P.F. Chang's goes old school to combat fraud
Chain issues manual receipts, closing one door to fraud, opening another
By Sienna Kossman | Published: June 19, 2014
All 210 P.F. Chang's China Bistro restaurants in the U.S. have dusted off old-school manual card readers and are using them in place of modern electronic point-of-sale systems to record customer payment information while the chain investigates a potentially large-scale retail data breach.
A statement from P.F. Chang's CEO Rick Federico warned consumers of a "security compromise" discovered June 10. It reverted to the manual recording system so "our guests can still use their credit and debit cards safely in our restaurants as our investigation continues."
Switching to a manual system was also the most readily available alternative to online payment processing when the security compromise was discovered, according to P.F. Chang's Security Update Web page.
Manual card imprinting devices, sometimes called or "knuckle busters" in reference their click-clacking sounds and sliding metal parts, make a physical impression of a card's embossed numbers and expiration date onto a carbon paper packet. The packets typically have three slips: one for the customer, one for merchant records and one to send off for payment processing. No Internet connection needed.
It's a clumsy, mostly outdated process, but if P.F. Chang's data is still leaking from an unplugged hole, switching to manual processing could prevent more damage, according to Dave Shackleford, lead faculty member at IANS security research firm.
Typical electronic point-of sale systems directly connect merchants to financial institutions or payment processors. If a network is breached, every new swipe of a card creates a centrally stored digital record a hacker can gather.
"When you use a manual transaction, there is no electronic transaction process at all," Shackleford said. "P.F. Chang's is doing this because they don't know where the breach occurred and they are not willing to take any more risk of compromise."
TIPS TO GUARD
MANUAL CREDIT CARD RECEIPTS
If you get a manual credit or debit card receipt, special precautions apply:
While doing away with modern technology eliminates the chance of high-tech fraud, the use of manual machines reopens another, less technical window for old-style fraud. That's because a receipt generated by a knuckle-buster contains a customer's name, full credit card number and security code. A single receipt in the wrong hands has enough information for a fraudster to go on a shopping spree.
Receipts generated by modern point-of-sale terminals don't display full card information. A provision of 2003's federal Fair and Accurate Credit Transaction Act requires that electronically printed debit and credit card receipts truncate card numbers, displaying no more than the last five digits. Information about the card's expiration data can't appear on the receipts, either. Companies that electronically print card payment receipts are required to comply with this security measure. Those who hand-write or manually imprint their card receipts, such as P.F. Chang's, are exempt. They may -- and for their own payment processing purposes, must -- write out the full card number.
In this situation, the pros of manual card reader systems likely outweigh the cons, Shackleford said.
"Yes, it's still an avenue for fraud, but I think that's all part of P.F. Chang's calculated risk with this approach," he said. "Fraud conducted under a manual system lies in the hands of the individuals handling the paper slips. From P.F. Chang's perspective, they would probably rather deal with an isolated incident of fraud versus a continued, widespread compromise resulting from electronically intercepted data."
In response to concerns about the storage of such sensitive information-heavy receipts, an update posted to P.F. Chang's security webpage states that, "P.F. Chang's is handling the storage and destruction of these slips according to the data protection processes required by the credit and debit card companies." This means that under the Payment Card Industry Data Security Standards, if P.F. Chang's stores the hard copy receipts after processing, it is responsible for blocking out at least all but the last four digits of customer card numbers and the entire security number, storing them securely and then shredding the receipts upon final disposal.
So, as long as P.F. Chang's is complying with PCI standards, the window for manual credit card receipt fraud is limited to before the transaction is processed.
To speed up manual payment processing, P.F. Chang's has also delivered one dial-up card reader to each continental U.S. restaurant that will be plugged into fax lines and used to process the slips.
Shackleford said this technology would be an appropriate but still outdated way to transmit card information for batch processing quickly while still avoiding wide area Internet networks.
"Think fax machine scanning," he said.
Consumers who want to avoid the manual card imprinting process can request to have their card processed via the dial-up card reader. "It may take just a bit longer," the restaurant warns on its security breach page. P.F. Chang's says it will add more dial-up card reader terminals to each of its stores "as soon as possible, and once we are able to do this, our goal is to phase out the manual credit card imprinting."
- Court hears arguments on CFPB constitutionality – The D.C. Circuit Court of Appeals hearing Wednesday sets the stage for a decision that could reduce the independence and power of the federal consumer watchdog agency ...
- 6 steps to take when a credit card holder dies – The task of notifying issuers, closing accounts can easily be pushed aside ...
- Suspect card fraud? How to file a claim – What to do when you spot a suspicious charge on your credit or debit card ...