A welcomed response, PF Chang's

Published: 2014-06-13. Last Updated: 2014-06-13 16:10:57 UTC
by Richard Porter (Version: 1)
7 comment(s)

UPDATE:

http://pfchangs.com/security/

PF Chang's has posted a public response. In Summary, Secret Service contacted them June 10th, they have confirmed the breach. Time to change CC number... 'again' :(

 

-------

 

Krebs is running a story about the recent data breach that has happened to restaurant chain PF Chang's [1]. As it so happens we decided to have lunch there today and I polled one of the managers if she had been briefed on the breach. She had been informed. 

I observed two things of note at lunch, one people were still paying with credit cards but what returned was a pleasant and welcome surprise. The bar tender placed the bill down along with a manually run credit card from one of the ole'school card imprinters [2].

The extent of the breach is still under investigation according to the general manager of the PF Chang's we frequent, and it is time to change the CC ... again ...

Maybe we should keep a breach causes CC change score board :( [3]

 

[1] http://krebsonsecurity.com/2014/06/banks-credit-card-breach-at-p-f-changs/

[2] http://www.amazon.com/Addressogragh-Bartizan-4000-Imprinter-Without/dp/B0057YIHMM

â??[3] https://www.privacyrights.org/

 

Richard Porter

--- ISC Handler on Duty

7 comment(s)

Comments

P.F. Chang's just confirmed the card breach:

http://krebsonsecurity.com/2014/06/p-f-changs-confirms-credit-card-breach/

I mentioned this handler's entry as well. Thanks.
"there" not "their" :D
Thanks Brian... I posted the link to PF Chang's official noticed in our diary as well.
Maybe we should go back to the older system of manually run credit card systems. With the electronic CC systems every major retailer has a very large list of CC numbers instead of just the issuing organization as was the case before. There are not just a few ultra secure argets for illegally getting credit card data but the highly variable security of many thousand of targets and their millions of locations where breaches can occur.
The simply problem is that InfoSec is still immature and it's going to be a while before we reduce the frequency of this stuff happening, or at least reduce the impact of each occurrence.

But that's no reason to halt progress.
The whole problem is the crappy payment industry in the US. It is like 30+ years after Europe.

Here in Denmark, all CC payments are chip&pin. The reader/pinpad is an integrated device, which does not send any carddata, except maybe 6+4 back to the store computer. It communicates directly (internet or dial-up) with the payment provider (bank owned), using certified and validated encryption.

Internal communications inside the terminal are also supposed to be encrypted. And firmware upgrades a digitally signed.

As a retailer, who never sees the CC numbers, I do not understand why VISA and Mastercard still requires me to be PCI compliant, and pay for external audits. If they did their job good enough in certifying my payment terminals, there is absolutely no risk here.

VISA/Mastercard should demand security as in Scandinavia (Denmark/Norway/Sweden), and not crappy solutions from 1980, like seems to be the standard in the US.
Is card imprints any safer ? No, if the store write down the 3 digit code onthe back, it still has all that is needed to buy with the card. Shows the system is flawed. There is no secret part to using a credit card. Government should put all costs of fraud on CC companies, and forbid them to charge customers/stores for the fraud.

Diary Archives