Chinese restaurant chain P.F. Chang’s confirmed June 12 that it was the victim of a security compromise affecting its credit card payment terminals. The breach draws renewed attention to the vulnerability of point-of-sale systems and to what that vulnerability means for restaurateurs and other retailers as well as their customers.
The compromise was first reported in a June 10 post by security blogger Brian Krebs, the same date the restaurant said it learned of the incident from the U.S. Secret Service.
“We are coordinating with the United States Secret Service on an investigation to determine when the incident started and what information is involved,” P.F. Chang’s said in a statement.
Full details on the security compromise have not yet been disclosed, but the payment-card terminals in the restaurants appear to have been the point of compromise. To help protect its customers while the investigation is ongoing, P.F. Chang’s said its restaurants in the United States will use manual credit card imprinting devices to handle credit and debit card transactions.
“This allows you to use your credit and debit cards safely,” Chang’s stated.
The breach at P.F. Chang’s is not surprising to security experts.
More retail breaches will likely be discovered and reported in the next few months, Morey Haber, senior director of program management at BeyondTrust, told eWEEK. “Considering restaurants operate on very small margins, and security is not a primary concern, I am actually surprised more companies like this have not been compromised,” he said.
Philip Casesa, director of IT/service operations for security education group (ISC)2, told eWEEK that P.F. Chang’s security compromise appears to follow the same approach that attackers leveraged in the big Target breach, in which point-of-sale (POS) machines with traditionally weak security were targeted.
Target disclosed in December 2013 that it was the victim of a data breach that affected 70 million of its customers.
“Large retailers maintain centralized connections to these machines for updating, and an attacker can exploit that to distribute malware efficiently and collect large swaths of magnetic stripe data from the cards,” Casesa said. “Without proper detection of this malware on the retailer’s part, these breaches can run almost unfettered until the attackers have enough or their exploit window is somehow closed.”
Until security on retail point-of-sale systems becomes pervasive, attacks will continue, he added.
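The pattern Casesa describes above, malware on the POS reading magnetic stripe data and running unnoticed, is commonly called RAM scraping: track data is in the clear in the payment application's memory for the moment of authorization, and that is where the malware reads it. One practical check on a suspected terminal is to scan a process memory dump for anything shaped like track data. The scanner below is an added example, not code from the article or from any of the companies quoted. It looks for the ISO/IEC 7813 Track 1 and Track 2 layouts and filters each hit with the Luhn check so that arbitrary digit runs are not reported. The memory blob is constructed here from widely published test card numbers; the regular expressions and the masking policy are this example's assumptions, not any vendor's detection signature.

```python
import re

# ISO/IEC 7813 layouts. Track 1: start sentinel '%', format code 'B', '^' field
# separators, end sentinel '?'. Track 2: ';' start sentinel, '=' separator, '?' end.
# Both carry the PAN, an expiry (YYMM) and a 3-digit service code.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z0-9 /.'-]{2,26})\^(\d{4})\d{3}[^?\x00]{0,30}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d{3}[^?\x00]{0,20}\?")


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 check digit; rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits (the PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: bytes) -> list[dict]:
    """Return Luhn-valid Track 1 / Track 2 hits in a memory blob, ordered by offset."""
    hits = []
    for track, rx, expiry_group in ((1, TRACK1_RE, 3), (2, TRACK2_RE, 2)):
        for m in rx.finditer(blob):
            pan = m.group(1).decode("ascii")
            if not luhn_ok(pan):
                continue                    # e.g. an order number that happens to sit between sentinels
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan": mask_pan(pan),      # never log the full PAN from a scanner
                "expiry": m.group(expiry_group).decode("ascii"),
            })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample (assumption, not a real capture): a slice of POS process memory
# with two genuine swipes (industry test PANs 4111... and 5500..., both Luhn-valid),
# one decoy record whose check digit fails, and a bare 16-digit string with no framing.
SAMPLE_DUMP = (
    b"POS-SVC 2.1 heartbeat OK\x00\x00\x00\x00"
    b"%B4111111111111111^DOE/JANE^25121011234567890?\x00\x00"
    b"txn=000812 amount=4350\x00"
    b";5500000000000004=2512101123456789?\x00\x00"
    b";1234567890123456=2512101000?\x00"            # fails Luhn: not a card
    b"order-4111111111111111-ref\x00"                # digits without track framing
)


if __name__ == "__main__":
    for h in find_track_data(SAMPLE_DUMP):
        print(f"offset {h['offset']:5d}  track {h['track']}  PAN {h['pan']}  exp {h['expiry']}")
```

Run it over a memory acquisition of the POS payment process, or over temp files, logs and outbound captures from the terminal. Track data has a legitimate reason to exist only inside the payment application during authorization, and PCI DSS forbids storing it afterwards, so a hit anywhere else (a scratch file, a process that is not the payment application, a network capture) is the kind of indicator Casesa says retailers have been missing.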
The fact that retailers have now been proven to be a vulnerable target will further encourage more attacks, according to Dwayne Melancon, chief technology officer at Tripwire.
“A lot of retailers don’t have information security as a core competency within their organizations, which means some of them are easier targets,” Melancon told eWEEK. “When one of those soft targets becomes a victim, criminals notice that the retail sector provides a lot of opportunity.”
Is Paper Safer?
P.F. Chang’s decision to forgo electronic payment terminals and revert to the manual imprint method isn’t necessarily a safer approach, security experts said.
A stack of imprinted card slips is just as valuable as the electronic versions and can be copied (with a photocopier, a smartphone camera and so on) for malicious purposes, too, Haber said.
“I can only assume P.F. Chang’s has chosen this method since the electronic system they have has been compromised at the store level, versus a database breach on the back end,” Haber said. “This is the only method they have to still conduct business.”
P.F. Chang’s Data Breach Underscores POS System Vulnerabilities
Tripwire’s Melancon, however, said going to manual imprint for credit card information isn’t an entirely bad idea. “In terms of establishing trust after a breach, going to the use of carbon forms to gather payment information isn’t as crazy as it sounds,” he said. “After all, if you’re not sure which of your data systems you can trust, why would you put even more data into those systems?”
That said, Melancon added that physical collection of card information might reduce the number of people who interact with the data, because that information is no longer accessible on an open network, but it isn’t practical in the long term.
“The risk in paper-based collection is that many retailers no longer have effective processes or employee training designed to secure, monitor and control physical card slips,” Melancon said. “This means that, while a paper-based approach may reduce one specific type of risk, it doesn’t totally eliminate risk altogether; it changes the data protection problem to a different form.”
What Customers Should Do
As with any retail data breach, customers should review their credit card and bank statements for fraudulent charges.
“As the investigation progresses, it’s likely that issuing banks will take proactive measures to cancel cards they suspect are compromised,” Casesa said. “Banks are monitoring stolen card data sites looking for their own cards, and it’s through this mechanism that the breaches are discovered.”
P.F. Chang’s customers should request a new credit card from their credit card issuer, Haber said.
For those choosing to visit a P.F. Chang’s restaurant, Haber advises: “If you can, pay cash until their electronic system is functioning again.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.