The Green Sheet, Inc

The Green Sheet Online Edition

February 22, 2016  •  Issue 16:02:02


Downstream networks detect Wendy's breach

Numerous consumers who used credit cards at Midwest and Northeast locations of The Wendy's Co. in the latter part of 2015 were notified by their card issuing banks of a potential data security breach. Wendy's, a publicly traded company established in 1969 and headquartered in Dublin, Ohio, is the world's third largest fast food enterprise, with 6,500 corporate and franchise locations in 30 countries.

Company spokesman Bob Bertini advised news media that fraudulent charges began to appear elsewhere after the cards were legitimately used at some Wendy's restaurants. "Until this investigation is completed, it is difficult to determine with certainty the nature or scope of any potential incident," he said. "We have hired a cybersecurity firm to assist, but are not disclosing the name at this point."

Proactive, preventive banks

Payments and security analysts credit bank fraud departments that monitor suspicious activities and security researchers who monitor black market trends for detecting the fraudulent transactions. Convergence of these two lines of effort proved a formidable force, parsing records from aggregated data to find the common denominator, which in this case clearly showed that all of the compromised payment cards had been used at select Wendy's locations.

"Ideally, we'd like to see merchant organizations detecting incidents proactively," said Jim Wherry, Information Security Analyst at Redhawk Network Security LLC. "In this case, though, from what we know, the issue was brought to light through the combined work of various fraud detection groups."
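The common-denominator search described above is generally known as common point of purchase analysis. The sketch below is an added example, not code from the article or from any bank's fraud system; the card IDs, location names, dates and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data: (card_id, merchant_location, purchase_date).
TRANSACTIONS = [
    ("c1", "restaurant-17", date(2015, 11, 2)), ("c1", "grocer-03", date(2015, 11, 5)),
    ("c2", "restaurant-17", date(2015, 11, 10)), ("c2", "fuel-22", date(2015, 11, 12)),
    ("c3", "restaurant-17", date(2015, 11, 15)), ("c3", "grocer-03", date(2015, 11, 20)),
    ("c4", "restaurant-17", date(2015, 12, 1)),
    ("c4", "fuel-22", date(2016, 1, 10)),  # after fraud began, so ignored
    ("k1", "grocer-03", date(2015, 11, 3)), ("k2", "grocer-03", date(2015, 11, 9)),
    ("k3", "grocer-03", date(2015, 11, 18)), ("k4", "restaurant-17", date(2015, 11, 21)),
]
# Constructed: card_id -> date of first reported fraudulent charge.
FRAUD_REPORTS = {"c1": date(2015, 12, 10), "c2": date(2015, 12, 12),
                 "c3": date(2015, 12, 15), "c4": date(2015, 12, 20)}

def common_points_of_purchase(transactions, fraud_reports,
                              lookback_days=90, min_share=0.8):
    """Return (location, share_of_compromised_cards, share_of_clean_cards)
    for locations where most compromised cards were used before fraud began."""
    hit_cards = defaultdict(set)    # location -> compromised cards seen in window
    clean_cards = defaultdict(set)  # location -> cards with no fraud report
    all_clean = set()
    for card, location, day in transactions:
        first_fraud = fraud_reports.get(card)
        if first_fraud is None:
            clean_cards[location].add(card)
            all_clean.add(card)
        elif first_fraud - timedelta(days=lookback_days) <= day < first_fraud:
            hit_cards[location].add(card)
    results = []
    for location, cards in hit_cards.items():
        share = len(cards) / len(fraud_reports)
        # Baseline: a popular merchant appears on many cards, compromised or not.
        baseline = len(clean_cards[location]) / len(all_clean) if all_clean else 0.0
        if share >= min_share:
            results.append((location, round(share, 2), round(baseline, 2)))
    return sorted(results, key=lambda r: (-r[1], r[2]))

if __name__ == "__main__":
    for row in common_points_of_purchase(TRANSACTIONS, FRAUD_REPORTS):
        print(row)
```

A location that appears on nearly every compromised card but on few unaffected cards is the candidate point of compromise; a location with a high share on both sides is more likely just popular.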

Forewarned, forearmed merchants

Wherry, a Certified Information Security Systems Professional and Payment Card Industry Qualified Security Assessor, noted that while fraud detection groups did their jobs, Redhawk advocates strongly for the empowerment of individual merchants. "They need to develop capabilities to detect intrusions before they become breaches down the line," he said.

Vann Abernethy, Senior Technical Expert at network security provider NSFOCUS IB, said, "This incident is another that should serve as a wake-up call for companies, the payment card industry and consumers alike. Many banks have been rolling out new chip-based cards (EMV) recently. This is a good step in the right direction for preventing card information theft and duplication, and adding an additional authentication factor would be even better." Abernethy cautioned consumers who visited Wendy's in affected areas to monitor credit card activity daily for suspicious activities.

Encryption, tokenization needed

Abernethy emphasized the need for merchants to implement end-to-end encryption and tokenization at the POS. He urged retailers to have a plan in place and not to wait to take action until a data breach occurs. "No plan can cover everything, but having a plan and executing on it goes a long way," he stated.

Abernethy further noted that Europay, MasterCard and Visa (EMV) technology employs a one-time unique authentication factor designed to prevent payment card duplication. Having a secondary factor such as a personal identification number can add a secondary layer of protection.

He advised retailers to protect cardholder data from the moment a card is read at the POS and throughout its journey to the card issuer for verification. End-to-end (E2E) encryption that begins at the card reader would go a long way toward protecting against systemic vulnerabilities, he added.

"Retailers should also remember that just because the primary payment transaction points are as secure as they can make them does not mean the data is not seeping out through another route, especially if there is no E2E encryption," Abernethy said. "Constant vigilance is needed to look for rogue executables, odd open ports and more."

Redhawk's Wherry added, "Much can be said about chip-and-signature technology and potential weak points, but the real takeaway from the Wendy's data breach is how it appears to have been detected."

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
