Research and Statistics

P.F. Chang’s goes old school to combat fraud


P.F. Chang’s China Bistro restaurants in the U.S. have dusted off old-school manual card readers to use while the chain investigates a potentially large-scale data breach

The content on this page is accurate as of the posting date; however, some of our partner offers may have expired. Please review our list of best credit cards, or use our CardMatch™ tool to find cards matched to your needs. Terms apply to the offers listed on this page.

All 210 P.F. Chang’s China Bistro restaurants in the U.S. have dusted off old-school manual card readers and are using them in place of modern electronic point-of-sale systems to record customer payment information while the chain investigates a potentially large-scale retail data breach.

P.F. Chang's goes old school to combat fraud A statement from P.F. Chang’s CEO Rick Federico warned consumers of a “security compromise” discovered June 10. It reverted to the manual recording system so “our guests can still use their credit and debit cards safely in our restaurants as our investigation continues.”

Switching to a manual system was also the most readily available alternative to online payment processing when the security compromise was discovered, according to P.F. Chang’s Security Update Web page.

Manual card imprinting devices, sometimes called or “knuckle busters” in reference their click-clacking sounds and sliding metal parts, make a physical impression of a card’s embossed numbers and expiration date onto a carbon paper packet. The packets typically have three slips: one for the customer, one for merchant records and one to send off for payment processing. No Internet connection needed.

It’s a clumsy, mostly outdated process, but if P.F. Chang’s data is still leaking from an unplugged hole, switching to manual processing could prevent more damage, according to Dave Shackleford, lead faculty member at IANS security research firm.

Typical electronic point-of sale systems directly connect merchants to financial institutions or payment processors. If a network is breached, every new swipe of a card creates a centrally stored digital record a hacker can gather.

“When you use a manual transaction, there is no electronic transaction process at all,” Shackleford said. “P.F. Chang’s is doing this because they don’t know where the breach occurred and they are not willing to take any more risk of compromise.”

If you get a manual credit or debit card receipt, special precautions apply:

    • Be mindful that a manual, carbon-copy receipt carries your card’s full number, expiration data and security code, so closely guard or shred it.


    • Don’t expect a manually generated bill to show up on your account records instantly. Manual card processing can take a few days to process, so budget accordingly.


  • If you have questions about P.F. Chang’s manual card reader system or its security incident, call its guest relations office at 877-782-6356.

While doing away with modern technology eliminates the chance of high-tech fraud, the use of manual machines reopens another, less technical window for old-style fraud. That’s because a receipt generated by a knuckle-buster contains a customer’s name, full credit card number and security code. A single receipt in the wrong hands has enough information for a fraudster to go on a shopping spree.

Receipts generated by modern point-of-sale terminals don’t display full card information. A provision of 2003’s federal Fair and Accurate Credit Transaction Act requires that electronically printed debit and credit card receipts truncate card numbers, displaying no more than the last five digits. Information about the card’s expiration data can’t appear on the receipts, either. Companies that electronically print card payment receipts are required to comply with this security measure. Those who hand-write or manually imprint their card receipts, such as P.F. Chang’s, are exempt. They may — and for their own payment processing purposes, must — write out the full card number.

In this situation, the pros of manual card reader systems likely outweigh the cons, Shackleford said.

“Yes, it’s still an avenue for fraud, but I think that’s all part of P.F. Chang’s calculated risk with this approach,” he said. “Fraud conducted under a manual system lies in the hands of the individuals handling the paper slips. From P.F. Chang’s perspective, they would probably rather deal with an isolated incident of fraud versus a continued, widespread compromise resulting from electronically intercepted data.”

In response to concerns about the storage of such sensitive information-heavy receipts, an update posted to P.F. Chang’s security webpage states that, “P.F. Chang’s is handling the storage and destruction of these slips according to the data protection processes required by the credit and debit card companies.” This means that under the Payment Card Industry Data Security Standards, if P.F. Chang’s stores the hard copy receipts after processing, it is responsible for blocking out at least all but the last four digits of customer card numbers and the entire security number, storing them securely and then shredding the receipts upon final disposal.

So, as long as P.F. Chang’s is complying with PCI standards, the window for manual credit card receipt fraud is limited to before the transaction is processed.

To speed up manual payment processing, P.F. Chang’s has also delivered one dial-up card reader to each continental U.S. restaurant that will be plugged into fax lines and used to process the slips.

Shackleford said this technology would be an appropriate but still outdated way to transmit card information for batch processing quickly while still avoiding wide area Internet networks.

“Think fax machine scanning,” he said.

Consumers who want to avoid the manual card imprinting process can request to have their card processed via the dial-up card reader. “It may take just a bit longer,” the restaurant warns on its security breach page. P.F. Chang’s says it will add more dial-up card reader terminals to each of its stores “as soon as possible, and once we are able to do this, our goal is to phase out the manual credit card imprinting.”

See related: Poll: As card fraud rises, so do false alarms, 4 ways crooks cash in on your personal and financial data

Editorial Disclaimer

The editorial content on this page is based solely on the objective assessment of our writers and is not driven by advertising dollars. It has not been provided or commissioned by the credit card issuers. However, we may receive compensation when you click on links to products from our partners.

What’s up next?

In Research and Statistics

Poll: As card fraud rises, so do false alarms

As data breaches soar, so do credit card fraud false alarms that block or flag legitimate credit card transactions, says a new poll

See more stories
Credit Card Rate Report
Cash Back

Questions or comments?

Contact us

Editorial corrections policies

Learn more