Jason's Deli confirms RAM-scraper attack

It was news no merchant wants to hear. Family-owned Jason's Deli, which operates 275 delis in 28 states, received notice on Dec. 22, 2017, that a large quantity of payment card information associated with the business was for sale on the Dark Web. Law enforcement, a threat response team and forensic experts began investigating immediately and recently reported a breach had, indeed, occurred. It began June 8, 2017, and jeopardized the credit card information of approximately 2 million Jason's Deli customers.

Criminals gained access by using RAM-scraping malware at POS terminals at some, but not all, Jason's Deli locations. RAM-scraper attacks take advantage of a vulnerability that occurs during processing at the POS terminal. POS terminals are mini computers with card readers. Thus, they typically have permanent storage in hard drives or flash memory, and temporary storage in random access memory (RAM).

Vigilance required

The Payment Card Industry (PCI) Data Security Standard (DSS), devised to protect payment card data and the systems that process that information, is complex and difficult for many busy merchants to understand. For some time, the PCI DSS has explicitly required that merchants encrypt card data both residing on permanent storage and traversing their publicly accessible networks, but it has not mandated encryption for data in RAM, where it must be briefly decrypted for processing. That is where many fraudsters have accessed data from merchants who believed themselves to be PCI compliant.

As Jason's Deli and other merchants have learned, data security requires vigilance. Encryption is essential, but so is keeping unauthorized parties and their malware out of networks responsible for safeguarding personal data. Merchants are expected to keep abreast of ongoing and developing threats and employ network upgrades and software patches to address system vulnerabilities as needed.

Jason's Deli stated that the breach has now been contained and the malware disabled at all locations where it was discovered. Visit www.jasonsdeli.com/data-breach for further details. To help merchants with ongoing education on data security, acquaint them with the PCI Security Standards Council's website, www.pcisecuritystandards.org .

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.