P.F. Chang's goes old school to combat fraud

Chain issues manual receipts, closing one door to fraud, opening another


All 210 P.F. Chang's China Bistro restaurants in the U.S. have dusted off old-school manual card readers and are using them in place of modern electronic point-of-sale systems to record customer payment information while the chain investigates a potentially large-scale retail data breach.

A statement from P.F. Chang's CEO Rick Federico warned consumers of a "security compromise" discovered June 10. The chain reverted to the manual recording system so "our guests can still use their credit and debit cards safely in our restaurants as our investigation continues."

Switching to a manual system was also the most readily available alternative to online payment processing when the security compromise was discovered, according to P.F. Chang's Security Update Web page.

Manual card imprinting devices, sometimes called "knuckle busters" in reference to their click-clacking sounds and sliding metal parts, make a physical impression of a card's embossed numbers and expiration date onto a carbon paper packet. The packets typically have three slips: one for the customer, one for merchant records and one to send off for payment processing. No Internet connection needed.

It's a clumsy, mostly outdated process, but if P.F. Chang's data is still leaking from an unplugged hole, switching to manual processing could prevent more damage, according to Dave Shackleford, lead faculty member at IANS security research firm.

Typical electronic point-of-sale systems directly connect merchants to financial institutions or payment processors. If a network is breached, every new swipe of a card creates a centrally stored digital record a hacker can gather.

"When you use a manual transaction, there is no electronic transaction process at all," Shackleford said. "P.F. Chang's is doing this because they don't know where the breach occurred and they are not willing to take any more risk of compromise."


If you get a manual credit or debit card receipt, special precautions apply:
  • Be mindful that a manual, carbon-copy receipt carries your card's full number, expiration date and security code, so closely guard or shred it.

  • Don't expect a manually generated bill to show up on your account records instantly. Manual card processing can take a few days to process, so budget accordingly.

  • If you have questions about P.F. Chang's manual card reader system or its security incident, call its guest relations office at 877-782-6356.

While doing away with modern technology eliminates the chance of high-tech fraud, the use of manual machines reopens another, less technical window for old-style fraud. That's because a receipt generated by a knuckle-buster contains a customer's name, full credit card number and security code. A single receipt in the wrong hands has enough information for a fraudster to go on a shopping spree.

Receipts generated by modern point-of-sale terminals don't display full card information. A provision of 2003's federal Fair and Accurate Credit Transactions Act requires that electronically printed debit and credit card receipts truncate card numbers, displaying no more than the last five digits. Information about the card's expiration date can't appear on the receipts, either. Companies that electronically print card payment receipts are required to comply with this security measure. Those who hand-write or manually imprint their card receipts, such as P.F. Chang's, are exempt. They may -- and for their own payment processing purposes, must -- write out the full card number.

In this situation, the pros of manual card reader systems likely outweigh the cons, Shackleford said.

"Yes, it's still an avenue for fraud, but I think that's all part of P.F. Chang's calculated risk with this approach," he said. "Fraud conducted under a manual system lies in the hands of the individuals handling the paper slips. From P.F. Chang's perspective, they would probably rather deal with an isolated incident of fraud versus a continued, widespread compromise resulting from electronically intercepted data."

In response to concerns about the storage of such sensitive information-heavy receipts, an update posted to P.F. Chang's security webpage states that, "P.F. Chang's is handling the storage and destruction of these slips according to the data protection processes required by the credit and debit card companies." This means that under the Payment Card Industry Data Security Standards, if P.F. Chang's stores the hard copy receipts after processing, it is responsible for blocking out at least all but the last four digits of customer card numbers and the entire security number, storing them securely and then shredding the receipts upon final disposal. 

So, as long as P.F. Chang's is complying with PCI standards, the window for manual credit card receipt fraud is limited to before the transaction is processed.

To speed up manual payment processing, P.F. Chang's has also delivered one dial-up card reader to each continental U.S. restaurant that will be plugged into fax lines and used to process the slips.

Shackleford said this technology would be an appropriate but still outdated way to transmit card information for batch processing quickly while still avoiding wide area Internet networks.

"Think fax machine scanning," he said.

Consumers who want to avoid the manual card imprinting process can request to have their card processed via the dial-up card reader. "It may take just a bit longer," the restaurant warns on its security breach page. P.F. Chang's says it will add more dial-up card reader terminals to each of its stores "as soon as possible, and once we are able to do this, our goal is to phase out the manual credit card imprinting."


Published: June 19, 2014

Updated: 10-26-2016