Slashdot Mirror

← Back to Stories (view on slashdot.org)

Clueless About Card Data Hack, PF Chang's Reverts To Imprinting Devices

Posted by Soulskill on from the 40-year-old-technology-will-save-us dept.

wiredmikey writes: After saying earlier this week that it was investigating reports of a data breach related to payment cards used at its locations, P.F. Chang's China Bistro confirmed on Thursday that credit and debit card data has been stolen from some of its restaurants. What's interesting, and somewhat humorous, is that the company said that it has switched over to manual credit card imprinting systems for all of its restaurants located in the continental United States. The popular restaurant chain said that on Tuesday, June 10, the United States Secret Services alerted the company about the incident. Admitting that it does not know the extent or current situation and impact of the attack, the company noted in a statement: "All P.F. Chang's China Bistro branded restaurants in the continental U.S. are using manual credit card imprinting devices to handle our credit and debit card transactions," the company said. "This allows you to use your credit and debit cards safely. If it's not obvious, anyone who has visited a P.F. Chang's and used a payment card in the last several months should monitor their accounts and report any suspected fraudulent activity to their card company.

91 of 142 comments (clear)

  1. What about flat cards? by Lab+Rat+Jason · · Score: 5, Informative

    My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch. If you want relief on your card, you have to order it through the mail. So I guess I'm not eating at Chang's tonight

    --
    Which has more power: the hammer, or the anvil?
    1. Re:What about flat cards? by sribe · · Score: 1, Informative

      My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch.

      Uhmmm, my credit union prints their own cards right in the branch and hands them to you when you open an account. With raised numbers like a normal card. The card printers for making properly-embossed cards are not that expensive.

    2. Re:What about flat cards? by ArchieBunker · · Score: 2, Informative

      You're doing yourself a favor by not eating af PF Chang's.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    3. Re:What about flat cards? by Lab+Rat+Jason · · Score: 1

      Are you sure they aren't handing you a pre-made card? If you are opening a new account, they could give you any card (because your card number is not associated with your account number anymore) I agree the equipment isn't that expensive... but printing flat cards with the photo of your choice attracts more customers than embossed cards do. The cost of catering to the masses I'm afraid.

      --
      Which has more power: the hammer, or the anvil?
    4. Re:What about flat cards? by EvilSS · · Score: 2

      My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch.

      Uhmmm, my credit union prints their own cards right in the branch and hands them to you when you open an account. With raised numbers like a normal card. The card printers for making properly-embossed cards are not that expensive.

      Those raised numbers are going away. My credit union recently switched to flat cards from raised cards (raised cards were available instantly as well). Visa/MC wants to do away with imprints because they are a security risk (since they expose the entire card number on the receipt) so they dropped the embossing requirement a while back.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    5. Re:What about flat cards? by Charliemopps · · Score: 1

      My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch. If you want relief on your card, you have to order it through the mail. So I guess I'm not eating at Chang's tonight

      My credit card company wont even except carbon printed bills anymore. I'm not sure how this is supposed to work.

    6. Re:What about flat cards? by sribe · · Score: 1

      Are you sure they aren't handing you a pre-made card? If you are opening a new account, they could give you any card (because your card number is not associated with your account number anymore) I agree the equipment isn't that expensive... but printing flat cards with the photo of your choice attracts more customers than embossed cards do. The cost of catering to the masses I'm afraid.

      a) My name is embossed on the card.

      b) What makes you think they couldn't print a photo on an embossed card?

    7. Re:What about flat cards? by lag10 · · Score: 1

      Uhmmm, my credit union prints their own cards right in the branch and hands them to you when you open an account. With raised numbers like a normal card. The card printers for making properly-embossed cards are not that expensive.

      That may be the case, but it's a moot point considering that some cards received in the mail (such as Discover IT cards) are now switching to flat printed (unembossed) formats. It's no longer an issue of how expensive embossing machines are.

      Here's an article on the subject from MSE Money: http://money.msn.com/credit-cards/4-ways-credit-cards-are-changing

    8. Re:What about flat cards? by Em+Adespoton · · Score: 1

      My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch. If you want relief on your card, you have to order it through the mail. So I guess I'm not eating at Chang's tonight

      I was handling non-embossed cards 20 years ago -- you know what we did? WE WROTE THE NUMBERS IN. It's not that hard. And paper copy really is the most secure method -- until the slips go through processing, at which point the physical copies go who knows where, and the information still goes via the internet to a database.

      The real reason for doing this is that this kind of processing was their cheapest option that contained minimal merchant liability.

    9. Re:What about flat cards? by whoever57 · · Score: 1

      which don't have a relief on the printed data... .... So I guess I'm not eating at Chang's tonight

      Why not? Just eat there and let PF Chang's sort out the problem that they created. You have a valid means of payment, which the restaurant states that it accepts. Let PF Chang's figure out how to process the card.

      --
      The real "Libtards" are the Libertarians!
    10. Re:What about flat cards? by onkelonkel · · Score: 1

      Cool, you could go get real Chinese food instead of this RedOliveLobsterGarden corporate pale imitation. (Try the Xiao Long Bao)

      --
      None of them can see the clouds; The polished wings don't care.
    11. Re:What about flat cards? by gstoddart · · Score: 1

      b) What makes you think they couldn't print a photo on an embossed card?

      I should hope nothing ... I have one it my wallet.

      --
      Lost at C:>. Found at C.
    12. Re:What about flat cards? by gstoddart · · Score: 4, Insightful

      Why keep using ancient swipe technology?

      Chip and PIN is a *much* better system.

      --
      Lost at C:>. Found at C.
    13. Re:What about flat cards? by reanjr · · Score: 1

      The imprint is for convenience only. There's nothing stopping the merchant from just writing in the info in ink pen. This is perfectly valid and will be honored by the card processor. I suppose it MIGHT take a bit more time to get processed if they're using OCR or some such thing, but most likely they hire teams of data entry drones with mad 10-key skills.

    14. Re:What about flat cards? by Razed+By+TV · · Score: 2

      A lot of chinese food isn't real chinese food. It's Americanized chinese food. Though I share your sentiment that Changs and Pei Wei seem to turn the "chinese" food experience into something else, and not in a good way.

    15. Re:What about flat cards? by NotQuiteReal · · Score: 2

      It's coming... Starting in Oct 2015 there will be "incentives" for vendors to have the means to accept them. It will still take a few more years, but it is coming.

      --
      This issue is a bit more complicated than you think.
    16. Re:What about flat cards? by iggymanz · · Score: 1

      wrong, your $5 an hour waiter makes 2nd copy of receipt for his friend to buy them both things, it's just 2nd tip.

    17. Re:What about flat cards? by plover · · Score: 1

      wrong, your $5 an hour waiter makes 2nd copy of receipt for his friend to buy them both things, it's just 2nd tip.

      Nope. The $5 an hour waiter uses the battery powered skimmer that he has in his pocket, and sells them to Jimmy the Sneak out the back door of the restaurant. Writing the numbers takes too long, and he could get caught.

      --
      John
    18. Re:What about flat cards? by Ol+Olsoc · · Score: 1

      My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch. If you want relief on your card, you have to order it through the mail. So I guess I'm not eating at Chang's tonight

      My credit card company wont even except carbon printed bills anymore. I'm not sure how this is supposed to work.

      MY credit card company doesn't accept anything. Now that's secure!

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    19. Re:What about flat cards? by dj245 · · Score: 1

      It's coming... Starting in Oct 2015 there will be "incentives" for vendors to have the means to accept them. It will still take a few more years, but it is coming.

      Frankly it amazes me that it is so hard to find a chip and pin card in the USA now. I got a traveler-oriented credit card a couple months ago. When shopping around the chip and pin cards were really nowhere to be found, despite how useful they would be if I were to travel to Europe. It wasn't a feature high on my list though since I primarily travel to Switzerland and Japan, both of which seem to accept the chip less cards.

      --
      Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
    20. Re:What about flat cards? by Ol+Olsoc · · Score: 1

      Cool, you could go get real Chinese food instead of this RedOliveLobsterGarden corporate pale imitation. (Try the Xiao Long Bao)

      Yeah Chang's is the shits.

      ...and the glint of a solitary shaft of chromium steel.

      Wow, I wonder how many people her will get that one? One of their best.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    21. Re:What about flat cards? by iggymanz · · Score: 1

      nonsense, no need for any tech, copy takes less than ten seconds. friend is the one who gets caught, if anyone gets caught.

    22. Re:What about flat cards? by Ksevio · · Score: 1

      I finally got one with a chip, but it's chip and SIGN, not chip and PIN so that kind of defeats the purpose and makes it useless in other countries.

    23. Re:What about flat cards? by Sylak · · Score: 2

      Chip & sig is being rolled out by some national banks right now. Expect Target to start taking chips soon, and Wal-Mart already does.

    24. Re:What about flat cards? by Wing_Zero · · Score: 1

      We have a fallback manual Credit card machine where i work, used mainly for when the power goes out or the CC machine decides to take a dump (either can happen about twice a year) when the power comes back up, we can either

      A) Manually enter the CC# into our cash till (type the cc info into the machine by hand) or
      B) call our CC handler and read off the CC# over the phone.

      either way, the customer sees it as a normal swipe transaction on their bill. I don't see either way being anything less than worse security than the standard way.

    25. Re:What about flat cards? by mysidia · · Score: 1

      THIS is exactly why this isn't a perfect solution! Not only do they have to use ARU which is more costly per transaction, they would have to process it as card not present as they can't imprint on the card.

      They can photograph the card and prove its presence that way.

    26. Re:What about flat cards? by idommp · · Score: 1

      I also have one of the flat, credit union issued debit cards. Not only can it not be imprinted, it plainly states, in bold red letters across the top of the back of the card," FOR ELECTRONIC TRANSACTIONS ONLY". If you don't swipe the card, submit, and get approval at the point and time of purchase, you aren't getting paid.

    27. Re:What about flat cards? by jrumney · · Score: 1

      Chip & sig is being rolled out by some national banks right now.

      Chip and sig makes no sense whatsoever. The point of the PIN is that the chip will not divulge its information without a correct PIN being entered.

    28. Re:What about flat cards? by aitikin · · Score: 1

      Doesn't matter to the bank. If the customer issues a chargeback, Chang's doesn't have a leg to stand on.

      --
      "Don't meddle in the affairs of a patent dragon, for thou art tasty and good with ketchup." ~ohcrapitssteve
    29. Re:What about flat cards? by Eugene · · Score: 1

      EMV chip cards does way more then just VERIFY the PIN. It can perform card authentication (card can not be counterfeit/hacked), risk management, and cardholder verification.

      If I have to guess, those Chip & Sign cards issed in US are usually signature preferring (at least some PIN methods are still availible on the card, but the setting in the card will always prefer signature unless it's not possible) and not signature only cards.

    30. Re:What about flat cards? by Eugene · · Score: 1

      those processing method are card not present transactions, and might be subject to abuse especially if all you use is the imprinting machine. the customer could then dispute that they never use the card at this location...

    31. Re:What about flat cards? by mysidia · · Score: 1

      If the customer issues a chargeback, Chang's doesn't have a leg to stand on.

      If the bank doesn't side with the merchant -- photographic evidence is sufficient for any court... Chang's can still manually send the customer a bill, ding their credit score if their meal ticket goes unpaid, and pursue other recourse: they can even add extra expenses to the debt incurred due to the chargeback, and possibly some interest charges and late fees on the debt...

    32. Re:What about flat cards? by Chelloveck · · Score: 1

      A lot of {regional} food isn't real {regional} food. It's {localized} {regional} food.

      You can fill in {regional} with any non-local region. In the US you can say it for Mexican, Thai, Italian, German, Polish... In the northern US you can say it for Southern food, and so on. It's kind of a variant of the "no true Scotsman" argument. No true Chinese person would cook like they do at PF Changs, therefore PF Changs is not true Chinese.

      --
      Chelloveck
      I give up on debugging. From now on, SIGSEGV is a feature.
    33. Re:What about flat cards? by aitikin · · Score: 1

      If the customer issues a chargeback, Chang's doesn't have a leg to stand on.

      If the bank doesn't side with the merchant -- photographic evidence is sufficient for any court...

      Bullshit. I'm in sales, my company's lost chargebacks with "photographic evidence" plenty of times. The bank sides with their client, the customer almost all the time.

      --
      "Don't meddle in the affairs of a patent dragon, for thou art tasty and good with ketchup." ~ohcrapitssteve
    34. Re:What about flat cards? by coinreturn · · Score: 1

      Sorry, I have no desire to eat dog meat, fish entrails, incests, or tiger penis.

      This. As a USAian, I like so-called Americanized fare. In many places it is WAY better than the "genuine" places that a bunch of hipster doofuses think are so great for being so genuine.

  2. Non-imprintable Cards by coop999 · · Score: 2

    One of my cards was reissued without raised digits on it about 3 years ago, so this plan might not work out so well for them. Also, I wonder how many of the 19 year-olds working there's minds just got blown by the swipe machine and now know why credit cards (used to) have raised digits.

  3. No imprint? by Delarth799 · · Score: 1

    There are a lot of cards now with don't have the numbers imprinted on them. Am I going to have to manually write out my card information when I go there now because these incompetent people can't be bothered to hire a couple security people and fix the problem instead of making it inconvenient and no more secure for anybody. Also a credit card swipe is pretty much automatically processed, what kind of delay will be on the manual transactions?

  4. Chip & Pin by Anonymous Coward · · Score: 4, Insightful

    I heard the USA will finally get proper Chip & Pin cards next year ?

    I visited the US recently and discovered the joy of swipe & signature on paper receipts... It really feels like 3rd world technology.

    1. Re:Chip & Pin by ArchieBunker · · Score: 1

      I had the same problem but when using my card in Canada. Some places would read it but most would not. Called the credit card company to bitch and nobody knew what chip and pin was.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    2. Re:Chip & Pin by EvilSS · · Score: 1

      I heard the USA will finally get proper Chip & Pin cards next year ?

      I visited the US recently and discovered the joy of swipe & signature on paper receipts... It really feels like 3rd world technology.

      Chip yes, PIN... maybe. PIN is not going to be a requirement from the credit card companies in the US, it will be left up to the individual issuing banks whether to include it or not. Supposedly it's to do with "customer acceptance" but really it's some BS around PIN payment processing vs regular CC processing networks and fees and how the new Chip & PIN transactions would be handled.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    3. Re:Chip & Pin by farble1670 · · Score: 1

      it's looking like chip & signature, not PIN. CC companies are worried that people will not remember their PIN and therefore spend less.

    4. Re:Chip & Pin by whoever57 · · Score: 1

      Some places would read it but most would not.

      I have been dealing with this in the UK for some time now. The card readers do actually have a slot for swiping cards -- it's just that the slot (on the side of the card reader) is so narrow that the cashiers don't know you can swipe a card through there.

      On my last trip, I used my new Citibank chip and signature card and that seemed to work OK, although there were some surprised cashiers as the signature slip printed out.

      --
      The real "Libtards" are the Libertarians!
    5. Re:Chip & Pin by reanjr · · Score: 1

      Signatures are typically only for larger purchases. When you buy a pack of gum with a credit card, you almost never have to supply a signature. Also, in the US we buy packs of gum with credit cards, which is not really easy to do a lot of places outside of the US, with minimum purchases requirements.

    6. Re:Chip & Pin by ArchieBunker · · Score: 1

      The ATMs give an error about my banking institution declining the transaction. Called card services a number of times and they claim no problems and don't see anything being declined. One certain ATM seems to work while most don't. Gas stations seem to read the card alright but then the grocery store couldn't. My bank's VISA card has more problems than my Mastercard. Seriously what the fuck?

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    7. Re:Chip & Pin by aitikin · · Score: 1

      Minimum purchase requirements are against the agreement the organization has with the credit card company* (in the US) which is why you can pay for a pack of gum with a credit card.

      *Mind you, you'll still see plenty of smaller stores putting a minimum on purchases with CCs. They pay a larger transaction fee than big chains typically.

      --
      "Don't meddle in the affairs of a patent dragon, for thou art tasty and good with ketchup." ~ohcrapitssteve
    8. Re:Chip & Pin by Richard_at_work · · Score: 1

      When a vendor accepts a transaction via anything other than chip and pin, they take on significantly more responsibility for that transaction, and thus many vendors simply choose to decline those transactions.

  5. Re:more secure? by Anonymous Coward · · Score: 5, Insightful

    > So now I can physically steal boxes of credit card numbers with signatures right at the bottom?

    Everybody understands physical security. Store the boxes in a locked closet in the managers office and the the number of people who have access is reduced to a handful of employees - all of which are also subject to our local legal system. Put the data on the network and the number of people who might have access to it is practically the entire internet, the majority of which are outside of US jurisdiction.

  6. Now That's Amusing by vomitology · · Score: 2

    A company that didn't know it was breached, doesn't know the extent of the breach, and who's answer to the breach is to revert to 40-year old tech using the phrase "If it's not obvious..."

    --
    ~Knowledge is knowing that a tomato is a fruit, but Wisdom is knowing not to put it in a fruit salad.
  7. Re:Not Clueless by Fallen+Kell · · Score: 1

    5 minutes to look in a filing cabinet? Are you kidding me? Do you know how many people would be in that filing cabinet? Something like 30-60 million, assuming they somehow know when to magically remove the ones who died.

    --
    We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
  8. Illegal by Anonymous Coward · · Score: 1

    its illegal to use those devices in California. I thought the whole reason those were phased out was because they actually facilitated card theft...

    1. Re:Illegal by Isara · · Score: 1

      they're not illegal in California, just antiquated. they were phased out because they're not as convenient and the security on them is minimal to non-existent.

      --
      BOOP!
  9. Imprint is still allowed? by Cmdr-Absurd · · Score: 1

    I was under the impression (no pun intended) that the old-school imprint technique was declared unacceptable (in the PCI-DSS rules) a few years back.
    Perhaps the rules for securing the imprints were just so cumbersome that it made using them completely impractical. I can't imagine fast food joints maintaining the physical security required for this.

    1. Re:Imprint is still allowed? by dave562 · · Score: 1

      I was thinking something similar. Now instead of having a bunch of numbers easily accessible to thieves in a compromised POS system, they are simply going to be discarding a bunch of imprints covered in Chinese food waste.

    2. Re:Imprint is still allowed? by mirix · · Score: 1

      I haven't seen the desk-type imprint machine in ages. Must be 20 years, maybe 10 - 15 years in backwater areas.

      Though the last time I got my car towed, the driver had some sort of miniature impression rig. Which still makes sense, if you're out of range of network and whatnot...

      Also in Cuba, they had one down there. Which sorta makes sense too.

      --
      Sent from my PDP-11
    3. Re:Imprint is still allowed? by nolife · · Score: 1

      A lot of taxi drivers still do the old school impression method.

      --
      Bad boys rape our young girls but Violet gives willingly.
    4. Re:Imprint is still allowed? by Cmdr-Absurd · · Score: 2

      A bit of googling does suggest that imprints can be still used. Still, I can't imagine the security requirements being met in a fast food environment.

    5. Re:Imprint is still allowed? by hurfy · · Score: 1

      nope, we still use one for two weeks at the fairgrounds. No, I don't want to buy a smartphone and a data plan for 10 days a year. If you can't manage to not lose a handful of reciepts how the heck would a business deal with cash?

      I imagine they figured the loses from bad cards were acceptable given the circumstances. I can't see them imprinting and immediately running the card. In that case a dial-up swipe terminal makes more sense.

      They probably aren't processing the cards at all yet. Otherwise they key them into a dial-up terminal, in which case swipe makes more sense, or key them into the insecure system by hand??? Little tougher on the cash flow but few people get upset if not billed right now ;)

      The local grocery stores brought in a dial-up swipe terminal when they had the same issue. You only had one lane at the customer service counter for cards for a week!

    6. Re:Imprint is still allowed? by Cmdr-Absurd · · Score: 1

      I once went to a Staples to buy a ream of paper. Their computers were down. So they decided to close the store. Said they couldn't sell anything. Apparently, they couldn't locate any office supplies that would have allowed them to write up a sale.

  10. Re:Not Clueless by Fallen+Kell · · Score: 1

    Also, do you know how large that filing cabinet would even be? A cabinet with 18" deep drawers that is 18,182 feet high.

    --
    We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
  11. Secure against Cylons by chiefcrash · · Score: 2

    You'll see things here that look odd, even antiquated to modern eyes, like phones with cords, awkward manual valves, computers that, well, barely deserve the name. It was all designed to operate against an enemy who could infiltrate and disrupt even the most basic computer systems. Galactica is a reminder of a time when we were so frightened by our enemies that we literally looked backward for protection...

    --
    Show me on the 1st Amendment bobblehead where the moderator touched you...
  12. Re:Not Clueless by Lab+Rat+Jason · · Score: 1

    Unfortunately this makes your Identity EASIER to steal... since filing cabinets' auditing systems are easy to bypass, and it's hard to know if the data has been accessed/stolen. The inside job is far too easy with this scenario.

    --
    Which has more power: the hammer, or the anvil?
  13. Never store sensitive data you don't need. by hey! · · Score: 5, Insightful

    Back in the 80s I worked for a company that did back office accounting systems. Then I moved to a large non-profit and was in charge of both back office and customer facing systems. This was when the Internet was for non-commercial traffic only, so "customer facing" meant a live operator at a dumb terminal hooked up to a minicomputer.

    My new employer wanted me to develop a system that would among other things take credit cards from donors and volunteers. I was pretty confident on the technical end of things, but I wasn't sure about handing the financial data. So I called in a CPA friend I'd met at my prior job, and he looked over a the design documentation for the system to make sure everything was kosher.

    "You can't store credit card information in the database," he said.

    "Why not?"

    "Because it's insecure," he said.

    "But it's convenient," I said.

    "That's the problem," he said. "Look, any of the operators will be able to look up credit card information on any donor. Some of these donors are rich. You'd be able to go on one hell of a shopping spree with just one of their credit cards."

    "What if I make it harder to look up the data?"

    "Then it's not convenient anymore," he said. "Look, you don't actually have a use for this data once you've processed the credit card transactions. And while you're keeping it around in case you might someday have a use for it, it leaves you wide open to theft. It'd be a disaster; customers won't do business with you because your reputation will be in the toilet. Get rid of it. Get it out of the database, any logs you have, and make sure it's not in any backup tapes."

    And when I thought about it I realized he was right. There was no point in exposing my employer to risk for no real benefit. That's when I learned an important principle of security: don't hold onto sensitive data that you don't actually have a use for. I suppose you could generalize: don't keep sensitive data on any system where there is no compelling need to store it there.

    Things have changed now; storing credit card data has come to be regarded as routine in the post-1 click, impulse buy Internet world. But even though it is the *norm*, that doesn't mean you should automatically do it. There's actually a use in a web store for storing credit card data which offsets the risk (which you should still minimize). There's no reason for a restaurant to store credit card information -- that's just blind habit. Waiter takes the customer credit card, runs the transaction, and hands the card back to the customer, and then restaurant no longer has the data. You can't lose what you don't have.

    Of course in this case it's probably not P.F. Chang's fault. They bought a POS system which left them open. It probably is all slick and really very helpful at keeping things moving, like maybe taking the customers card at the table. It'd be interesting to know how the POS system vendor screwed this up, because clearly they did.

    There is no encryption or security architecture that beats not having the data.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    1. Re:Never store sensitive data you don't need. by gigne · · Score: 4, Informative

      "Things have changed now; storing credit card data has come to be regarded as routine in the post-1 click, impulse buy Internet world."

      Having intefgrated with several payment processing systems, I can tell you no one stores credit card information any more. At least in Europe. PCI-DSS regulations are very clear on this.

      What we have now is a token we can use. The token is returned after a payment is made. You can keep this token int he DB to allow repeat purchases. This is similar to storing the credit card, but you can only re-use that token with the single payment processor company and give the original payee that money.

      Pretty much useless for a criminal.

      The liability for leaking a cc number is now with the payment processor, and they are generally held to a higher security standard than your average chinese retaurant chain.

      --
      Signature v3.0, now with 42% less memory usage.
    2. Re:Never store sensitive data you don't need. by farble1670 · · Score: 2

      "Then it's not convenient anymore," he said. "Look, you don't actually have a use for this data once you've processed the credit card transactions.

      your software should never even have the data at all. it should be coming off a card read encrypted and going straight to the payment processor in that fashion. if you ever keep unencrypted card data around, even if it's only in the memory of your device, it's trouble (that's how target got hit ... something was scanning their memory for things that looked like credit card data).

      and there's a lot more to it than that, not the least of which is ensuring that the hardware itself cannot be tampered with / hacked to access the CC data prior to it being encrypted.

      taking payments is a dangerous business. if you are small time it's safer to accept paypal for some other payment method that doesn't involve you handling customers' data.

    3. Re:Never store sensitive data you don't need. by Anonymous Coward · · Score: 3, Insightful

      if you didn't know the answer to that, you really should not be writing such software.

      GP knew to call someone in who was more knowledgable. If you didn't know to do that, then you really shouldn't be doing jack shit.

    4. Re:Never store sensitive data you don't need. by stinerman · · Score: 2

      I've worked with payment processing here in the States. You can store the number and the expiration date but not the CVV2. Of course, no CVV2 means higher processing fees, which means customers will ask for ways of storing the CVV2. We tell them that makes them non-compliant and they don't really care. They just want lower processing fees and pay lip service to compliance.

    5. Re:Never store sensitive data you don't need. by grep+-v+'.*'+* · · Score: 1

      There is no encryption or security architecture that beats not having the data.

      YES! I agree completely, because sometimes you just don't have the data.
      --Your Friendly IRS branch audit store. Stop by and we'll check each other out!

      After Non-Profit Application Furor, IRS Says It's Lost 2 Years Of Lois Lerner's emails

      One. Two. Three.

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    6. Re:Never store sensitive data you don't need. by hey! · · Score: 1

      These were telemarketing operators who didn't have physical access to the credit card. Anyway, back in those days the data wasn't encrypted yet. So I fear I have led you to squander an insightful comment.

      It's easy for an old timer to forget that people under the age of 40 have never ordered anything over the phone. At the time I'm talking about, the web was years in the future, and it was illegal to conduct commerce over the Internet (which we called "the ARPANet"). Most businesses ran entirely on paper, and most people had never seen a computer in person. Usually in the movies or TV they'd use a 7 track tape drive as the prop "computer", although those were obsolete even then.

      So believe it or not, back then it was common to call a vendor on a phone, verbally tell him what you want, and then read off your credit card number and expiration date. This was simply the way you bought things if you weren't shopping at a bricks-and-mortar store (which we called "a store"). Nobody was worried about "identity theft" because thieves still dealt mainly in cash and transportable valuables and crooks were only just then cottoning on to the value of information.

      You could also buy stuff by writing a letter to a vendor listing what you wanted and enclosing a check or money order (which was a check you got at the post office in exchange for cash and and extra nickel). Six to eight weeks later your stuff would arrive. For some reason it was always "six to eight weeks". That's how we used to buy stuff like propeller beanies and x-ray specs from poorly printed ads in the back of comics. The x-ray specs were a bust; all they'd do is make girls think you were creepy, which was actually kind of the point. You could also send away for itching powder and books of allegedly comical retorts you were supposed to use if somebody said something that made you feel bad and you couldn't think of anything original. "May the fleas of a thousand camels infest your armpits." That material killed -- usually the kid who tried to use it.

      It was a simpler time. Kids couldn't get access to porn (which we called "dirty pictures") because they kept it on a shelf higher than we could reach. You had to know to sneak into the firehouse when the men were out on an alarm. We didn't have gaming consoles so we had to make our own fun. We'd go out in the healthy fresh air and throw rocks at each other. That was our version of a "first person shooter". Sometimes to fill up the time we'd have fist fights with kids who were a different race or religion from us. Or from the other end of the street. Or were just there. Believe me it kept you on your toes when you were walking home at night! But it wasn't hateful, it was just something to do when you don't have "Grand Theft Auto" to keep you distracted. The next day we'd be having a pickup baseball game (no adult supervision for *us*) down at the sandlot with the very same kids we'd just fought. We'd laugh, exchange insults, and swipe the other guys equipment when he wasn't looking, just as if nothing happened.

      And I swear, every word I've written here is true.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    7. Re:Never store sensitive data you don't need. by s0nicfreak · · Score: 1

      I think you may be confusing your times; by the 80s kids had Atari 2600s and Apple IIs.

    8. Re:Never store sensitive data you don't need. by hey! · · Score: 1

      Very few kids. And most of those didn't have modems. Adults often did, and they could buy things on CompuServe or AOL dialup, at 1200 baud. Not many people did, and those who did so did it more for the novelty value.

      But I did slip from 1986 to 1967 in my reminiscing. It was the comic book thing. My dad had restaurant next to a convenience store and I used to buy my comic books there.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  14. Cash ... by jamesl · · Score: 2

    ... is King.

  15. Criminal System by Tokolosh · · Score: 1

    Credit cards are a ponzi scheme, are not backed by any hard currency, cannot be used to pay taxes and are only used by drug dealers and money launderers. Oh, wait....

    --
    Prove anything by multiplying Huge Number times Tiny Number
    1. Re:Criminal System by stinerman · · Score: 1

      Of course they can be used to pay taxes. I paid the balance of my federal income tax using a credit card.

      Yes, I know...

  16. Manual imprinting, aka... by wonkey_monkey · · Score: 1

    ...the clunk-a-chunk machine.

    I know retro is in, but this is going too far.

    --
    systemd is Roko's Basilisk.
  17. Wait, what? by gstoddart · · Score: 1

    How the heck does old fashioned imprinting help me to use a debit card?

    Do these people actually not understand any of this technology?

    --
    Lost at C:>. Found at C.
    1. Re:Wait, what? by hurfy · · Score: 1

      Imprinting implies they are not billing the card immediately at all.

      Not billing your debit card at the moment is only slightly more risky than real CC. They are more likely concerned with image and customer satisfaction atm.

    2. Re:Wait, what? by gstoddart · · Score: 1

      Obviously, because it's paper. Which is not immediate.

      But, I didn't think you could do a debit transaction with just an imprint. How do you know which account? You certainly don't have my PIN.

      I'm skeptical this would even work. I've never heard of doing a debit transaction with an imprint ... it may exist, but that would surprise me.

      --
      Lost at C:>. Found at C.
    3. Re:Wait, what? by Lehk228 · · Score: 1

      most debit cards can be run as credit, if you have a usage limit on debit pin transactions you likely do not have a limit on debit/credit transactions, they are not processed instantly so you have to be smart about not spending all your money

      --
      Snowden and Manning are heroes.
    4. Re:Wait, what? by mysidia · · Score: 1

      Obviously, because it's paper. Which is not immediate.

      But, I didn't think you could do a debit transaction with just an imprint.

      It's probably not just paper. The debit card probably has a MC/Visa logo. Mastercard/Visa/Discover have or had an "authorization call center". If the magnetic stripe on a card won't work; there's a phone number the merchant is to call in. Give their merchant account number verbally; give the Credit card number, expiration date, flip the card over, and read off the 7-digit number on the signature panel.

      The authorization center will then verify the transaction is authorized, and reply with an "authorization id" that the cashier is to write on the sales form.

      They will then take an imprint of the front of the card, to prove that it was present at the time of sale.

  18. It's written in by hand by SuperBanana · · Score: 5, Insightful

    The slip's form fields align with a credit card, but that doesn't mean the waitstaff can't write it in by hand. Impressions just made it faster, and gave some limited proof of "card presence."

    Also, why would you eat at PF Changs? PF Chang's is for people too afraid (to be polite) to step into the local Asian restaurants. It's overpriced low-to-mid-tier produce/meat with a sauce that came out of a can. If you're lucky, that can says "PF Changs teriyaki sauce", not "Sysco teriyaki sauce."

    I once ate there and the waiter actually felt it necessary to tell us that "soy sauce is like salt for chinese food."

    Stop eating at chain restaurants. They suck - the food's bad, they run the local non-chains out of business - and they prey upon people who want bland consistency. Live a little. Support the local economy. Etc.

    --
    Please help metamoderate.
    1. Re:It's written in by hand by KingOfBLASH · · Score: 1

      THIS!

      REAL restaurants tend to be cheaper, and of better quality. You're smoking crack if you'd rather go to PF Changs.

    2. Re:It's written in by hand by DNS-and-BIND · · Score: 1

      People eat at PF Chang's because they want American Chinese food. Real Chinese restaurants serve dishes that nobody's ever heard of. Moreover, before you go into a PF Chang's, you know exactly what you're going to get. The local place...it's a coin toss. For the record, I hate PF Chang's and would never voluntarily eat there.

      I will never understand people who get discombobulated by the fact that other people don't agree with their choices. "Prey upon people" WTF?

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    3. Re:It's written in by hand by Lehk228 · · Score: 1

      > Moreover, before you go into a PF Chang's, you know exactly what you're going to get.

      knowing in advance that it's going to be shit, does not make it less shitty

      --
      Snowden and Manning are heroes.
    4. Re:It's written in by hand by steelfood · · Score: 1

      While I mostly agree with you, there is a market that P.F. Changs is filling that many local places cannot. Unless you're living in an area that has a good sized Chinese population, most "real" chinese food places serve items like fried chicken and egg drop soup. The rest of the menu is probably going to suck just as bad or worse.

      High end Chinese restaurants is hard to do, mostly because the majority of Americans (to no fault of their own) have long since associated Chinese food with cheap, and the "high end" Chinese food in the U.S. just doesn't cut it quality-wise for the local Chinese population (especially compared to what's found in Hong Kong or even Vancouver or Toronto) for that price. My point being, there really aren't many places that can support a decent local Chinese restaurant. But where they are present, they're certainly preferable food-wise to P.F. Changs.

      As for why Chinese people haven't started a chain like P.F. Changs already (that serves more authentic Chinese food, say), well, that's largely a cultural thing that would require several books to explain. The closest thing to that is Panda Express, and we all know what types of food they serve.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
  19. Re:more secure? by plover · · Score: 3, Insightful

    Physically, you can steal one box at a time, perhaps 1000 receipts. And the thief must be physically present, and risk his ass getting caught doing so.

    Electronically, you can sit in Odessa, Ukraine, and steal 44 million accounts from every cash register at a major retailer. And the thief risks absolutely nothing, because his government is too busy fighting the Russian separatists who have taken over City Hall.

    See the difference?

    --
    John
  20. And gone by phorm · · Score: 1

    Cash, when stolen, is gone. I'd rather not go back to the days of carrying a a hundred bucks or more in my wallet when going out for the night, walking back to my car in a dimly lit street surrounded by sketchy/drunk people.

    Somebody steals my card - or card info - I cancel the card. It's done. I owe no debts so long as I watch my charges and report if something goes wrong

    Somebody steals my wallet with my card. I cancel the card. It's done. I owe no debts so long as I report the card stolen

    Somebody steal my cash.... the cash is gone, and I'm not getting it back.

  21. Re:Not Clueless by Anonymous Coward · · Score: 1

    If you are such a paranoid douche, then why the fuck are you donating blood? You know the gubbermint is really taking your blood and doing a full DNA analysis on it to find the key genome sequence that will grant Obama immortality, so he can declare himself supreme ruler for the next 300 years and enslave the rest of rest of humanity in FEMA camps as part of the Reptoid conspiracy.

  22. Re:Never heard of dumpster diving? by dgatwood · · Score: 1

    Doesn't the merchant have to send the imprint to the CC company (who presumably shreds them)? Or do you mean the carbon copy that they give you? Because that's the customer's problem. Also, the newer slips don't imprint the full card number on the copy, IIRC.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  23. Dumpster Diving by bkcallahan · · Score: 1

    So all you have to do is get the carbons from the trash now for those, like back in the 80s??

  24. Re:more secure? by LurkerXXX · · Score: 1

    When the physical security is breached, the customers at that one store with the rogue employee/thief is affected. When the records are online, you can have all the customers at many/all the stores are affected by a single breach.

  25. Re:Here we go again by coolsnowmen · · Score: 1

    Again, chip-an-pin would be less work that rolling out imprinting devices, and would be much more secure.

    Except not by PFChangs. The whole point is to be able to get money from customers, but, PF Changs's US customers don't have a CC with chip&pin. It has to come from the credit card companies.