P.F. Chang's post-breach move to manual processing is telling
It suggests the company still doesn't know what happened
The decision by P.F. Chang's China Bistro to switch to manual payment processing after a recent data breach at the restaurant chain is unusual, security experts said this week. But it's understandable.
In a statement Thursday, P.F. Chang's confirmed that someone had broken into its payment systems and accessed credit and debit card data belonging to customers. The U.S. Secret Service alerted P.F. Chang's to the compromise on Tuesday, and a subsequent investigation confirmed the breach, the company said.
As a precautionary measure, P.F. Chang's has moved to a manual credit card imprinting system for all of its restaurants in the U.S. Customers can continue using their credit and debit cards as usual while the company conducts an investigation.
An FAQ with the statement noted that P.F. Chang's has provided manual credit card imprinters to all of its franchise operations in the U.S. to prevent any further compromise of customer information.
The decision stands out because few companies have resorted to manual processing after a breach, at least recently. Even companies like Target that suffered massive breaches have typically continued using their payment systems while working through investigations.
The P.F. Chang's move suggests the company is having a hard time figuring out what happened, said Mike Lloyd, CTO at security vendor RedSeal Networks.
"This reaction from PF Chang's is external evidence of an internal truth: modern business infrastructure is complicated," Lloyd said. "When bad things happen, it's hard to figure out what is wrong, where and why." Clearly, the company no longer trusts its infrastructure, he said.
Dwayne Melancon, CTO at Tripwire, said the restaurant chain's move makes sense if it doesn't know which systems to trust. "After all, if you are not sure which of your data systems you can trust, why would you risk putting even more data into those systems?"
Moving to physical collection of card information can reduce access and opportunity, because the information is no longer accessible on an open network -- but only for the short term, Melancon said.
"The risk in paper-based collection is that many retailers no longer have effective processes or employee training designed to secure, monitor and control physical card slips," he noted. While a manual approach reduces one type of risk, it doesn't eliminate it entirely.
"It just moves the data protection problem to a different form," Melancon said. Since manual processing is not something that many at P.F. Chang's are likely to be familiar with, the company needs to have checks and balances in place to control the flow, access and processing of the physical pieces of cardholder data that are created, he said.
"The big challenge in restoring the confidence of customers, boards and internal confidence after a breach is your ability to recover and protect customer information. If it helps to step back and move to paper, then that is not a bad idea," Melancon added.
Mark Bower, vice president of product management and solutions architecture at Voltage Security, called the P.F. Chang's decision a potentially disruptive move for customers and the company. "Perhaps there is concern over repeat attacks. Maybe there are forensic or law enforcement investigation reasons," he said.
"Either way, what we often see is merchants who have suffered such a breach very quickly move to avoid the problem again by enhancing their payment processing systems" through various measures, he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.