The decision by P.F. Chang's China Bistro to switch to manual payment processing after a recent data breach at the restaurant chain is unusual, security experts said this week. But it's understandable.
In a statement Thursday, P.F. Chang's confirmed that someone had broken into its payment systems and accessed credit and debit card data belonging to customers. The U.S. Secret Service alerted P.F. Chang's of the security compromise on Tuesday and a subsequent investigation uncovered the breach, the company said.
As a precautionary measure, P.F. Chang's has moved to a manual credit card imprinting system for all of its restaurants in the U.S. Customers can continue using their credit and debit cards as usual while the company conducts an investigation.
An FAQ with the statement noted that P.F. Chang's has provided manual credit card imprinters to all of its franchise operations in the U.S. to prevent any further compromise of customer information.
The decision stands out because few companies have resorted to manual processing after a breach, at least recently. Even companies like Target that suffered massive breaches have typically continued using their payment systems while working through investigations.
The P.F. Chang's move suggests the company is having a hard time figuring out what happened, said Mike Lloyd, CTO at security vendor RedSeal Networks.
"This reaction from PF Chang's is external evidence of an internal truth: modern business infrastructure is complicated," Lloyd said. "When bad things happen, it's hard to figure out what is wrong, where and why." Clearly, the company no longer trusts its infrastructure, he said.
Dwayne Melancon, CTO at Tripwire, said the restaurant chain's move makes sense if it doesn't know which systems to trust. "After all, if you are not sure which of your data systems you can trust, why would you risk putting even more data into those systems?"
Moving to physical collection of card information can reduce access and opportunity, because the information is no longer accessible on an open network -- but only for the short term, Melancon said.
"The risk in paper-based collection is that many retailers no longer have effective processes or employee training designed to secure, monitor and control physical card slips," he noted. While a manual approach reduces one type of risk, it doesn't eliminate it entirely.
"It just moves the data protection problem to a different form," Melancon said. Since manual processing is not something that many at P.F. Chang's are likely to be familiar with, the company needs to have checks and balances in place to control the flow, access and processing of the physical pieces of cardholder data that are created, he said.
"The big challenge in restoring the confidence of customers, boards and internal confidence after a breach is your ability to recover and protect customer information. If it helps to step back and move to paper, then that is not a bad idea," Melancon added.
Mark Bower, vice president of product management and solutions architecture at Voltage Security, called the P.F. Chang's decision a potentially disruptive move for customers and the company. "Perhaps there is concern over repeat attacks. Maybe there are forensic or law enforcement investigation reasons," he said.
"Either way, what we often see is merchants who have suffered such a breach very quickly move to avoid the problem again by enhancing their payment processing systems" through various measures, he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed.