Clueless About Card Data Hack, PF Chang's Reverts To Imprinting Devices
wiredmikey writes: After saying earlier this week that it was investigating reports of a data breach related to payment cards used at its locations, P.F. Chang's China Bistro confirmed on Thursday that credit and debit card data has been stolen from some of its restaurants. What's interesting, and somewhat humorous, is that the company said that it has switched over to manual credit card imprinting systems for all of its restaurants located in the continental United States. The popular restaurant chain said that on Tuesday, June 10, the United States Secret Service alerted the company about the incident. Admitting that it does not know the extent or current situation and impact of the attack, the company noted in a statement: "All P.F. Chang's China Bistro branded restaurants in the continental U.S. are using manual credit card imprinting devices to handle our credit and debit card transactions," the company said. "This allows you to use your credit and debit cards safely." If it's not obvious, anyone who has visited a P.F. Chang's and used a payment card in the last several months should monitor their accounts and report any suspected fraudulent activity to their card company.
Re: (Score:2)
Doesn't the merchant have to send the imprint to the CC company (who presumably shreds them)? Or do you mean the carbon copy that they give you? Because that's the customer's problem. Also, the newer slips don't imprint the full card number on the copy, IIRC.
Re:more secure? (Score:5, Insightful)
> So now I can physically steal boxes of credit card numbers with signatures right at the bottom?
Everybody understands physical security. Store the boxes in a locked closet in the manager's office and the number of people who have access is reduced to a handful of employees, all of whom are also subject to our local legal system. Put the data on the network and the number of people who might have access to it is practically the entire internet, the majority of which are outside of US jurisdiction.
Re: (Score:2)
When the physical security is breached, the customers at that one store with the rogue employee/thief are affected. When the records are online, you can have all the customers at many or all of the stores affected by a single breach.
Re:more secure? (Score:4, Insightful)
Physically, you can steal one box at a time, perhaps 1000 receipts. And the thief must be physically present, and risk his ass getting caught doing so.
Electronically, you can sit in Odessa, Ukraine, and steal 44 million accounts from every cash register at a major retailer. And the thief risks absolutely nothing, because his government is too busy fighting the Russian separatists who have taken over City Hall.
See the difference?
What about flat cards? (Score:5, Informative)
Re: (Score:1, Redundant)
THIS is exactly why this isn't a perfect solution! Not only do they have to use ARU which is more costly per transaction, they would have to process it as card not present as they can't imprint on the card. If I had mod points I would mod the parent up.
Re: (Score:1)
jrmcferren is not in the sudoers file. This incident will be reported.
Re: (Score:2)
THIS is exactly why this isn't a perfect solution! Not only do they have to use ARU which is more costly per transaction, they would have to process it as card not present as they can't imprint on the card.
They can photograph the card and prove its presence that way.
Re: (Score:2)
If the customer issues a chargeback, Chang's doesn't have a leg to stand on.
If the bank doesn't side with the merchant -- photographic evidence is sufficient for any court... Chang's can still manually send the customer a bill, ding their credit score if their meal ticket goes unpaid, and pursue other recourse: they can even add extra expenses to the debt incurred due to the chargeback, and possibly some interest charges and late fees on the debt...
Re: (Score:2)
If the customer issues a chargeback, Chang's doesn't have a leg to stand on.
If the bank doesn't side with the merchant -- photographic evidence is sufficient for any court...
Bullshit. I'm in sales, my company's lost chargebacks with "photographic evidence" plenty of times. The bank sides with their client, the customer almost all the time.
Re: (Score:2, Informative)
My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch.
Uhmmm, my credit union prints their own cards right in the branch and hands them to you when you open an account. With raised numbers like a normal card. The card printers for making properly-embossed cards are not that expensive.
Re: (Score:2)
Are you sure they aren't handing you a pre-made card? If you are opening a new account, they could give you any card (because your card number is not associated with your account number anymore). I agree the equipment isn't that expensive... but printing flat cards with the photo of your choice attracts more customers than embossed cards do. The cost of catering to the masses, I'm afraid.
a) My name is embossed on the card.
b) What makes you think they couldn't print a photo on an embossed card?
Re: (Score:2)
I should hope nothing ... I have one in my wallet.
Re: (Score:3)
My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch.
Uhmmm, my credit union prints their own cards right in the branch and hands them to you when you open an account. With raised numbers like a normal card. The card printers for making properly-embossed cards are not that expensive.
Those raised numbers are going away. My credit union recently switched to flat cards from raised cards (raised cards were available instantly as well). Visa/MC wants to do away with imprints because they are a security risk (since they expose the entire card number on the receipt) so they dropped the embossing requirement a while back.
Re:What about flat cards? (Score:5, Insightful)
Why keep using ancient swipe technology?
Chip and PIN is a *much* better system.
Re: (Score:2)
It's coming... Starting in Oct 2015 there will be "incentives" for vendors to have the means to accept them. It will still take a few more years, but it is coming.
Frankly it amazes me that it is so hard to find a chip and pin card in the USA now. I got a traveler-oriented credit card a couple months ago. When shopping around, the chip and pin cards were really nowhere to be found, despite how useful they would be if I were to travel to Europe. It wasn't a feature high on my list though since I primarily travel to Switzerland and Japan, both of which seem to accept the chipless cards.
Re: (Score:2)
Chip and sig makes no sense whatsoever. The point of the PIN is that the chip will not divulge its information without a correct PIN being entered.
Re: (Score:2)
EMV chip cards do way more than just VERIFY the PIN. They can perform card authentication (the card cannot be counterfeited/hacked), risk management, and cardholder verification.
If I had to guess, those Chip & Sign cards issued in the US are usually signature-preferring (at least some PIN methods are still available on the card, but the setting in the card will always prefer signature unless it's not possible) and not signature-only cards.
Re: (Score:2)
Uhmmm, my credit union prints their own cards right in the branch and hands them to you when you open an account. With raised numbers like a normal card. The card printers for making properly-embossed cards are not that expensive.
That may be the case, but it's a moot point considering that some cards received in the mail (such as Discover IT cards) are now switching to flat printed (unembossed) formats. It's no longer an issue of how expensive embossing machines are.
Here's an article on the subject from MSE Money: http://money.msn.com/credit-cards/4-ways-credit-cards-are-changing
Re: (Score:3, Informative)
You're doing yourself a favor by not eating at PF Chang's.
Re: (Score:2)
My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch. If you want relief on your card, you have to order it through the mail. So I guess I'm not eating at Chang's tonight
My credit card company won't even accept carbon printed bills anymore. I'm not sure how this is supposed to work.
Re: (Score:2)
My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch. If you want relief on your card, you have to order it through the mail. So I guess I'm not eating at Chang's tonight
My credit card company won't even accept carbon printed bills anymore. I'm not sure how this is supposed to work.
MY credit card company doesn't accept anything. Now that's secure!
Re: (Score:1)
A) Manually enter the CC# into our cash till (type the cc info into the machine by hand) or
B) call our CC handler and read off the CC# over the phone.
either way, the customer sees it as a normal swipe transaction on their bill. I don't see either way being anything less than worse
Re: (Score:2)
Those processing methods are card-not-present transactions, and might be subject to abuse, especially if all you use is the imprinting machine. The customer could then dispute it, claiming they never used the card at this location...
Re: (Score:1)
My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch. If you want relief on your card, you have to order it through the mail. So I guess I'm not eating at Chang's tonight
I was handling non-embossed cards 20 years ago -- you know what we did? WE WROTE THE NUMBERS IN. It's not that hard. And paper copy really is the most secure method -- until the slips go through processing, at which point the physical copies go who knows where, and the information still goes via the internet to a database.
The real reason for doing this is that this kind of processing was their cheapest option that contained minimal merchant liability.
Re: (Score:2)
Wrong, your $5 an hour waiter makes a 2nd copy of the receipt for his friend to buy them both things; it's just a 2nd tip.
Re: (Score:2)
Wrong, your $5 an hour waiter makes a 2nd copy of the receipt for his friend to buy them both things; it's just a 2nd tip.
Nope. The $5 an hour waiter uses the battery powered skimmer that he has in his pocket, and sells them to Jimmy the Sneak out the back door of the restaurant. Writing the numbers takes too long, and he could get caught.
Re: (Score:2)
nonsense, no need for any tech, copy takes less than ten seconds. friend is the one who gets caught, if anyone gets caught.
Re: (Score:2)
Why not? Just eat there and let PF Chang's sort out the problem that they created. You have a valid means of payment, which the restaurant states that it accepts. Let PF Chang's figure out how to process the card.
Re: (Score:2)
A lot of {regional} food isn't real {regional} food. It's {localized} {regional} food.
You can fill in {regional} with any non-local region. In the US you can say it for Mexican, Thai, Italian, German, Polish... In the northern US you can say it for Southern food, and so on. It's kind of a variant of the "no true Scotsman" argument. No true Chinese person would cook like they do at PF Changs, therefore PF Changs is not true Chinese.
Re: (Score:2)
Cool, you could go get real Chinese food instead of this RedOliveLobsterGarden corporate pale imitation. (Try the Xiao Long Bao)
Yeah Chang's is the shits.
Wow, I wonder how many people here will get that one? One of their best.
Re: (Score:2)
Sorry, I have no desire to eat dog meat, fish entrails, insects, or tiger penis.
This. As a USAian, I like so-called Americanized fare. In many places it is WAY better than the "genuine" places that a bunch of hipster doofuses think are so great for being so genuine.
Re: (Score:2)
The imprint is for convenience only. There's nothing stopping the merchant from just writing in the info in ink pen. This is perfectly valid and will be honored by the card processor. I suppose it MIGHT take a bit more time to get processed if they're using OCR or some such thing, but most likely they hire teams of data entry drones with mad 10-key skills.
It's written in by hand (Score:5, Insightful)
The slip's form fields align with a credit card, but that doesn't mean the waitstaff can't write it in by hand. Impressions just made it faster, and gave some limited proof of "card presence."
Also, why would you eat at PF Changs? PF Chang's is for people too afraid (to be polite) to step into the local Asian restaurants. It's overpriced low-to-mid-tier produce/meat with a sauce that came out of a can. If you're lucky, that can says "PF Changs teriyaki sauce", not "Sysco teriyaki sauce."
I once ate there and the waiter actually felt it necessary to tell us that "soy sauce is like salt for Chinese food."
Stop eating at chain restaurants. They suck - the food's bad, they run the local non-chains out of business - and they prey upon people who want bland consistency. Live a little. Support the local economy. Etc.
Re: (Score:2)
THIS!
REAL restaurants tend to be cheaper, and of better quality. You're smoking crack if you'd rather go to PF Changs.
Re: (Score:2)
People eat at PF Chang's because they want American Chinese food. Real Chinese restaurants serve dishes that nobody's ever heard of. Moreover, before you go into a PF Chang's, you know exactly what you're going to get. The local place...it's a coin toss. For the record, I hate PF Chang's and would never voluntarily eat there.
I will never understand people who get discombobulated by the fact that other people don't agree with their choices. "Prey upon people" WTF?
Re: (Score:2)
knowing in advance that it's going to be shit, does not make it less shitty
Re: (Score:2)
While I mostly agree with you, there is a market that P.F. Chang's is filling that many local places cannot. Unless you're living in an area that has a good sized Chinese population, most "real" Chinese food places serve items like fried chicken and egg drop soup. The rest of the menu is probably going to suck just as bad or worse.
High end Chinese restaurants is hard to do, mostly because the majority of Americans (to no fault of their own) have long since associated Chinese food with cheap, and the "high en
Non-imprintable Cards (Score:2)
Re: (Score:1)
If you are such a paranoid douche, then why the fuck are you donating blood? You know the gubbermint is really taking your blood and doing a full DNA analysis on it to find the key genome sequence that will grant Obama immortality, so he can declare himself supreme ruler for the next 300 years and enslave the rest of humanity in FEMA camps as part of the Reptoid conspiracy.
No imprint? (Score:2)
Chip & Pin (Score:4, Insightful)
I heard the USA will finally get proper Chip & Pin cards next year ?
I visited the US recently and discovered the joy of swipe & signature on paper receipts... It really feels like 3rd world technology.
Re: (Score:2)
I had the same problem but when using my card in Canada. Some places would read it but most would not. Called the credit card company to bitch and nobody knew what chip and pin was.
Re: (Score:2)
I have been dealing with this in the UK for some time now. The card readers do actually have a slot for swiping cards -- it's just that the slot (on the side of the card reader) is so narrow that the cashiers don't know you can swipe a card through there.
On my last trip, I used my new Citibank chip and signature card and that seemed to work OK, although there were some surprised cashiers as the signature slip printed out.
Re: (Score:2)
The ATMs give an error about my banking institution declining the transaction. Called card services a number of times and they claim no problems and don't see anything being declined. One certain ATM seems to work while most don't. Gas stations seem to read the card alright but then the grocery store couldn't. My bank's VISA card has more problems than my Mastercard. Seriously what the fuck?
Re: (Score:2)
When a vendor accepts a transaction via anything other than chip and pin, they take on significantly more responsibility for that transaction, and thus many vendors simply choose to decline those transactions.
Re: (Score:2)
I heard the USA will finally get proper Chip & Pin cards next year ?
I visited the US recently and discovered the joy of swipe & signature on paper receipts... It really feels like 3rd world technology.
Chip yes, PIN... maybe. PIN is not going to be a requirement from the credit card companies in the US, it will be left up to the individual issuing banks whether to include it or not. Supposedly it's to do with "customer acceptance" but really it's some BS around PIN payment processing vs regular CC processing networks and fees and how the new Chip & PIN transactions would be handled.
Re: (Score:2)
it's looking like chip & signature, not PIN. CC companies are worried that people will not remember their PIN and therefore spend less.
Re: (Score:2)
Signatures are typically only for larger purchases. When you buy a pack of gum with a credit card, you almost never have to supply a signature. Also, in the US we buy packs of gum with credit cards, which is not really easy to do a lot of places outside of the US, with minimum purchases requirements.
Re: (Score:2)
*Mind you, you'll still see plenty of smaller stores putting a minimum on purchases with CCs. They pay a larger transaction fee than big chains typically.
Now That's Amusing (Score:2)
Illegal (Score:1)
It's illegal to use those devices in California. I thought the whole reason those were phased out was because they actually facilitated card theft...
Imprint is still allowed? (Score:2)
Perhaps the rules for securing the imprints were just so cumbersome that it made using them completely impractical. I can't imagine fast food joints maintaining the physical security required for this.
Re: (Score:2)
I was thinking something similar. Now instead of having a bunch of numbers easily accessible to thieves in a compromised POS system, they are simply going to be discarding a bunch of imprints covered in Chinese food waste.
Re: (Score:2)
I haven't seen the desk-type imprint machine in ages. Must be 20 years, maybe 10 - 15 years in backwater areas.
Though the last time I got my car towed, the driver had some sort of miniature impression rig. Which still makes sense, if you're out of range of network and whatnot...
Also in Cuba, they had one down there. Which sorta makes sense too.
Re: (Score:1)
A lot of taxi drivers still do the old school impression method.
Re: (Score:2)
Nope, we still use one for two weeks at the fairgrounds. No, I don't want to buy a smartphone and a data plan for 10 days a year. If you can't manage to not lose a handful of receipts, how the heck would a business deal with cash?
I imagine they figured the losses from bad cards were acceptable given the circumstances. I can't see them imprinting and immediately running the card. In that case a dial-up swipe terminal makes more sense.
They probably aren't processing the cards at all yet. Otherwise they key the
Secure against Cylons (Score:2)
Never store sensitive data you don't need. (Score:5, Insightful)
Back in the 80s I worked for a company that did back office accounting systems. Then I moved to a large non-profit and was in charge of both back office and customer facing systems. This was when the Internet was for non-commercial traffic only, so "customer facing" meant a live operator at a dumb terminal hooked up to a minicomputer.
My new employer wanted me to develop a system that would, among other things, take credit cards from donors and volunteers. I was pretty confident on the technical end of things, but I wasn't sure about handling the financial data. So I called in a CPA friend I'd met at my prior job, and he looked over the design documentation for the system to make sure everything was kosher.
"You can't store credit card information in the database," he said.
"Why not?"
"Because it's insecure," he said.
"But it's convenient," I said.
"That's the problem," he said. "Look, any of the operators will be able to look up credit card information on any donor. Some of these donors are rich. You'd be able to go on one hell of a shopping spree with just one of their credit cards."
"What if I make it harder to look up the data?"
"Then it's not convenient anymore," he said. "Look, you don't actually have a use for this data once you've processed the credit card transactions. And while you're keeping it around in case you might someday have a use for it, it leaves you wide open to theft. It'd be a disaster; customers won't do business with you because your reputation will be in the toilet. Get rid of it. Get it out of the database, any logs you have, and make sure it's not in any backup tapes."
And when I thought about it I realized he was right. There was no point in exposing my employer to risk for no real benefit. That's when I learned an important principle of security: don't hold onto sensitive data that you don't actually have a use for. I suppose you could generalize: don't keep sensitive data on any system where there is no compelling need to store it there.
Things have changed now; storing credit card data has come to be regarded as routine in the post-1-click, impulse buy Internet world. But even though it is the *norm*, that doesn't mean you should automatically do it. There's actually a use in a web store for storing credit card data which offsets the risk (which you should still minimize). There's no reason for a restaurant to store credit card information -- that's just blind habit. The waiter takes the customer's credit card, runs the transaction, and hands the card back to the customer, and then the restaurant no longer has the data. You can't lose what you don't have.
Of course in this case it's probably not P.F. Chang's fault. They bought a POS system which left them open. It probably is all slick and really very helpful at keeping things moving, like maybe taking the customer's card at the table. It'd be interesting to know how the POS system vendor screwed this up, because clearly they did.
There is no encryption or security architecture that beats not having the data.
Re:Never store sensitive data you don't need. (Score:5, Informative)
"Things have changed now; storing credit card data has come to be regarded as routine in the post-1 click, impulse buy Internet world."
Having integrated with several payment processing systems, I can tell you no one stores credit card information any more. At least in Europe. PCI-DSS regulations are very clear on this.
What we have now is a token we can use. The token is returned after a payment is made. You can keep this token in the DB to allow repeat purchases. This is similar to storing the credit card, but you can only re-use that token with the single payment processor company and give the original payee that money.
Pretty much useless for a criminal.
The liability for leaking a cc number is now with the payment processor, and they are generally held to a higher security standard than your average Chinese restaurant chain.
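The token-on-file model this comment describes, as an added example that is not the commenter's code or any real processor's API: a hypothetical in-memory processor vaults the PAN and returns a token bound to the merchant that obtained it, and the merchant's own store refuses to persist anything that looks like a PAN or CVV2. The card number used is a published test PAN.

```python
"""Card-on-file via processor tokens: the merchant keeps a token plus
display data (last four), never the PAN or CVV2. Added illustration; the
processor is a hypothetical in-memory stand-in, not a real gateway's API."""
import re
import secrets

# 13 to 19 consecutive digits that are not part of a longer digit run.
PAN_LIKE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


class PaymentProcessor:
    """Hypothetical processor: vaults the PAN on its side and hands back a
    token that only works for the merchant that obtained it."""

    def __init__(self):
        self._vault = {}  # token -> (merchant_id, pan, expiry)

    def charge_card(self, merchant_id, pan, expiry, cvv2, amount_cents):
        # CVV2 is checked for this authorisation only and never written anywhere.
        if not (PAN_LIKE.fullmatch(pan) and re.fullmatch(r"\d{3,4}", cvv2)):
            raise ValueError("declined")
        token = "tok_" + secrets.token_urlsafe(18)
        self._vault[token] = (merchant_id, pan, expiry)
        return {"token": token, "last4": pan[-4:], "amount": amount_cents}

    def charge_token(self, merchant_id, token, amount_cents):
        entry = self._vault.get(token)
        # A leaked token is useless to anyone else: it is bound to the merchant.
        if entry is None or entry[0] != merchant_id:
            raise PermissionError("token not valid for this merchant")
        return {"token": token, "last4": entry[1][-4:], "amount": amount_cents}


class MerchantDB:
    """Merchant-side customer store that refuses to hold card data at all."""

    FORBIDDEN_KEYS = {"pan", "card_number", "cvv2", "cvc", "track2"}

    def __init__(self):
        self.rows = {}

    def save(self, customer_id, record):
        # Guard rail: reject any record that would drag the DB into PCI scope,
        # whether by an obvious column name or by a PAN hiding in free text.
        for key, value in record.items():
            if key.lower() in self.FORBIDDEN_KEYS:
                raise ValueError(f"refusing to store {key}")
            if isinstance(value, str) and PAN_LIKE.search(value):
                raise ValueError(f"value of {key} looks like a full PAN")
        self.rows[customer_id] = record


def card_on_file_flow(pan="4111111111111111"):
    """First purchase with the card, repeat purchase with the token, then a
    stolen token presented by a different merchant and two attempts to store
    card data. The default PAN is a published test number."""
    processor = PaymentProcessor()
    db = MerchantDB()
    first = processor.charge_card("pfc-001", pan, "12/17", "123", 4217)
    db.save("cust-42", {"token": first["token"], "last4": first["last4"]})
    repeat = processor.charge_token("pfc-001", db.rows["cust-42"]["token"], 1999)
    result = {"repeat_ok": repeat["amount"] == 1999 and repeat["last4"] == "1111"}
    try:
        processor.charge_token("other-shop", first["token"], 1)
        result["stolen_token_usable"] = True
    except PermissionError:
        result["stolen_token_usable"] = False
    try:
        db.save("cust-43", {"pan": pan, "cvv2": "123"})
        result["pan_column_stored"] = True
    except ValueError:
        result["pan_column_stored"] = False
    try:
        db.save("cust-44", {"note": f"customer read card {pan} over the phone"})
        result["pan_in_note_stored"] = True
    except ValueError:
        result["pan_in_note_stored"] = False
    return result


if __name__ == "__main__":
    print(card_on_file_flow())
```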
Re: (Score:3)
I've worked with payment processing here in the States. You can store the number and the expiration date but not the CVV2. Of course, no CVV2 means higher processing fees, which means customers will ask for ways of storing the CVV2. We tell them that makes them non-compliant and they don't really care. They just want lower processing fees and pay lip service to compliance.
Re: (Score:1)
"You can't store credit card information in the database," he said.
if you didn't know the answer to that, you really should not be writing such software.
Re: (Score:3, Insightful)
if you didn't know the answer to that, you really should not be writing such software.
GP knew to call someone in who was more knowledgeable. If you didn't know to do that, then you really shouldn't be doing jack shit.
Re: (Score:3)
"Then it's not convenient anymore," he said. "Look, you don't actually have a use for this data once you've processed the credit card transactions.
your software should never even have the data at all. it should be coming off a card read encrypted and going straight to the payment processor in that fashion. if you ever keep unencrypted card data around, even if it's only in the memory of your device, it's trouble (that's how target got hit ... something was scanning their memory for things that looked like credit card data).
and there's a lot more to it than that, not the least of which is ensuring that the hardware itself cannot be tampered with / hack
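The CPA's advice earlier in the thread to get card data out of logs and backups, and this comment's point that a memory scraper simply looks for things shaped like card numbers, both reduce to the same search. As an added example (not from the thread), this scanner runs a Luhn-filtered pattern over a constructed POS log excerpt so a merchant can find and purge such leaks in its own files; the numbers in the sample are published test PANs.

```python
"""Find Luhn-valid card numbers in a byte buffer (a log file, a database
dump, a saved process image) so they can be purged. Added example with a
constructed log excerpt; the card numbers are published test PANs."""
import re

# 13 to 19 digits, optionally split by single spaces or dashes, and not
# embedded in a longer digit run (so a 20-digit order id is skipped).
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: one leaked swipe, one Luhn-invalid decoy, one spaced PAN.
SAMPLE_LOG = (
    b"2014-06-12 19:02:11 pos-07 INFO order=20140612000012345678 total=42.17\n"
    b"2014-06-12 19:02:12 pos-07 DEBUG swipe=4111111111111111=1712101 ...\n"
    b"2014-06-12 19:02:13 pos-07 INFO auth ok last4=1111\n"
    b"2014-06-12 19:02:14 pos-07 DEBUG raw='4111 1111 1111 1112'\n"
    b"2014-06-12 19:02:15 pos-07 DEBUG card=5555 5555 5555 4444 exp=12/17\n"
)


def luhn_ok(digits):
    """Luhn check digit test; filters out most numeric noise that is not a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """PCI-style display form: first six and last four digits only."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(data):
    """Return (line_number, masked_pan) for each Luhn-valid candidate.
    A Luhn-valid 16-digit order number would be a false positive, so treat
    hits as leads to verify and purge, not as proof by themselves."""
    hits = []
    for line_no, line in enumerate(data.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(rb"[ -]", b"", m.group()).decode()
            if luhn_ok(digits):
                hits.append((line_no, mask(digits)))
    return hits


if __name__ == "__main__":
    for line_no, masked in find_pans(SAMPLE_LOG):
        print(f"line {line_no}: full card number present ({masked})")
```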
Re: (Score:2)
These were telemarketing operators who didn't have physical access to the credit card. Anyway, back in those days the data wasn't encrypted yet. So I fear I have led you to squander an insightful comment.
It's easy for an old timer to forget that people under the age of 40 have never ordered anything over the phone. At the time I'm talking about, the web was years in the future, and it was illegal to conduct commerce over the Internet (which we called "the ARPANet"). Most businesses ran entirely on paper,
Re: (Score:2)
Very few kids. And most of those didn't have modems. Adults often did, and they could buy things on CompuServe or AOL dialup, at 1200 baud. Not many people did, and those who did so did it more for the novelty value.
But I did slip from 1986 to 1967 in my reminiscing. It was the comic book thing. My dad had a restaurant next to a convenience store and I used to buy my comic books there.
Re: (Score:1)
There is no encryption or security architecture that beats not having the data.
YES! I agree completely, because sometimes you just don't have the data.
--Your Friendly IRS branch audit store. Stop by and we'll check each other out!
After Non-Profit Application Furor, IRS Says It's Lost 2 Years Of Lois Lerner's emails [slashdot.org]
One. [slashdot.org] Two. [slashdot.org] Three. [slashdot.org]
Cash ... (Score:3)
And gone (Score:1)
Cash, when stolen, is gone. I'd rather not go back to the days of carrying a hundred bucks or more in my wallet when going out for the night, walking back to my car in a dimly lit street surrounded by sketchy/drunk people.
Somebody steals my card - or card info - I cancel the card. It's done. I owe no debts so long as I watch my charges and report if something goes wrong
Somebody steals my wallet with my card. I cancel the card. It's done. I owe no debts so long as I report the card stolen
Somebody steal my
So then what? (Score:1)
Nobody handles cards like that anymore. So. Let's put an ad on Craigslist in the "gigs" section. Then we can have some guy who says he has a work permit (honestly) drive them over to his mama's house on the East side of town. He'll scan them with her XP machine so they can get onto the network.
Criminal System (Score:2)
Credit cards are a ponzi scheme, are not backed by any hard currency, cannot be used to pay taxes and are only used by drug dealers and money launderers. Oh, wait....
Re: (Score:2)
Of course they can be used to pay taxes. I paid the balance of my federal income tax using a credit card.
Yes, I know...
Manual imprinting, aka... (Score:2)
...the clunk-a-chunk machine.
I know retro is in, but this is going too far.
Wait, what? (Score:2)
How the heck does old fashioned imprinting help me to use a debit card?
Do these people actually not understand any of this technology?
Re: (Score:2)
Imprinting implies they are not billing the card immediately at all.
Not billing your debit card at the moment is only slightly more risky than real CC. They are more likely concerned with image and customer satisfaction atm.
Re: (Score:2)
Obviously, because it's paper. Which is not immediate.
But, I didn't think you could do a debit transaction with just an imprint. How do you know which account? You certainly don't have my PIN.
I'm skeptical this would even work. I've never heard of doing a debit transaction with an imprint ... it may exist, but that would surprise me.
Re: (Score:2)
Obviously, because it's paper. Which is not immediate.
But, I didn't think you could do a debit transaction with just an imprint.
It's probably not just paper. The debit card probably has a MC/Visa logo. Mastercard/Visa/Discover have or had an "authorization call center". If the magnetic stripe on a card won't work; there's a phone number the merchant is to call in. Give their merchant account number verbally; give the Credit card number, expiration date, flip the card over, and read off the 7-d
Dumpster Diving (Score:1)
So all you have to do is get the carbons from the trash now for those, like back in the 80s??
Re: (Score:2)
Again, chip-and-pin would be less work than rolling out imprinting devices, and would be much more secure.
Except not by PFChangs. The whole point is to be able to get money from customers, but, PF Changs's US customers don't have a CC with chip&pin. It has to come from the credit card companies.