The Green Sheet

Friday, June 27, 2014

Data breach forces P.F. Chang's back to 'knucklebusters'

In the wake of the recently uncovered data compromise at Chinese restaurant chain P.F. Chang's China Bistro Inc., the business reverted to 1970s-style manual card imprinters, also known as "knucklebusters," to process card payments. Beyond the novelty of a 21st century business resorting to 40-year-old technology that involves running bankcards through clunky machines to make impressions on carbon slips, the breach underscores once again the security weaknesses of current POS systems, weaknesses that may not lessen fraud even when Europay/MasterCard/Visa (EMV) chip card technology is implemented.

In a June 12, 2014, statement, P.F. Chang's Chief Executive Officer Rick Federico stated that two days earlier the chain learned of the breach from the United States Secret Service and initiated an investigation with the help of an unnamed third-party forensics investigator. Federico said that credit and debit card data had been "stolen from some of our restaurants," indicating that the breach may have been limited in scope.

However, data security reporter Brian Krebs, who broke the story on June 10, 2014, reported that the breach began around Sept. 18, 2013, and had been operating for about nine months before its termination in June. Based on the length of the breach and the amount of sales P.F. Chang's disclosed on a 2012 quarterly financial statement, Krebs conjectured on his blog, KrebsOnSecurity, that the breach impacted at least 7 million cards.

Security experts have remarked on the similarities between the notorious Target Corp. breach that occurred over the 2013 holiday season and the P.F. Chang's breach. In the Target breach, malware was reportedly installed on the big-box retailer's back-end servers, allowing payment card data to be surreptitiously harvested from POS terminals and transmitted to fraudsters who then put up the card data for sale on online black market sites. Krebs noted that payment card data from the P.F. Chang's breach showed up for sale on the same black market clearing house, Rescator, that sold card data stolen in the Target breach.

At press time, P.F. Chang's was apparently still using the imprinters, seen by security experts as a logical, if short-term, solution to ensure no more card numbers are stolen. Yet the practice raises another security issue: how those carbon copies of card numbers are being stored.

It is ironic that in order to safeguard patrons' debit and credit card accounts, the restaurant chain is storing hard copies of account numbers, which is the very practice frowned upon by the payments industry's data security governing body, the PCI Security Standards Council (PCI SSC).

From EMV to e-commerce

Karisse Hendrick, Industry Specialist at the MRC, the Seattle-based payment and risk association for e-commerce merchants, pointed out that the physical POS environment remains the most vulnerable avenue for fraud. "It does seem like the largest breaches are occurring on POS intrusions," she said.

Hendrick noted that in the online realm, retailers have instituted layers of security to protect sensitive data, as prescribed by the PCI SSC's regulations. In the brick-and-mortar world, however, businesses are still playing catch up. "A lot of the POS software was written in the '80s and so getting those [systems] updated is a challenge," she said.

Despite the implementation of EMV chip card schemes to replace security-deficient mag stripe technology, fraud will not be curtailed, according to Hendrick. "Even with EMV coming out, unfortunately, the same types of malware attacks on POS systems that are occurring now can still happen post-EMV conversion," she said.

Hendrick stated that EMV will be effective in reducing the counterfeiting of cards because fraudsters will no longer be able to replicate cards by encoding blank mag stripe cards with stolen card numbers. Thus, data thieves will not be able to employ dummy cards to steal millions of dollars from ATMs and millions more from retailers in the form of goods and services illicitly purchased at physical POSs.

However, EMV will not stop fraudsters from stealing data at the physical POS, via malware for instance, and then using the stolen data online. "You're going to have millions of credit card numbers and [fraudsters will] not be able to recirculate them through the card-present environment," Hendrick said. "So our concern is that they are going to all go to e-commerce to use these fraudulent transactions."

Preparing for the worst

Despite these concerns, Hendrick reported encouraging news on the e-commerce front. "E-commerce in general has gotten so vigilant in identifying and preventing fraud on stolen card numbers that it's much harder for [fraudsters] to turn around and use those stolen numbers in an e-commerce environment," she said.

MRC provides services for a membership of just under 400 e-commerce firms in North America and Europe, including PayPal Inc., Square Inc., Apple Inc., Google Inc., Facebook Inc. and numerous large e-retailers.

Hendrick said MRC members report 47 percent less fraud than non-MRC members, partly because the companies recognize open communication is critical in combating fraud. She added that fighting fraud is the one area where fiercely competitive companies can find common ground and a common purpose. "Sometimes it's introducing competitors to each other," Hendrick said. "And they can share open information with each other because not one of them wants fraud."

On an anonymous basis, MRC shares information with its members about businesses that have been compromised. Hendrick also said the association is keen on preparing its members, just in case. "I think it's really important for merchants to say we can't just think it's going to happen to everyone else," she noted.

Among the MRC's recommendations is that companies generate form letters beforehand that they can send out to customers if and when businesses are compromised, "so you don't have to go through the whole process while everyone is in a panic," Hendrick said.

The MRC also advised that businesses should have call centers on retainer so they can be ready for potential call spikes from breach-affected customers, as well as have public relations firms on speed dial. Hendrick said the point of preparation is to ensure merchants who experience breaches are not caught flat-footed and can minimize the type of PR nightmare and reputational damage that happened to Target.
