The Green Sheet

Friday, April 28, 2017

Chipotle doubles down on security

A data security breach at Denver-based Chipotle Mexican Grill recently roiled the quick service restaurant chain. Intruders reportedly gained access to the company's POS systems, capturing data from payment card transactions between March 24 and April 18, 2017. Chipotle has enhanced POS security and is working with its payment processor, law enforcement and forensic security experts in an ongoing investigation, company representatives stated.

"Because our investigation is continuing, complete findings are not available, and it is too early to provide further details on the investigation," read the company's April 25, 2017, statement. "We anticipate providing notification to any affected customers as we get further clarity about the specific timeframes and restaurant locations that may have been affected."

Representatives urged consumers to monitor payment card statements and report any unusual or suspicious charges to their card-issuing banks. "Payment card network rules generally state that cardholders are not responsible for such charges," the company further stated.

Industry-wide vulnerabilities

Sándor Bálint, Security Lead for Applied Data Science at Balabit, said the Chipotle breach is a reminder that credit card payments carry a host of security issues. Credit card numbers, used as confidential identifiers, pass through many hands in the payment system, placing the burden of protecting consumers on merchants and payment service providers, who must cope with this fundamental architectural flaw, he said.

Processing, storing and handling this data should be kept to an absolute minimum, he added. Organizations should treat cardholder data like nuclear waste, minimizing the number of people who "glow in the dark," Bálint said. This will reduce the scope of people and systems dealing with data (defined as the CDE, or cardholder data environment), and the costs of Payment Card Industry Data Security Standard (PCI DSS) compliance.

Bálint further recommended that organizations implement a blend of preventive, detective and corrective measures. "Even with the best intentions, and with robust controls in place, breaches may not be entirely preventable," he said. "That's why the PCI DSS has an entire chapter of requirements devoted to monitoring and testing."

When organizations detect anomalies, the time it takes to react and implement corrective measures is also critical, he noted. "If we can't prevent something but we react almost immediately when it happens, we can greatly reduce any damage that can be done," he said. "Therefore, shortening that interval between detection and response should be the goal ‒ the right tools for data collection and analysis can offer dramatic improvements and increased security."
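Bálint's two points, keep cardholder data out of as many systems as possible and close the gap between detecting a leak and acting on it, both come down to concrete controls. The Python below is an added example written for this page; it is not Chipotle's, Balabit's or any payment processor's code. It shows both sides: a PAN is replaced by a masked form or a keyed surrogate before it leaves the payment path, so systems outside the CDE never hold the full number, and a detective sweep scans log lines for Luhn-valid card numbers that leaked anyway. The log lines and the HMAC key are constructed for the example; the card numbers are the card brands' standard public test PANs, not real accounts.

```python
"""Added example (not from the article, Chipotle or Balabit): keeping PANs
out of systems that should sit outside the cardholder data environment.

  1. mask_pan / tokenize_pan: a PAN is reduced to a display form or a keyed
     surrogate before it reaches logs, analytics or support tools.
  2. scan_for_pans: a detective control that sweeps text (log lines,
     exported tables) for anything that still looks like a full PAN,
     filtered with the Luhn check to keep false positives down.

All sample data is constructed; the PANs are public test numbers.
"""
import hashlib
import hmac
import re
from typing import List, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the widest display form
    PCI DSS has permitted; every other digit becomes '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Deterministic surrogate: HMAC-SHA256 under a key that lives only
    inside the CDE (assumption for this example). Systems outside the
    CDE correlate on the token; nothing reversible leaves with it."""
    digits = re.sub(r"\D", "", pan)
    return "tok_" + hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:24]


def scan_for_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, masked_pan) for every Luhn-valid PAN found.
    Long digit runs that fail Luhn (order ids, timestamps) are skipped."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_valid(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits


# Constructed log lines: a clean sale, a debug line that dumped track data,
# a 13-digit order id that is not a card, and a support note with a PAN.
SAMPLE_LOG = """\
2017-04-10 12:00:01 pos-07 sale approved amount=12.85 token=tok_3c2f1e
2017-04-10 12:00:02 pos-07 DEBUG raw track2 pan=4111111111111111 exp=0419
2017-04-10 12:00:05 web-01 order id=1234567890123 status=paid
2017-04-10 12:00:09 crm-02 note: customer card 5555 5555 5555 4444 declined
"""

if __name__ == "__main__":
    key = b"example-cde-only-key"   # constructed; never hard-code a real key
    print(mask_pan("4111 1111 1111 1111"))
    print(tokenize_pan("4111 1111 1111 1111", key))
    for lineno, masked in scan_for_pans(SAMPLE_LOG):
        print(f"line {lineno}: full PAN found ({masked})")
```

Running the sweep over `SAMPLE_LOG` flags lines 2 and 4 and ignores the order id on line 3, which is the distinction that keeps an alert queue usable: a scanner that fires on every 13-digit number trains analysts to ignore it, which lengthens exactly the detection-to-response interval Bálint warns about.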

Continued growth expected

Financial analysts do not expect Chipotle's stock price or level of consumer confidence to be affected by the security breach. Buoyed by the company's strong performance in the first quarter of 2017, as well as its appropriate responses to a tainted food incident in 2015 and the recent data security breach, investors and shareholders expect Chipotle to continue its upward trajectory. The company's first-quarter net income rose from $26.4 million in 2016 to $46.1 million in 2017, and revenue grew 17.8 percent; these results reflect well on Chipotle's management, vision and execution, financial analysts stated.

Analysts at SunTrust Robinson Humphrey, a corporate investment bank, expect continued improvement in same-store sales due to mobile channel and digital order growth and positive reaction to a television advertising campaign launched April 10 that will run through July. "Chipotle's same-store sales accelerated in the first quarter, and we believe the drivers are in place to sustain the recovery," they stated.
