCI-DSS rules) a few years back.
Perhaps the rules for securing the imprints were just so cumbersome that it made using them completely impractical. I can't imagine fast food joints maintaining the physical security required for this.

Re:Imprint is still allowed?

[dave562]

I was thinking something similar. Now instead of having a bunch of numbers easily accessible to thieves in a compromised POS system, they are simply going to be discarding a bunch of imprints covered in Chinese food waste.

Re:Imprint is still allowed?

You're impression is wrong. The security codes (ex. CVV2), PINS, data on mag strip, etc... can not be stored ever. Name, card number and expiration can still be stored as long as it's protected following specific security requirements.

Re:Imprint is still allowed?

[mirix]

I haven't seen the desk-type imprint machine in ages. Must be 20 years, maybe 10 - 15 years in backwater areas.

Though the last time I got my car towed, the driver had some sort of miniature impression rig. Which still makes sense, if you're out of range of network and whatnot...

Also in Cuba, they had one down there. Which sorta makes sense too.

Re:Imprint is still allowed?

[nolife]

A lot of taxi drivers still do the old school impression method.

Re:Imprint is still allowed?

[Cmdr-Absurd]

A bit of googling does suggest that imprints can be still used. Still, I can't imagine the security requirements being met in a fast food environment.

Re:Imprint is still allowed?

[hurfy]

nope, we still use one for two weeks at the fairgrounds. No, I don't want to buy a smartphone and a data plan for 10 days a year. If you can't manage to not lose a handful of reciepts how the heck would a business deal with cash?

I imagine they figured the loses from bad cards were acceptable given the circumstances. I can't see them imprinting and immediately running the card. In that case a dial-up swipe terminal makes more sense.

They probably aren't processing the cards at all yet. Otherwise they key them into a dial-up terminal, in which case swipe makes more sense, or key them into the insecure system by hand??? Little tougher on the cash flow but few people get upset if not billed right now ;)

The local grocery stores brought in a dial-up swipe terminal when they had the same issue. You only had one lane at the customer service counter for cards for a week!

Re:Imprint is still allowed?

Stores still use them when the power goes out or if there's a problem with the processing system. It's better than telling people, sorry you can't buy anything right now. Wait around for an hour and maybe it'll work.

Paper is more reliable than electronics.

Re:Imprint is still allowed?

[Cmdr-Absurd]

I once went to a Staples to buy a ream of paper. Their computers were down. So they decided to close the store. Said they couldn't sell anything. Apparently, they couldn't locate any office supplies that would have allowed them to write up a sale.

Secure against Cylons

[chiefcrash]

You'll see things here that look odd, even antiquated to modern eyes, like phones with cords, awkward manual valves, computers that, well, barely deserve the name. It was all designed to operate against an enemy who could infiltrate and disrupt even the most basic computer systems. Galactica is a reminder of a time when we were so frightened by our enemies that we literally looked backward for protection...

Never store sensitive data you don't need.

[hey!]

Back in the 80s I worked for a company that did back office accounting systems. Then I moved to a large non-profit and was in charge of both back office and customer facing systems. This was when the Internet was for non-commercial traffic only, so "customer facing" meant a live operator at a dumb terminal hooked up to a minicomputer.

My new employer wanted me to develop a system that would among other things take credit cards from donors and volunteers. I was pretty confident on the technical end of things, but I wasn't sure about handing the financial data. So I called in a CPA friend I'd met at my prior job, and he looked over a the design documentation for the system to make sure everything was kosher.

"You can't store credit card information in the database," he said.

"Why not?"

"Because it's insecure," he said.

"But it's convenient," I said.

"That's the problem," he said. "Look, any of the operators will be able to look up credit card information on any donor. Some of these donors are rich. You'd be able to go on one hell of a shopping spree with just one of their credit cards."

"What if I make it harder to look up the data?"

"Then it's not convenient anymore," he said. "Look, you don't actually have a use for this data once you've processed the credit card transactions. And while you're keeping it around in case you might someday have a use for it, it leaves you wide open to theft. It'd be a disaster; customers won't do business with you because your reputation will be in the toilet. Get rid of it. Get it out of the database, any logs you have, and make sure it's not in any backup tapes."

And when I thought about it I realized he was right. There was no point in exposing my employer to risk for no real benefit. That's when I learned an important principle of security: don't hold onto sensitive data that you don't actually have a use for. I suppose you could generalize: don't keep sensitive data on any system where there is no compelling need to store it there.

Things have changed now; storing credit card data has come to be regarded as routine in the post-1 click, impulse buy Internet world. But even though it is the *norm*, that doesn't mean you should automatically do it. There's actually a use in a web store for storing credit card data which offsets the risk (which you should still minimize). There's no reason for a restaurant to store credit card information -- that's just blind habit. Waiter takes the customer credit card, runs the transaction, and hands the card back to the customer, and then restaurant no longer has the data. You can't lose what you don't have.

Of course in this case it's probably not P.F. Chang's fault. They bought a POS system which left them open. It probably is all slick and really very helpful at keeping things moving, like maybe taking the customers card at the table. It'd be interesting to know how the POS system vendor screwed this up, because clearly they did.

There is no encryption or security architecture that beats not having the data.

Re:Never store sensitive data you don't need.

[gigne]

"Things have changed now; storing credit card data has come to be regarded as routine in the post-1 click, impulse buy Internet world."

Having intefgrated with several payment processing systems, I can tell you no one stores credit card information any more. At least in Europe. PCI-DSS regulations are very clear on this.

What we have now is a token we can use. The token is returned after a payment is made. You can keep this token int he DB to allow repeat purchases. This is similar to storing the credit card, but you can only re-use that token with the single payment processor company and give the original payee that money.

Pretty much useless for a criminal.

The liability for leaking a cc number is now with the payment processor, and they are generally held to a higher security standard than your average chinese retaurant chain.

Re:Never store sensitive data you don't need.

[farble1670]

"You can't store credit card information in the database," he said.

if you didn't know the answer to that, you really should not be writing such software.

Re:Never store sensitive data you don't need.

[farble1670]

"Then it's not convenient anymore," he said. "Look, you don't actually have a use for this data once you've processed the credit card transactions.

your software should never even have the data at all. it should be coming off a card read encrypted and going straight to the payment processor in that fashion. if you ever keep unencrypted card data around, even if it's only in the memory of your device, it's trouble (that's how target got hit ... something was scanning their memory for things that looked like credit card data).

and there's a lot more to it than that, not the least of which is ensuring that the hardware itself cannot be tampered with / hacked to access the CC data prior to it being encrypted.

taking payments is a dangerous business. if you are small time it's safer to accept paypal for some other payment method that doesn't involve you handling customers' data.

Re:Never store sensitive data you don't need.

if you didn't know the answer to that, you really should not be writing such software.

GP knew to call someone in who was more knowledgable. If you didn't know to do that, then you really shouldn't be doing jack shit.

Re:Never store sensitive data you don't need.

[stinerman]

I've worked with payment processing here in the States. You can store the number and the expiration date but not the CVV2. Of course, no CVV2 means higher processing fees, which means customers will ask for ways of storing the CVV2. We tell them that makes them non-compliant and they don't really care. They just want lower processing fees and pay lip service to compliance.

Re:Never store sensitive data you don't need.

Maybe you should go back to the 80s and tell him that. Thanks for adding exactly nothing to this discussion.

Re:Never store sensitive data you don't need.

[grep+-v+'.*'+*]

There is no encryption or security architecture that beats not having the data.

YES! I agree completely, because sometimes you just don't have the data.
--Your Friendly IRS branch audit store. Stop by and we'll check each other out!

After Non-Profit Application Furor, IRS Says It's Lost 2 Years Of Lois Lerner's emails

One. Two. Three.

Re:Never store sensitive data you don't need.

[hey!]

These were telemarketing operators who didn't have physical access to the credit card. Anyway, back in those days the data wasn't encrypted yet. So I fear I have led you to squander an insightful comment.

It's easy for an old timer to forget that people under the age of 40 have never ordered anything over the phone. At the time I'm talking about, the web was years in the future, and it was illegal to conduct commerce over the Internet (which we called "the ARPANet"). Most businesses ran entirely on paper, and most people had never seen a computer in person. Usually in the movies or TV they'd use a 7 track tape drive as the prop "computer", although those were obsolete even then.

So believe it or not, back then it was common to call a vendor on a phone, verbally tell him what you want, and then read off your credit card number and expiration date. This was simply the way you bought things if you weren't shopping at a bricks-and-mortar store (which we called "a store"). Nobody was worried about "identity theft" because thieves still dealt mainly in cash and transportable valuables and crooks were only just then cottoning on to the value of information.

You could also buy stuff by writing a letter to a vendor listing what you wanted and enclosing a check or money order (which was a check you got at the post office in exchange for cash and and extra nickel). Six to eight weeks later your stuff would arrive. For some reason it was always "six to eight weeks". That's how we used to buy stuff like propeller beanies and x-ray specs from poorly printed ads in the back of comics. The x-ray specs were a bust; all they'd do is make girls think you were creepy, which was actually kind of the point. You could also send away for itching powder and books of allegedly comical retorts you were supposed to use if somebody said something that made you feel bad and you couldn't think of anything original. "May the fleas of a thousand camels infest your armpits." That material killed -- usually the kid who tried to use it.

It was a simpler time. Kids couldn't get access to porn (which we called "dirty pictures") because they kept it on a shelf higher than we could reach. You had to know to sneak into the firehouse when the men were out on an alarm. We didn't have gaming consoles so we had to make our own fun. We'd go out in the healthy fresh air and throw rocks at each other. That was our version of a "first person shooter". Sometimes to fill up the time we'd have fist fights with kids who were a different race or religion from us. Or from the other end of the street. Or were just there. Believe me it kept you on your toes when you were walking home at night! But it wasn't hateful, it was just something to do when you don't have "Grand Theft Auto" to keep you distracted. The next day we'd be having a pickup baseball game (no adult supervision for *us*) down at the sandlot with the very same kids we'd just fought. We'd laugh, exchange insults, and swipe the other guys equipment when he wasn't looking, just as if nothing happened.

And I swear, every word I've written here is true.

Re:Never store sensitive data you don't need.

Fascinating, I love hearing stories like this. I wish I could have experienced what it was like to live back then.

Re:Never store sensitive data you don't need.

[s0nicfreak]

I think you may be confusing your times; by the 80s kids had Atari 2600s and Apple IIs.

Re:Never store sensitive data you don't need.

[hey!]

Very few kids. And most of those didn't have modems. Adults often did, and they could buy things on CompuServe or AOL dialup, at 1200 baud. Not many people did, and those who did so did it more for the novelty value.

But I did slip from 1986 to 1967 in my reminiscing. It was the comic book thing. My dad had restaurant next to a convenience store and I used to buy my comic books there.

Cash ...

[jamesl]

... is King.

So then what?

[istartedi]

Nobody handles cards like that anymore. So. Let's put an ad on Craigslist in the "gigs" section. Then we can have some guy who says he has a work permit (honestly) drive them over to his mama's house on the East side of town. He'll scan them with her XP machine so they can get onto the network.

Criminal System

[Tokolosh]

Credit cards are a ponzi scheme, are not backed by any hard currency, cannot be used to pay taxes and are only used by drug dealers and money launderers. Oh, wait....

Re:Criminal System

[stinerman]

Of course they can be used to pay taxes. I paid the balance of my federal income tax using a credit card.

Yes, I know...

Re:Criminal System

I suspect you actually paid a third party who charged you an upcharge (processing fee) who then paid real money on your behalf to the Federal government. Assuming you're in the U.S., anyway.

Here we go again

All these breach reports create a fascinating story to me.

It's kind of like the old Bill Gates drop test. How large an amount of money would Bill have to accidently drop to be worth his time to lean down and pick it back up?

Solutions like 3C could be rolled out very quickly and very inexpensively to eliminate credit card fraud. 3C can work with existing equipment so no new hardware is required in most cases. It would actually be easier than rolling out imprinting devices. And much more secure.

Chip-and-pin could be rolled out less quickly and at a higher cost, and not quite as secure, but could still be done relatively quickly if there was the will to do it. Again, chip-an-pin would be less work that rolling out imprinting devices, and would be much more secure.

Re:Here we go again

[coolsnowmen]

Again, chip-an-pin would be less work that rolling out imprinting devices, and would be much more secure.

Except not by PFChangs. The whole point is to be able to get money from customers, but, PF Changs's US customers don't have a CC with chip&pin. It has to come from the credit card companies.

Manual imprinting, aka...

[wonkey_monkey]

...the clunk-a-chunk machine.

I know retro is in, but this is going too far.

Wait, what?

[gstoddart]

How the heck does old fashioned imprinting help me to use a debit card?

Do these people actually not understand any of this technology?

Re:Wait, what?

[hurfy]

Imprinting implies they are not billing the card immediately at all.

Not billing your debit card at the moment is only slightly more risky than real CC. They are more likely concerned with image and customer satisfaction atm.

Re:Wait, what?

[gstoddart]

Obviously, because it's paper. Which is not immediate.

But, I didn't think you could do a debit transaction with just an imprint. How do you know which account? You certainly don't have my PIN.

I'm skeptical this would even work. I've never heard of doing a debit transaction with an imprint ... it may exist, but that would surprise me.

Re:Wait, what?

Most debit cards have a Visa or Mastercard logo on them.

When they are presented for payment at a restaurant, the server swipes the card and enters the amount of the bill. The bank verifies that there is enough money in the account. A receipt is printed. The receipt is given to the customer to add gratuity and signature. The server enters the full amount, including tip, in the POS system. The transaction is processed as credit through Visa or Mastercard. The amount is debited to your account, though is sometimes takes a day or two to clear. In most cases it's pretty much instantaneous.

In the case of taking an imprint, the transaction is still processed as credit, though I'm not sure how they verify that there are sufficient funds. Perhaps a phone call to the number on the back of the card. That's the way we did it back when I used imprint machines.

Re:Wait, what?

[Lehk228]

most debit cards can be run as credit, if you have a usage limit on debit pin transactions you likely do not have a limit on debit/credit transactions, they are not processed instantly so you have to be smart about not spending all your money

Re:Wait, what?

what it means is the business RUNS THE RISK YOU WONT HAVE FUNDS WHEN THEY RUN THE CARD -i SUSPECT THE MANAGERS AT cHANG WILL BE MANUALLY entering your cc numbers in the office not ACTUALLY TURNING IN MANUAL slips to their cc processor

now this does mean you could have a delay in when the charges hit your account setting you up for the old over draft game banks used to pull by refusing to link up their atms with other banks atms and eeven their own where atm says balance avail is $200 BUT IT DOESNT account for the $100 you spent at walmart 3 days ago

Re:Wait, what?

[mysidia]

Obviously, because it's paper. Which is not immediate.

But, I didn't think you could do a debit transaction with just an imprint.

It's probably not just paper. The debit card probably has a MC/Visa logo. Mastercard/Visa/Discover have or had an "authorization call center". If the magnetic stripe on a card won't work; there's a phone number the merchant is to call in. Give their merchant account number verbally; give the Credit card number, expiration date, flip the card over, and read off the 7-digit number on the signature panel.

The authorization center will then verify the transaction is authorized, and reply with an "authorization id" that the cashier is to write on the sales form.

They will then take an imprint of the front of the card, to prove that it was present at the time of sale.

It's written in by hand

[SuperBanana]

The slip's form fields align with a credit card, but that doesn't mean the waitstaff can't write it in by hand. Impressions just made it faster, and gave some limited proof of "card presence."

Also, why would you eat at PF Changs? PF Chang's is for people too afraid (to be polite) to step into the local Asian restaurants. It's overpriced low-to-mid-tier produce/meat with a sauce that came out of a can. If you're lucky, that can says "PF Changs teriyaki sauce", not "Sysco teriyaki sauce."

I once ate there and the waiter actually felt it necessary to tell us that "soy sauce is like salt for chinese food."

Stop eating at chain restaurants. They suck - the food's bad, they run the local non-chains out of business - and they prey upon people who want bland consistency. Live a little. Support the local economy. Etc.

Re:It's written in by hand

The slip's form fields align with a credit card, but that doesn't mean the waitstaff can't write it in by hand. Impressions just made it faster, and gave some limited proof of "card presence."

Also, why would you eat at PF Changs? PF Chang's is for people too afraid (to be polite) to step into the local Asian restaurants. It's overpriced low-to-mid-tier produce/meat with a sauce that came out of a can. If you're lucky, that can says "PF Changs teriyaki sauce", not "Sysco teriyaki sauce."

I once ate there and the waiter actually felt it necessary to tell us that "soy sauce is like salt for chinese food."

Stop eating at chain restaurants. They suck - the food's bad, they run the local non-chains out of business - and they prey upon people who want bland consistency. Live a little. Support the local economy. Etc.

I have to say that my waiter at PF Changs in Boston commented that soy sauce was like liquid salt. This was a totally unprovoked comment as I knew what soy sauce was and hadn't inquired about it. He also said that everything tastes the same because everything is fried in oyster oil. When I ordered a shot of bourbon before my meal, he said PF Changs wouldn't sell me a shot for any amount of money, but I could have it on the rocks. I also feel it is necessary to state that this was over 10 years ago, and my only visit to PF Changs.... and sorry for the unrelated comment.

Re:It's written in by hand

I live down in South Florida. Apart from a nice little hole-in-the-wall Thai place that changed ownership so it completely blows now (cook was the old owner's husband or something, my family was decent friends with the owner), I haven't actually been able to get any good asian food down here apart from PF Changs.

cute things: take home some PF Changs and reheat it in any way
it will taste exactly like every other Chinese restaurant's food

Probably the only actually great thing I've had there is the Mongolian Beef. That's honestly really great. If I hadn't ordered that the first time I went there, I'd have never gone back -- nothing else I've had is really worth the price, even if it's "okay".

I've also never had the waiter tell me shit like "soy sauce is like salt", but hey.

Re:It's written in by hand

[KingOfBLASH]

THIS!

REAL restaurants tend to be cheaper, and of better quality. You're smoking crack if you'd rather go to PF Changs.

Re:It's written in by hand

[DNS-and-BIND]

People eat at PF Chang's because they want American Chinese food. Real Chinese restaurants serve dishes that nobody's ever heard of. Moreover, before you go into a PF Chang's, you know exactly what you're going to get. The local place...it's a coin toss. For the record, I hate PF Chang's and would never voluntarily eat there.

I will never understand people who get discombobulated by the fact that other people don't agree with their choices. "Prey upon people" WTF?

Re:It's written in by hand

[Lehk228]

> Moreover, before you go into a PF Chang's, you know exactly what you're going to get.

knowing in advance that it's going to be shit, does not make it less shitty

Re:It's written in by hand

P.F. Chang's is a godsend for people with celiac disease.

They are very aware of what gluten is and how dangerous it is for celiacs. They have a special section of the menu for gluten-free dishes, and the kitchen uses a separate preparation area and separate dishes and plates for gluten-free dishes to prevent cross-contamination.

I suppose if you don't have celiac or have a friend or relative who does, it's understandable that you might not be aware of the issues involved, but things are a little more complex than your "just live a little" attitude.

Re:It's written in by hand

[steelfood]

While I mostly agree with you, there is a market that P.F. Changs is filling that many local places cannot. Unless you're living in an area that has a good sized Chinese population, most "real" chinese food places serve items like fried chicken and egg drop soup. The rest of the menu is probably going to suck just as bad or worse.

High end Chinese restaurants is hard to do, mostly because the majority of Americans (to no fault of their own) have long since associated Chinese food with cheap, and the "high end" Chinese food in the U.S. just doesn't cut it quality-wise for the local Chinese population (especially compared to what's found in Hong Kong or even Vancouver or Toronto) for that price. My point being, there really aren't many places that can support a decent local Chinese restaurant. But where they are present, they're certainly preferable food-wise to P.F. Changs.

As for why Chinese people haven't started a chain like P.F. Changs already (that serves more authentic Chinese food, say), well, that's largely a cultural thing that would require several books to explain. The closest thing to that is Panda Express, and we all know what types of food they serve.

And gone

[phorm]

Cash, when stolen, is gone. I'd rather not go back to the days of carrying a a hundred bucks or more in my wallet when going out for the night, walking back to my car in a dimly lit street surrounded by sketchy/drunk people.

Somebody steals my card - or card info - I cancel the card. It's done. I owe no debts so long as I watch my charges and report if something goes wrong

Somebody steals my wallet with my card. I cancel the card. It's done. I owe no debts so long as I report the card stolen

Somebody steal my cash.... the cash is gone, and I'm not getting it back.

Swipe is still used in UK for 'more verification'

Actually the swipe is used sometimes - for example, I had had a problem with my credit card where automatic security checks kicked in (I made a large purchase overseas) and so had to call the credit card company for verification, which is fair enough. Inconvenient but the service of verification was painless, quick and the person at the other end was very polite and efficient.

However the next day - back at home in the UK - when I went to the local supermarket to get a big grocery shop I put in the PIN and after the cashier looked at her register, swiped the card and then asked me to sign the resulting receipt for her to check.

It was that I had had a 'flag' on my card (from the day before) and they were doing a second verification.

Also, I believe that the swipe on those hand held verification machines can also be used when signal is out to the credit card company as a last resort.

But don't knock the manual carbon copy method. I wouldn't have my gerogeous hand mad rug from a souk in Egypt were it not for that. Of course I am not going to use my debit card in those cases and the credit card company can call me at any time (as could the store owner of that souk) if the transaction was blocked.

That actually was a glimpse of a the nicer, trusting side of humanity. Thank you Mr store owner in that Souk in Egypt.

Get a concealed weapon permit

If you've got a clean record, it's not that tough to get one & it works in situations like that like a charm.I live in a neighborhood that's starting to "downhill slide" like that - that was MY "fix", amongst other things (it works).

more insecure

this is actually more insecure. having your name and credit card number on 3 pieces of paper ( the copies of imprint) floating around for years to come. whether it is in the office or the basement of the restaurant. blowing around in the wind by the dumpster when they dispose of it etc...

can you imagine how quickly a thief/employee could note your 3 digit code from the back when doing the transaction? then google your name and address.

Dumpster Diving

[bkcallahan]

So all you have to do is get the carbons from the trash now for those, like back in the 80s??

Re:Dumpster Diving

actually those carbons are part of your daily receipts which by federal law have to be available to IRS for review for 7 yrs states might have longer time requirements-most places have daily envelopes they seal then through in a box for each month

It's $9.32 in Washington

Washington State Minimum Wage Law applies to wait staff and the current minimum wage in Washington is $9.32 an hour.