
Clueless About Card Data Hack, PF Chang's Reverts To Imprinting Devices

Posted by Soulskill
from the 40-year-old-technology-will-save-us dept.
wiredmikey writes: After saying earlier this week that it was investigating reports of a data breach related to payment cards used at its locations, P.F. Chang's China Bistro confirmed on Thursday that credit and debit card data has been stolen from some of its restaurants. What's interesting, and somewhat humorous, is that the company said that it has switched over to manual credit card imprinting systems for all of its restaurants located in the continental United States. The popular restaurant chain said that on Tuesday, June 10, the United States Secret Service alerted the company about the incident. Admitting that it does not know the extent or current situation and impact of the attack, the company noted in a statement: "All P.F. Chang's China Bistro branded restaurants in the continental U.S. are using manual credit card imprinting devices to handle our credit and debit card transactions," the company said. "This allows you to use your credit and debit cards safely." If it's not obvious, anyone who has visited a P.F. Chang's and used a payment card in the last several months should monitor their accounts and report any suspected fraudulent activity to their card company.

  • by Lab Rat Jason (2495638) on Friday June 13, 2014 @06:09PM (#47233335)
    My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch. If you want relief on your card, you have to order it through the mail. So I guess I'm not eating at Chang's tonight
    • Re: (Score:1, Redundant)

      by jrmcferren (935335)

      THIS is exactly why this isn't a perfect solution! Not only do they have to use ARU which is more costly per transaction, they would have to process it as card not present as they can't imprint on the card. If I had mod points I would mod the parent up.

      • jrmcferren is not in the sudoers file. This incident will be reported.

      • by mysidia (191772)

        THIS is exactly why this isn't a perfect solution! Not only do they have to use ARU which is more costly per transaction, they would have to process it as card not present as they can't imprint on the card.

        They can photograph the card and prove its presence that way.

        • by aitikin (909209)
          Doesn't matter to the bank. If the customer issues a chargeback, Chang's doesn't have a leg to stand on.
          • by mysidia (191772)

            If the customer issues a chargeback, Chang's doesn't have a leg to stand on.

            If the bank doesn't side with the merchant -- photographic evidence is sufficient for any court... Chang's can still manually send the customer a bill, ding their credit score if their meal ticket goes unpaid, and pursue other recourse: they can even add extra expenses to the debt incurred due to the chargeback, and possibly some interest charges and late fees on the debt...

            • by aitikin (909209)

              If the customer issues a chargeback, Chang's doesn't have a leg to stand on.

              If the bank doesn't side with the merchant -- photographic evidence is sufficient for any court...

              Bullshit. I'm in sales, my company's lost chargebacks with "photographic evidence" plenty of times. The bank sides with their client, the customer almost all the time.

    • Re: (Score:2, Informative)

      by sribe (304414)

      My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch.

      Uhmmm, my credit union prints their own cards right in the branch and hands them to you when you open an account. With raised numbers like a normal card. The card printers for making properly-embossed cards are not that expensive.

• Are you sure they aren't handing you a pre-made card? If you are opening a new account, they could give you any card (because your card number is not associated with your account number anymore). I agree the equipment isn't that expensive... but printing flat cards with the photo of your choice attracts more customers than embossed cards do. The cost of catering to the masses, I'm afraid.
        • by sribe (304414)

          Are you sure they aren't handing you a pre-made card? If you are opening a new account, they could give you any card (because your card number is not associated with your account number anymore). I agree the equipment isn't that expensive... but printing flat cards with the photo of your choice attracts more customers than embossed cards do. The cost of catering to the masses, I'm afraid.

          a) My name is embossed on the card.

          b) What makes you think they couldn't print a photo on an embossed card?

          • by gstoddart (321705)

            b) What makes you think they couldn't print a photo on an embossed card?

            I should hope nothing ... I have one it my wallet.

      • by EvilSS (557649)

        My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch.

        Uhmmm, my credit union prints their own cards right in the branch and hands them to you when you open an account. With raised numbers like a normal card. The card printers for making properly-embossed cards are not that expensive.

        Those raised numbers are going away. My credit union recently switched to flat cards from raised cards (raised cards were available instantly as well). Visa/MC wants to do away with imprints because they are a security risk (since they expose the entire card number on the receipt) so they dropped the embossing requirement a while back.

      • by lag10 (667114)

        Uhmmm, my credit union prints their own cards right in the branch and hands them to you when you open an account. With raised numbers like a normal card. The card printers for making properly-embossed cards are not that expensive.

        That may be the case, but it's a moot point considering that some cards received in the mail (such as Discover IT cards) are now switching to flat printed (unembossed) formats. It's no longer an issue of how expensive embossing machines are.

        Here's an article on the subject from MSE Money: http://money.msn.com/credit-cards/4-ways-credit-cards-are-changing [msn.com]

    • Re: (Score:3, Informative)

      by ArchieBunker (132337)

      You're doing yourself a favor by not eating at PF Chang's.

    • My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch. If you want relief on your card, you have to order it through the mail. So I guess I'm not eating at Chang's tonight

      My credit card company won't even accept carbon printed bills anymore. I'm not sure how this is supposed to work.

      • by Ol Olsoc (1175323)

        My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch. If you want relief on your card, you have to order it through the mail. So I guess I'm not eating at Chang's tonight

        My credit card company won't even accept carbon printed bills anymore. I'm not sure how this is supposed to work.

        MY credit card company doesn't accept anything. Now that's secure!

      • by Wing_Zero (692394)
        We have a fallback manual credit card machine where I work, used mainly for when the power goes out or the CC machine decides to take a dump (either can happen about twice a year). When the power comes back up, we can either

        A) Manually enter the CC# into our cash till (type the cc info into the machine by hand) or
        B) call our CC handler and read off the CC# over the phone.

        either way, the customer sees it as a normal swipe transaction on their bill. I don't see either way being anything less than worse
        • by Eugene (6671)

          Those processing methods are card-not-present transactions, and might be subject to abuse, especially if all you use is the imprinting machine. The customer could then dispute it, saying they never used the card at this location...

    • My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch. If you want relief on your card, you have to order it through the mail. So I guess I'm not eating at Chang's tonight

      I was handling non-embossed cards 20 years ago -- you know what we did? WE WROTE THE NUMBERS IN. It's not that hard. And paper copy really is the most secure method -- until the slips go through processing, at which point the physical copies go who knows where, and the information still goes via the internet to a database.

      The real reason for doing this is that this kind of processing was their cheapest option that contained minimal merchant liability.

      • by iggymanz (596061)

        wrong, your $5 an hour waiter makes 2nd copy of receipt for his friend to buy them both things, it's just 2nd tip.

        • by plover (150551)

          wrong, your $5 an hour waiter makes 2nd copy of receipt for his friend to buy them both things, it's just 2nd tip.

          Nope. The $5 an hour waiter uses the battery powered skimmer that he has in his pocket, and sells them to Jimmy the Sneak out the back door of the restaurant. Writing the numbers takes too long, and he could get caught.

          • by iggymanz (596061)

            nonsense, no need for any tech, copy takes less than ten seconds. friend is the one who gets caught, if anyone gets caught.

    • by whoever57 (658626)

      which don't have a relief on the printed data... .... So I guess I'm not eating at Chang's tonight

      Why not? Just eat there and let PF Chang's sort out the problem that they created. You have a valid means of payment, which the restaurant states that it accepts. Let PF Chang's figure out how to process the card.

    • Cool, you could go get real Chinese food instead of this RedOliveLobsterGarden corporate pale imitation. (Try the Xiao Long Bao)
      • A lot of Chinese food isn't real Chinese food. It's Americanized Chinese food. Though I share your sentiment that Chang's and Pei Wei seem to turn the "Chinese" food experience into something else, and not in a good way.
        • by Chelloveck (14643)

          A lot of {regional} food isn't real {regional} food. It's {localized} {regional} food.

          You can fill in {regional} with any non-local region. In the US you can say it for Mexican, Thai, Italian, German, Polish... In the northern US you can say it for Southern food, and so on. It's kind of a variant of the "no true Scotsman" argument. No true Chinese person would cook like they do at PF Changs, therefore PF Changs is not true Chinese.

      • by Ol Olsoc (1175323)

        Cool, you could go get real Chinese food instead of this RedOliveLobsterGarden corporate pale imitation. (Try the Xiao Long Bao)

        Yeah Chang's is the shits.

        ...and the glint of a solitary shaft of chromium steel.

        Wow, I wonder how many people here will get that one? One of their best.

    • by reanjr (588767)

      The imprint is for convenience only. There's nothing stopping the merchant from just writing in the info in ink pen. This is perfectly valid and will be honored by the card processor. I suppose it MIGHT take a bit more time to get processed if they're using OCR or some such thing, but most likely they hire teams of data entry drones with mad 10-key skills.

    • by SuperBanana (662181) on Friday June 13, 2014 @08:16PM (#47234023)

      The slip's form fields align with a credit card, but that doesn't mean the waitstaff can't write it in by hand. Impressions just made it faster, and gave some limited proof of "card presence."

      Also, why would you eat at PF Changs? PF Chang's is for people too afraid (to be polite) to step into the local Asian restaurants. It's overpriced low-to-mid-tier produce/meat with a sauce that came out of a can. If you're lucky, that can says "PF Changs teriyaki sauce", not "Sysco teriyaki sauce."

      I once ate there and the waiter actually felt it necessary to tell us that "soy sauce is like salt for Chinese food."

      Stop eating at chain restaurants. They suck - the food's bad, they run the local non-chains out of business - and they prey upon people who want bland consistency. Live a little. Support the local economy. Etc.

      • THIS!

        REAL restaurants tend to be cheaper, and of better quality. You're smoking crack if you'd rather go to PF Changs.

      • People eat at PF Chang's because they want American Chinese food. Real Chinese restaurants serve dishes that nobody's ever heard of. Moreover, before you go into a PF Chang's, you know exactly what you're going to get. The local place...it's a coin toss. For the record, I hate PF Chang's and would never voluntarily eat there.

        I will never understand people who get discombobulated by the fact that other people don't agree with their choices. "Prey upon people" WTF?

        • by Lehk228 (705449)
          > Moreover, before you go into a PF Chang's, you know exactly what you're going to get.

          knowing in advance that it's going to be shit, does not make it less shitty
      • by steelfood (895457)

        While I mostly agree with you, there is a market that P.F. Changs is filling that many local places cannot. Unless you're living in an area that has a good sized Chinese population, most "real" chinese food places serve items like fried chicken and egg drop soup. The rest of the menu is probably going to suck just as bad or worse.

        High end Chinese restaurants are hard to do, mostly because the majority of Americans (to no fault of their own) have long since associated Chinese food with cheap, and the "high en

    • by idommp (134503)
      I also have one of the flat, credit union issued debit cards. Not only can it not be imprinted, it plainly states, in bold red letters across the top of the back of the card, "FOR ELECTRONIC TRANSACTIONS ONLY". If you don't swipe the card, submit, and get approval at the point and time of purchase, you aren't getting paid.
  • One of my cards was reissued without raised digits on it about 3 years ago, so this plan might not work out so well for them. Also, I wonder how many of the 19 year-olds working there's minds just got blown by the swipe machine and now know why credit cards (used to) have raised digits.
  • There are a lot of cards now which don't have the numbers imprinted on them. Am I going to have to manually write out my card information when I go there now because these incompetent people can't be bothered to hire a couple security people and fix the problem instead of making it inconvenient and no more secure for anybody? Also, a credit card swipe is pretty much automatically processed; what kind of delay will be on the manual transactions?
  • Chip & Pin (Score:4, Insightful)

    by Anonymous Coward on Friday June 13, 2014 @06:18PM (#47233385)

    I heard the USA will finally get proper Chip & Pin cards next year ?

    I visited the US recently and discovered the joy of swipe & signature on paper receipts... It really feels like 3rd world technology.

    • I had the same problem but when using my card in Canada. Some places would read it but most would not. Called the credit card company to bitch and nobody knew what chip and pin was.

      • by whoever57 (658626)

        Some places would read it but most would not.

        I have been dealing with this in the UK for some time now. The card readers do actually have a slot for swiping cards -- it's just that the slot (on the side of the card reader) is so narrow that the cashiers don't know you can swipe a card through there.

        On my last trip, I used my new Citibank chip and signature card and that seemed to work OK, although there were some surprised cashiers as the signature slip printed out.

        • The ATMs give an error about my banking institution declining the transaction. Called card services a number of times and they claim no problems and don't see anything being declined. One certain ATM seems to work while most don't. Gas stations seem to read the card alright but then the grocery store couldn't. My bank's VISA card has more problems than my Mastercard. Seriously what the fuck?

          • When a vendor accepts a transaction via anything other than chip and pin, they take on significantly more responsibility for that transaction, and thus many vendors simply choose to decline those transactions.

    • by EvilSS (557649)

      I heard the USA will finally get proper Chip & Pin cards next year ?

      I visited the US recently and discovered the joy of swipe & signature on paper receipts... It really feels like 3rd world technology.

      Chip yes, PIN... maybe. PIN is not going to be a requirement from the credit card companies in the US, it will be left up to the individual issuing banks whether to include it or not. Supposedly it's to do with "customer acceptance" but really it's some BS around PIN payment processing vs regular CC processing networks and fees and how the new Chip & PIN transactions would be handled.

    • it's looking like chip & signature, not PIN. CC companies are worried that people will not remember their PIN and therefore spend less.

    • by reanjr (588767)

      Signatures are typically only for larger purchases. When you buy a pack of gum with a credit card, you almost never have to supply a signature. Also, in the US we buy packs of gum with credit cards, which is not really easy to do a lot of places outside of the US, with minimum purchases requirements.

      • by aitikin (909209)
        Minimum purchase requirements are against the agreement the organization has with the credit card company* (in the US) which is why you can pay for a pack of gum with a credit card.

        *Mind you, you'll still see plenty of smaller stores putting a minimum on purchases with CCs. They pay a larger transaction fee than big chains typically.
  • A company that didn't know it was breached, doesn't know the extent of the breach, and whose answer to the breach is to revert to 40-year-old tech using the phrase "If it's not obvious..."
  • by Anonymous Coward

    It's illegal to use those devices in California. I thought the whole reason those were phased out was because they actually facilitated card theft...

    • by Isara (869637)
      They're not illegal in California, just antiquated. They were phased out because they're not as convenient and the security on them is minimal to non-existent.
  • I was under the impression (no pun intended) that the old-school imprint technique was declared unacceptable (in the PCI-DSS rules) a few years back.
    Perhaps the rules for securing the imprints were just so cumbersome that it made using them completely impractical. I can't imagine fast food joints maintaining the physical security required for this.
    • by dave562 (969951)

      I was thinking something similar. Now instead of having a bunch of numbers easily accessible to thieves in a compromised POS system, they are simply going to be discarding a bunch of imprints covered in Chinese food waste.

    • by mirix (1649853)

      I haven't seen the desk-type imprint machine in ages. Must be 20 years, maybe 10 - 15 years in backwater areas.

      Though the last time I got my car towed, the driver had some sort of miniature impression rig. Which still makes sense, if you're out of range of network and whatnot...

      Also in Cuba, they had one down there. Which sorta makes sense too.

    • by nolife (233813)

      A lot of taxi drivers still do the old school impression method.

    • by hurfy (735314)

      Nope, we still use one for two weeks at the fairgrounds. No, I don't want to buy a smartphone and a data plan for 10 days a year. If you can't manage to not lose a handful of receipts, how the heck would a business deal with cash?

      I imagine they figured the losses from bad cards were acceptable given the circumstances. I can't see them imprinting and immediately running the card. In that case a dial-up swipe terminal makes more sense.

      They probably aren't processing the cards at all yet. Otherwise they key the

  • You'll see things here that look odd, even antiquated to modern eyes, like phones with cords, awkward manual valves, computers that, well, barely deserve the name. It was all designed to operate against an enemy who could infiltrate and disrupt even the most basic computer systems. Galactica is a reminder of a time when we were so frightened by our enemies that we literally looked backward for protection...
  • by hey! (33014) on Friday June 13, 2014 @06:45PM (#47233543) Homepage Journal

    Back in the 80s I worked for a company that did back office accounting systems. Then I moved to a large non-profit and was in charge of both back office and customer facing systems. This was when the Internet was for non-commercial traffic only, so "customer facing" meant a live operator at a dumb terminal hooked up to a minicomputer.

    My new employer wanted me to develop a system that would among other things take credit cards from donors and volunteers. I was pretty confident on the technical end of things, but I wasn't sure about handling the financial data. So I called in a CPA friend I'd met at my prior job, and he looked over the design documentation for the system to make sure everything was kosher.

    "You can't store credit card information in the database," he said.

    "Why not?"

    "Because it's insecure," he said.

    "But it's convenient," I said.

    "That's the problem," he said. "Look, any of the operators will be able to look up credit card information on any donor. Some of these donors are rich. You'd be able to go on one hell of a shopping spree with just one of their credit cards."

    "What if I make it harder to look up the data?"

    "Then it's not convenient anymore," he said. "Look, you don't actually have a use for this data once you've processed the credit card transactions. And while you're keeping it around in case you might someday have a use for it, it leaves you wide open to theft. It'd be a disaster; customers won't do business with you because your reputation will be in the toilet. Get rid of it. Get it out of the database, any logs you have, and make sure it's not in any backup tapes."

    And when I thought about it I realized he was right. There was no point in exposing my employer to risk for no real benefit. That's when I learned an important principle of security: don't hold onto sensitive data that you don't actually have a use for. I suppose you could generalize: don't keep sensitive data on any system where there is no compelling need to store it there.

    Things have changed now; storing credit card data has come to be regarded as routine in the post-1 click, impulse buy Internet world. But even though it is the *norm*, that doesn't mean you should automatically do it. There's actually a use in a web store for storing credit card data which offsets the risk (which you should still minimize). There's no reason for a restaurant to store credit card information -- that's just blind habit. Waiter takes the customer credit card, runs the transaction, and hands the card back to the customer, and then restaurant no longer has the data. You can't lose what you don't have.

    Of course in this case it's probably not P.F. Chang's fault. They bought a POS system which left them open. It probably is all slick and really very helpful at keeping things moving, like maybe taking the customers card at the table. It'd be interesting to know how the POS system vendor screwed this up, because clearly they did.

    There is no encryption or security architecture that beats not having the data.

    • by gigne (990887) on Friday June 13, 2014 @07:00PM (#47233635) Homepage Journal

      "Things have changed now; storing credit card data has come to be regarded as routine in the post-1 click, impulse buy Internet world."

      Having integrated with several payment processing systems, I can tell you no one stores credit card information any more. At least in Europe. PCI-DSS regulations are very clear on this.

      What we have now is a token we can use. The token is returned after a payment is made. You can keep this token in the DB to allow repeat purchases. This is similar to storing the credit card, but you can only re-use that token with the single payment processor company and give the original payee that money.

      Pretty much useless for a criminal.

      The liability for leaking a cc number is now with the payment processor, and they are generally held to a higher security standard than your average Chinese restaurant chain.

      • by stinerman (812158)

        I've worked with payment processing here in the States. You can store the number and the expiration date but not the CVV2. Of course, no CVV2 means higher processing fees, which means customers will ask for ways of storing the CVV2. We tell them that makes them non-compliant and they don't really care. They just want lower processing fees and pay lip service to compliance.
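The token-based design gigne describes, and stinerman's point that the CVV2 must never be persisted, can be shown in a few lines. What follows is an added example written for this page, not code from the thread or from any real payment processor: a hypothetical processor that owns the vault and issues random tokens, a merchant-side store that refuses to save sensitive authentication data, and a check that a token is worthless with another processor or merchant account. All class and field names are assumptions; the PAN is the well-known Visa test number.

```python
# Added example (Python): toy tokenization flow, not code from the thread or
# from any real processor. Names (Processor, MerchantDB, tok_ prefix) are
# hypothetical.
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Card:
    pan: str      # primary account number as typed/swiped
    expiry: str   # "MM/YY"
    cvv2: str     # used once for the first charge, then discarded


class Processor:
    """Hypothetical processor. It owns the vault, so a stolen merchant DB
    yields only tokens, which cannot be replayed anywhere else."""

    def __init__(self, name: str):
        self.name = name
        self._vault = {}  # token -> (merchant_id, pan, expiry); CVV2 never stored

    def charge_and_tokenize(self, merchant_id: str, card: Card, cents: int) -> str:
        if not card.cvv2.isdigit() or len(card.cvv2) not in (3, 4):
            raise ValueError("CVV2 required for the initial card-not-present charge")
        token = "tok_" + secrets.token_hex(12)
        # Random token, not derived from the PAN, so it reveals nothing about it.
        self._vault[token] = (merchant_id, card.pan, card.expiry)
        return token

    def charge_token(self, merchant_id: str, token: str, cents: int) -> dict:
        rec = self._vault.get(token)
        if rec is None or rec[0] != merchant_id:
            raise PermissionError("token unknown here or bound to another merchant")
        return {"approved": True, "amount": cents, "last4": rec[1][-4:]}


def can_charge(processor: Processor, merchant_id: str, token: str) -> bool:
    """True if this processor honours the token for this merchant account."""
    try:
        return processor.charge_token(merchant_id, token, 100)["approved"]
    except PermissionError:
        return False


# Fields PCI-DSS classes as sensitive authentication data: never persisted.
FORBIDDEN = {"cvv2", "cvv", "cvc", "pin", "track1", "track2"}


class MerchantDB:
    """What the merchant may keep for repeat purchases: token, last four, expiry."""

    def __init__(self):
        self.customers = {}

    def save_payment_method(self, customer_id: str, record: dict) -> bool:
        keys = {k.lower() for k in record}
        if keys & FORBIDDEN or "pan" in keys:
            return False  # refuse to store card data; the token is enough
        if "token" not in keys:
            return False
        self.customers[customer_id] = dict(record)
        return True


def run_demo() -> dict:
    """First purchase, repeat purchase, and the cases that must fail."""
    proc_a, proc_b = Processor("ProcA"), Processor("ProcB")
    card = Card("4111111111111111", "12/15", "123")  # well-known test PAN
    token = proc_a.charge_and_tokenize("merchant-1", card, 4217)
    db = MerchantDB()
    return {
        "stored_with_cvv2": db.save_payment_method(
            "cust-1", {"token": token, "last4": card.pan[-4:],
                       "expiry": card.expiry, "cvv2": card.cvv2}),
        "stored_token_only": db.save_payment_method(
            "cust-1", {"token": token, "last4": card.pan[-4:], "expiry": card.expiry}),
        "repeat_same_processor": can_charge(proc_a, "merchant-1", token),
        "replay_other_processor": can_charge(proc_b, "merchant-1", token),
        "replay_other_merchant": can_charge(proc_a, "merchant-2", token),
        "pan_in_merchant_db": any("pan" in r for r in db.customers.values()),
    }


if __name__ == "__main__":
    print(run_demo())
```

The merchant-side guard is the part worth copying: it rejects any record carrying CVV2, PIN or track data outright rather than trusting callers to leave them out, which is the pressure stinerman describes from customers wanting lower fees.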

    • "You can't store credit card information in the database," he said.

      if you didn't know the answer to that, you really should not be writing such software.

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        if you didn't know the answer to that, you really should not be writing such software.

        GP knew to call someone in who was more knowledgeable. If you didn't know to do that, then you really shouldn't be doing jack shit.

    • "Then it's not convenient anymore," he said. "Look, you don't actually have a use for this data once you've processed the credit card transactions.

      your software should never even have the data at all. it should be coming off a card read encrypted and going straight to the payment processor in that fashion. if you ever keep unencrypted card data around, even if it's only in the memory of your device, it's trouble (that's how target got hit ... something was scanning their memory for things that looked like credit card data).

      and there's a lot more to it than that, not the least of which is ensuring that the hardware itself cannot be tampered with / hack
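The comment above describes card data being found in process memory. The defender's counterpart to that is a card-data discovery check run over your own logs, crash dumps or memory images to confirm the POS software is not holding plaintext PANs. Below is an added example, not code from the thread: a Luhn-filtered scanner plus a redactor for safe log shipping. The log buffer is constructed for the example, and the PAN in it is the well-known Visa test number.

```python
# Added example (Python), not code from the thread: discovery of PAN-like
# data in a text buffer, with Luhn filtering to drop phone numbers, order
# ids and timestamps. SAMPLE_LOG is constructed.
import re


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def mask(pan: str) -> str:
    """Keep first six and last four, the most PCI-DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(blob: str) -> list:
    """Return (masked_pan, offset) for each Luhn-valid candidate in blob."""
    hits = []
    for m in CANDIDATE.finditer(blob):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((mask(digits), m.start()))
    return hits


def redact(blob: str) -> str:
    """Replace every Luhn-valid candidate with its masked form."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask(digits)
        return m.group()
    return CANDIDATE.sub(_sub, blob)


# Constructed POS debug log: the second line leaks track data; the other
# numbers (timestamps, order ids, a phone number, a ticket id) are not PANs.
SAMPLE_LOG = (
    "2014-06-13 18:09:01 pos[412] auth ok order=8831 amount=42.17 token=tok_7f3a1c\n"
    "2014-06-13 18:09:02 pos[412] DEBUG track2=4111111111111111=1512101xxxxxxx\n"
    "2014-06-13 18:09:03 pos[412] order=8832 phone=555-123-4567 ticket=1234567890123\n"
)


if __name__ == "__main__":
    for masked, offset in find_pans(SAMPLE_LOG):
        print(f"PAN-like data at offset {offset}: {masked}")
    print(redact(SAMPLE_LOG))
```

Run against a real buffer, a single hit is enough to show the application is retaining data it never needed; the Luhn filter keeps the noise from 13-digit ticket ids and similar out of the report.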

      • by hey! (33014)

        These were telemarketing operators who didn't have physical access to the credit card. Anyway, back in those days the data wasn't encrypted yet. So I fear I have led you to squander an insightful comment.

        It's easy for an old timer to forget that people under the age of 40 have never ordered anything over the phone. At the time I'm talking about, the web was years in the future, and it was illegal to conduct commerce over the Internet (which we called "the ARPANet"). Most businesses ran entirely on paper,

        • I think you may be confusing your times; by the 80s kids had Atari 2600s and Apple IIs.
          • by hey! (33014)

            Very few kids. And most of those didn't have modems. Adults often did, and they could buy things on CompuServe or AOL dialup, at 1200 baud. Not many people did, and those who did so did it more for the novelty value.

            But I did slip from 1986 to 1967 in my reminiscing. It was the comic book thing. My dad had a restaurant next to a convenience store and I used to buy my comic books there.

    • There is no encryption or security architecture that beats not having the data.

      YES! I agree completely, because sometimes you just don't have the data.
      --Your Friendly IRS branch audit store. Stop by and we'll check each other out!

      After Non-Profit Application Furor, IRS Says It's Lost 2 Years Of Lois Lerner's emails [slashdot.org]

      One. [slashdot.org] Two. [slashdot.org] Three. [slashdot.org]

  • by jamesl (106902) on Friday June 13, 2014 @06:52PM (#47233591)

    ... is King.

    • Cash, when stolen, is gone. I'd rather not go back to the days of carrying a hundred bucks or more in my wallet when going out for the night, walking back to my car in a dimly lit street surrounded by sketchy/drunk people.

      Somebody steals my card - or card info - I cancel the card. It's done. I owe no debts so long as I watch my charges and report if something goes wrong

      Somebody steals my wallet with my card. I cancel the card. It's done. I owe no debts so long as I report the card stolen

      Somebody steal my

  • Nobody handles cards like that anymore. So. Let's put an ad on Craigslist in the "gigs" section. Then we can have some guy who says he has a work permit (honestly) drive them over to his mama's house on the East side of town. He'll scan them with her XP machine so they can get onto the network.

  • Credit cards are a ponzi scheme, are not backed by any hard currency, cannot be used to pay taxes and are only used by drug dealers and money launderers. Oh, wait....

    • by stinerman (812158)

      Of course they can be used to pay taxes. I paid the balance of my federal income tax using a credit card.

      Yes, I know...

  • ...the clunk-a-chunk machine.

    I know retro is in, but this is going too far.

  • How the heck does old fashioned imprinting help me to use a debit card?

    Do these people actually not understand any of this technology?

    • by hurfy (735314)

      Imprinting implies they are not billing the card immediately at all.

      Not billing your debit card at the moment is only slightly more risky than real CC. They are more likely concerned with image and customer satisfaction atm.

      • by gstoddart (321705)

        Obviously, because it's paper. Which is not immediate.

        But, I didn't think you could do a debit transaction with just an imprint. How do you know which account? You certainly don't have my PIN.

        I'm skeptical this would even work. I've never heard of doing a debit transaction with an imprint ... it may exist, but that would surprise me.

        • by Lehk228 (705449)
          Most debit cards can be run as credit. If you have a usage limit on debit PIN transactions, you likely do not have a limit on debit/credit transactions; they are not processed instantly, so you have to be smart about not spending all your money.
        • by mysidia (191772)

          Obviously, because it's paper. Which is not immediate.

          But, I didn't think you could do a debit transaction with just an imprint.

          It's probably not just paper. The debit card probably has a MC/Visa logo. Mastercard/Visa/Discover have or had an "authorization call center". If the magnetic stripe on a card won't work; there's a phone number the merchant is to call in. Give their merchant account number verbally; give the Credit card number, expiration date, flip the card over, and read off the 7-d

  • So all you have to do is get the carbons from the trash now for those, like back in the 80s??
