P.F. Chang's Data Breach Underscores POS System Vulnerabilities

NEWS ANALYSIS: Restaurant chain P.F. Chang's is now using manual imprinting of credit cards, but is that any safer?

Chinese restaurant chain P.F. Chang's confirmed June 12 that it was the victim of a security compromise affecting its credit card payment terminals. The breach draws renewed attention to the vulnerability of point-of-sale systems and to the impact of that vulnerability on restaurateurs and other retailers as well as their customers.

The compromise was first alleged in a post by blogger Brian Krebs on June 10, which is the same date the restaurant said it learned of the security incident from the U.S. Secret Service.

"We are coordinating with the United States Secret Service on an investigation to determine when the incident started and what information is involved," P.F. Chang's said in a statement.

Full details on the security compromise have not yet been disclosed, but the payment-card terminals in the restaurants were likely the point of compromise. To help protect its customers while the investigation is ongoing, Chang's noted that its restaurants in the United States will now be using manual credit card imprinting devices to handle credit and debit card transactions.

"This allows you to use your credit and debit cards safely," Chang's stated.

The breach at P.F. Chang's is not surprising to security experts.

More retail breaches will likely be discovered and reported in the next few months, Morey Haber, senior director of program management at BeyondTrust, told eWEEK. "Considering restaurants operate on very small margins, and security is not a primary concern, I am actually surprised more companies like this have not been compromised," he said.

Philip Casesa, director of IT/service operations for security education group (ISC)2, told eWEEK that P.F. Chang's security compromise appears to follow the same approach that attackers leveraged in the big Target breach, in which point-of-sale (POS) machines with traditionally weak security were targeted.

Target reported Dec. 13 that it was the victim of a data breach that affected 70 million of its customers.

"Large retailers maintain centralized connections to these machines for updating, and an attacker can exploit that to distribute malware efficiently and collect large swaths of magnetic stripe data from the cards," Casesa said. "Without proper detection of this malware on the retailer's part, these breaches can run almost unfettered until the attackers have enough or their exploit window is somehow closed."

Until security on retail point-of-sale systems becomes pervasive, attacks will continue, he added.

The fact that retailers have now been proven to be a vulnerable target will encourage further attacks, according to Dwayne Melancon, chief technology officer at Tripwire.

"A lot of retailers don't have information security as a core competency within their organizations, which means some of them are easier targets," Melancon told eWEEK. "When one of those soft targets becomes a victim, criminals notice that the retail sector provides a lot of opportunity."

Is Paper Safer?

P.F. Chang's decision to forgo electronic payment terminals and revert to the manual imprint method isn't necessarily a safer approach, security experts said.

A stack of imprinted card slips is just as valuable as the electronic card data and can also be copied (using a copier, smartphone camera, etc.) for malicious purposes, Haber said.

"I can only assume P.F. Chang's has chosen this method since the electronic system they have has been compromised at the store level, versus a database breach on the back end," Haber said. "This is the only method they have to still conduct business."

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.