Slashdot Mirror


Clueless About Card Data Hack, PF Chang's Reverts To Imprinting Devices

wiredmikey writes: After saying earlier this week that it was investigating reports of a data breach related to payment cards used at its locations, P.F. Chang's China Bistro confirmed on Thursday that credit and debit card data has been stolen from some of its restaurants. What's interesting, and somewhat humorous, is that the company said that it has switched over to manual credit card imprinting systems for all of its restaurants located in the continental United States. The popular restaurant chain said that on Tuesday, June 10, the United States Secret Service alerted the company about the incident. Admitting that it does not know the extent or current situation and impact of the attack, the company noted in a statement: "All P.F. Chang's China Bistro branded restaurants in the continental U.S. are using manual credit card imprinting devices to handle our credit and debit card transactions," the company said. "This allows you to use your credit and debit cards safely." If it's not obvious, anyone who has visited a P.F. Chang's and used a payment card in the last several months should monitor their accounts and report any suspected fraudulent activity to their card company.

21 of 142 comments

  1. What about flat cards? by Lab Rat Jason · Score: 5, Informative

    My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch. If you want relief on your card, you have to order it through the mail. So I guess I'm not eating at Chang's tonight.

    --
    Which has more power: the hammer, or the anvil?
    1. Re:What about flat cards? by ArchieBunker · Score: 2, Informative

      You're doing yourself a favor by not eating at PF Chang's.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    2. Re:What about flat cards? by EvilSS · Score: 2

      > My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch.

      Uhmmm, my credit union prints their own cards right in the branch and hands them to you when you open an account. With raised numbers like a normal card. The card printers for making properly-embossed cards are not that expensive.

      Those raised numbers are going away. My credit union recently switched to flat cards from raised cards (raised cards were available instantly as well). Visa/MC wants to do away with imprints because they are a security risk (since they expose the entire card number on the receipt) so they dropped the embossing requirement a while back.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    3. Re:What about flat cards? by gstoddart · Score: 4, Insightful

      Why keep using ancient swipe technology?

      Chip and PIN is a *much* better system.

      --
      Lost at C:>. Found at C.
    4. Re:What about flat cards? by Razed By TV · Score: 2

      A lot of Chinese food isn't real Chinese food. It's Americanized Chinese food. Though I share your sentiment that Chang's and Pei Wei seem to turn the "Chinese" food experience into something else, and not in a good way.

    5. Re:What about flat cards? by NotQuiteReal · Score: 2

      It's coming... Starting in Oct 2015 there will be "incentives" for vendors to have the means to accept them. It will still take a few more years, but it is coming.

      --
      This issue is a bit more complicated than you think.
    6. Re:What about flat cards? by Sylak · Score: 2

      Chip & sig is being rolled out by some national banks right now. Expect Target to start taking chips soon, and Wal-Mart already does.

  2. Non-imprintable Cards by coop999 · Score: 2

    One of my cards was reissued without raised digits on it about 3 years ago, so this plan might not work out so well for them. Also, I wonder how many of the 19-year-olds working there just had their minds blown by the swipe machine and now know why credit cards (used to) have raised digits.

  3. Chip &amp; Pin by Anonymous Coward · Score: 4, Insightful

    I heard the USA will finally get proper Chip &amp; PIN cards next year?

    I visited the US recently and discovered the joy of swipe & signature on paper receipts... It really feels like 3rd world technology.

  4. Re:more secure? by Anonymous Coward · Score: 5, Insightful

    > So now I can physically steal boxes of credit card numbers with signatures right at the bottom?

    Everybody understands physical security. Store the boxes in a locked closet in the manager's office and the number of people who have access is reduced to a handful of employees, all of whom are also subject to our local legal system. Put the data on the network and the number of people who might have access to it is practically the entire internet, the majority of which are outside of US jurisdiction.

  5. Now That's Amusing by vomitology · Score: 2

    A company that didn't know it was breached, doesn't know the extent of the breach, and whose answer to the breach is to revert to 40-year-old tech using the phrase "If it's not obvious..."

    --
    ~Knowledge is knowing that a tomato is a fruit, but Wisdom is knowing not to put it in a fruit salad.
  6. Secure against Cylons by chiefcrash · Score: 2

    You'll see things here that look odd, even antiquated to modern eyes, like phones with cords, awkward manual valves, computers that, well, barely deserve the name. It was all designed to operate against an enemy who could infiltrate and disrupt even the most basic computer systems. Galactica is a reminder of a time when we were so frightened by our enemies that we literally looked backward for protection...

    --
    Show me on the 1st Amendment bobblehead where the moderator touched you...
  7. Never store sensitive data you don't need. by hey! · Score: 5, Insightful

    Back in the 80s I worked for a company that did back office accounting systems. Then I moved to a large non-profit and was in charge of both back office and customer facing systems. This was when the Internet was for non-commercial traffic only, so "customer facing" meant a live operator at a dumb terminal hooked up to a minicomputer.

    My new employer wanted me to develop a system that would, among other things, take credit cards from donors and volunteers. I was pretty confident on the technical end of things, but I wasn't sure about handling the financial data. So I called in a CPA friend I'd met at my prior job, and he looked over the design documentation for the system to make sure everything was kosher.

    "You can't store credit card information in the database," he said.

    "Why not?"

    "Because it's insecure," he said.

    "But it's convenient," I said.

    "That's the problem," he said. "Look, any of the operators will be able to look up credit card information on any donor. Some of these donors are rich. You'd be able to go on one hell of a shopping spree with just one of their credit cards."

    "What if I make it harder to look up the data?"

    "Then it's not convenient anymore," he said. "Look, you don't actually have a use for this data once you've processed the credit card transactions. And while you're keeping it around in case you might someday have a use for it, it leaves you wide open to theft. It'd be a disaster; customers won't do business with you because your reputation will be in the toilet. Get rid of it. Get it out of the database, any logs you have, and make sure it's not in any backup tapes."

    And when I thought about it I realized he was right. There was no point in exposing my employer to risk for no real benefit. That's when I learned an important principle of security: don't hold onto sensitive data that you don't actually have a use for. I suppose you could generalize: don't keep sensitive data on any system where there is no compelling need to store it there.

    Things have changed now; storing credit card data has come to be regarded as routine in the post-1-click, impulse-buy Internet world. But even though it is the *norm*, that doesn't mean you should automatically do it. There's actually a use in a web store for storing credit card data which offsets the risk (which you should still minimize). There's no reason for a restaurant to store credit card information -- that's just blind habit. The waiter takes the customer's credit card, runs the transaction, and hands the card back to the customer, and then the restaurant no longer has the data. You can't lose what you don't have.

    Of course in this case it's probably not P.F. Chang's fault. They bought a POS system which left them open. It probably is all slick and really very helpful at keeping things moving, like maybe taking the customer's card at the table. It'd be interesting to know how the POS system vendor screwed this up, because clearly they did.

    There is no encryption or security architecture that beats not having the data.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    1. Re:Never store sensitive data you don't need. by gigne · Score: 4, Informative

      "Things have changed now; storing credit card data has come to be regarded as routine in the post-1 click, impulse buy Internet world."

      Having integrated with several payment processing systems, I can tell you no one stores credit card information any more. At least in Europe. PCI-DSS regulations are very clear on this.

      What we have now is a token we can use. The token is returned after a payment is made. You can keep this token in the DB to allow repeat purchases. This is similar to storing the credit card, but you can only re-use that token with the single payment processor company and give the original payee that money.

      Pretty much useless for a criminal.

      The liability for leaking a cc number is now with the payment processor, and they are generally held to a higher security standard than your average Chinese restaurant chain.

      --
      Signature v3.0, now with 42% less memory usage.
    2. Re:Never store sensitive data you don't need. by farble1670 · Score: 2

      "Then it's not convenient anymore," he said. "Look, you don't actually have a use for this data once you've processed the credit card transactions."

      Your software should never even have the data at all. It should be coming off a card read encrypted and going straight to the payment processor in that fashion. If you ever keep unencrypted card data around, even if it's only in the memory of your device, it's trouble (that's how Target got hit ... something was scanning their memory for things that looked like credit card data).

      And there's a lot more to it than that, not the least of which is ensuring that the hardware itself cannot be tampered with / hacked to access the CC data prior to it being encrypted.

      Taking payments is a dangerous business. If you are small time it's safer to accept PayPal or some other payment method that doesn't involve you handling customers' data.

    3. Re:Never store sensitive data you don't need. by Anonymous Coward · Score: 3, Insightful

      If you didn't know the answer to that, you really should not be writing such software.

      GP knew to call someone in who was more knowledgeable. If you didn't know to do that, then you really shouldn't be doing jack shit.

    4. Re:Never store sensitive data you don't need. by stinerman · Score: 2

      I've worked with payment processing here in the States. You can store the number and the expiration date but not the CVV2. Of course, no CVV2 means higher processing fees, which means customers will ask for ways of storing the CVV2. We tell them that makes them non-compliant and they don't really care. They just want lower processing fees and pay lip service to compliance.
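The tokenisation flow gigne describes (a token that only the one processor will honour, and only for the original payee), together with farble1670's and stinerman's point that the PAN and CVV2 must not linger in the merchant's own storage, as an added example that is not code from this thread or from any payment processor. The processor here is an in-process stand-in (assumption: real vault APIs differ), and the card number, merchant id and log lines are constructed test values. The audit function at the end scans a log line for Luhn-valid card-number runs, the kind of check a merchant runs over its own logs and database dumps to confirm nothing raw was written.

```python
"""Tokenised card storage plus a retention audit.

Added example for this thread, not code from Slashdot, any poster, or any
payment processor. The processor below is a stand-in that lives in-process;
a real processor's vault and API are assumed to differ, and the card number,
merchant id and log lines are constructed test values.
"""
import re
import secrets
from dataclasses import dataclass

# Constructed data: the classic Luhn-valid Visa test PAN, not a real account.
SAMPLE_CARD = {"pan": "4111111111111111", "exp": "12/26", "cvv2": "123"}
MERCHANT_ID = "merchant-constructed-001"


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by the card brands; rejects most typos."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def masked(pan: str) -> str:
    """First six and last four only: the form a merchant may keep and print."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class SimulatedProcessor:
    """Stand-in for the processor's token vault (assumption: real APIs differ).
    The PAN lives only here; the merchant gets back a token bound to its own
    merchant id, so a leaked token cannot be used to pay anyone else."""

    def __init__(self):
        self._vault = {}  # token -> (pan, exp, merchant_id)

    def tokenize(self, pan: str, exp: str, merchant_id: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible PAN")
        token = "tok_" + secrets.token_hex(12)
        self._vault[token] = (pan, exp, merchant_id)
        return token

    def charge(self, token: str, merchant_id: str, cents: int) -> dict:
        entry = self._vault.get(token)
        if entry is None:
            raise KeyError("unknown token")
        pan, _exp, bound_to = entry
        if bound_to != merchant_id:
            raise PermissionError("token is bound to a different merchant")
        return {"ok": True, "cents": cents, "last4": pan[-4:]}


@dataclass(frozen=True)
class StoredCard:
    """What the merchant database holds: no PAN, and never the CVV2."""
    token: str
    masked_pan: str
    exp: str


def store_card(processor: SimulatedProcessor, merchant_id: str, card: dict) -> StoredCard:
    """Swap the PAN for a token at capture time. The CVV2 is consumed by the
    authorization and is deliberately not copied into the stored record."""
    token = processor.tokenize(card["pan"], card["exp"], merchant_id)
    return StoredCard(token=token, masked_pan=masked(card["pan"]), exp=card["exp"])


# 13 to 19 digits, optionally separated by spaces or dashes, not inside a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_raw_pans(text: str) -> list:
    """Retention audit for logs or DB dumps: any Luhn-valid run means card
    data escaped into storage. Returns masked hits, never the raw numbers."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(masked(digits))
    return hits


# Constructed log lines: the first is what a non-compliant POS might write.
BAD_LOG = "2014-06-12 sale terminal=7 pan=4111111111111111 exp=12/26 cvv=123 amount=42.10"
GOOD_LOG = "2014-06-12 sale terminal=7 token=tok_0badc0ffee12 last4=1111 amount=42.10"


if __name__ == "__main__":
    proc = SimulatedProcessor()
    rec = store_card(proc, MERCHANT_ID, SAMPLE_CARD)
    print(rec, proc.charge(rec.token, MERCHANT_ID, 4210))
    print("bad log hits:", find_raw_pans(BAD_LOG), "good log hits:", find_raw_pans(GOOD_LOG))
```

The stored record carries only the token, the masked PAN and the expiry, which is what stinerman says may be kept; the CVV2 is never assigned anywhere, so there is nothing for a customer to ask you to retain. A token leaked from this merchant's database fails the merchant binding at the processor, which is the property gigne describes.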

  8. Re:Imprint is still allowed? by Cmdr-Absurd · Score: 2

    A bit of googling does suggest that imprints can still be used. Still, I can't imagine the security requirements being met in a fast food environment.

  9. Cash ... by jamesl · Score: 2

    ... is King.

  10. It's written in by hand by SuperBanana · Score: 5, Insightful

    The slip's form fields align with a credit card, but that doesn't mean the waitstaff can't write it in by hand. Impressions just made it faster, and gave some limited proof of "card presence."

    Also, why would you eat at PF Changs? PF Chang's is for people too afraid (to be polite) to step into the local Asian restaurants. It's overpriced low-to-mid-tier produce/meat with a sauce that came out of a can. If you're lucky, that can says "PF Changs teriyaki sauce", not "Sysco teriyaki sauce."

    I once ate there and the waiter actually felt it necessary to tell us that "soy sauce is like salt for Chinese food."

    Stop eating at chain restaurants. They suck - the food's bad, they run the local non-chains out of business - and they prey upon people who want bland consistency. Live a little. Support the local economy. Etc.

  11. Re:more secure? by plover · Score: 3, Insightful

    Physically, you can steal one box at a time, perhaps 1000 receipts. And the thief must be physically present, and risk his ass getting caught doing so.

    Electronically, you can sit in Odessa, Ukraine, and steal 44 million accounts from every cash register at a major retailer. And the thief risks absolutely nothing, because his government is too busy fighting the Russian separatists who have taken over City Hall.

    See the difference?

    --
    John